Crypto-Ransomware : Your Crippling Information Technology Disaster
Crypto-Ransomware has become an escalating cyber pandemic that presents an extinction-level danger for organizations unprepared for an attack. Different versions of crypto-ransomware such as Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for many years and continue to cause damage. Recent variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, as well as frequent unnamed malware, not only encrypt online data files but also infiltrate any accessible system protection. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a vulnerable system, this can make any restoration impossible and basically sets the network back to square one.
Recovering services and information after a crypto-ransomware outage becomes a sprint against the clock as the victim tries its best to contain the damage and remove the crypto-ransomware and to restore mission-critical operations. Since crypto-ransomware takes time to replicate, penetrations are often sprung during nights and weekends, when attacks typically take more time to discover. This compounds the difficulty of rapidly marshalling and coordinating a qualified mitigation team.
Progent offers a variety of help services for protecting enterprises from crypto-ransomware penetrations. Among these are staff education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of the latest generation security appliances with artificial intelligence capabilities from SentinelOne to discover and disable zero-day cyber threats intelligently. Progent in addition provides the services of veteran ransomware recovery engineers with the talent and perseverance to re-deploy a compromised network as rapidly as possible.
Progent's Crypto-Ransomware Restoration Services
Subsequent to a ransomware event, sending the ransom in cryptocurrency does not ensure that cyber criminals will provide the keys to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET averages to be around $13,000. The other path is to piece back together the critical parts of your Information Technology environment. Absent access to full information backups, this calls for a broad range of skill sets, well-coordinated project management, and the willingness to work non-stop until the task is done.
For two decades, Progent has provided professional Information Technology services for companies in Edmonton and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally-recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP software solutions. This breadth of expertise gives Progent the skills to efficiently determine necessary systems and consolidate the remaining parts of your IT environment after a ransomware penetration and rebuild them into an operational system.
Progent's recovery team of experts uses best of breed project management tools to orchestrate the complicated recovery process. Progent appreciates the importance of acting quickly and in unison with a customer's management and IT resources to assign priority to tasks and to get critical systems back on line as fast as humanly possible.
Business Case Study: A Successful Ransomware Virus Restoration
A small business escalated to Progent after their network system was taken over by Ryuk ransomware. Ryuk is generally considered to have been deployed by Northern Korean state hackers, suspected of using technology leaked from America's NSA organization. Ryuk attacks specific companies with little ability to sustain operational disruption and is one of the most lucrative incarnations of ransomware viruses. Major targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area and has about 500 employees. The Ryuk event had paralyzed all essential operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the start of the attack and were damaged. The client was pursuing financing for paying the ransom (more than $200,000) and wishfully thinking for the best, but ultimately reached out to Progent.
"I can't tell you enough in regards to the care Progent provided us throughout the most critical time of (our) businesses life. We had little choice but to pay the cyber criminals except for the confidence the Progent group gave us. That you could get our e-mail system and important applications back quicker than seven days was amazing. Every single consultant I talked with or messaged at Progent was laser focused on getting us operational and was working 24 by 7 on our behalf."
Progent worked together with the customer to quickly understand and prioritize the essential systems that had to be restored in order to continue business operations:
To start, Progent followed ransomware penetration mitigation industry best practices by halting lateral movement and cleaning systems of viruses. Progent then started the work of restoring Windows Active Directory, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not work without AD, and the customer's financials and MRP software used Microsoft SQL Server, which requires Active Directory for security authorization to the information.
- Active Directory
- Electronic Mail
Within two days, Progent was able to re-build Active Directory to its pre-virus state. Progent then helped perform setup and storage recovery on critical applications. All Exchange data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to locate local OST data files (Microsoft Outlook Off-Line Folder Files) on user workstations to recover mail data. A not too old off-line backup of the client's accounting software made it possible to return these essential applications back online for users. Although a large amount of work still had to be done to recover completely from the Ryuk damage, essential services were recovered rapidly:
"For the most part, the assembly line operation was never shut down and we made all customer shipments."
Throughout the next couple of weeks critical milestones in the restoration project were completed in tight cooperation between Progent team members and the client:
- In-house web sites were brought back up with no loss of data.
- The MailStore Server exceeding 4 million historical emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory modules were fully recovered.
- A new Palo Alto 850 security appliance was installed.
- Most of the desktop computers were fully operational.
"A huge amount of what transpired during the initial response is nearly entirely a haze for me, but our team will not soon forget the commitment all of you accomplished to give us our business back. I have been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This time was a life saver."
A possible business catastrophe was dodged due to top-tier experts, a wide spectrum of knowledge, and close teamwork. Although upon completion of forensics the ransomware virus incident detailed here should have been identified and blocked with current cyber security systems and ISO/IEC 27001 best practices, team education, and well designed security procedures for data protection and keeping systems up to date with security patches, the fact is that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's team of experts has proven experience in ransomware virus defense, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for allowing me to get rested after we got through the most critical parts. All of you did an incredible effort, and if any of your team is in the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Edmonton a portfolio of online monitoring and security evaluation services to assist you to reduce the threat from ransomware. These services utilize next-generation machine learning technology to uncover new variants of crypto-ransomware that can evade traditional signature-based anti-virus solutions.
For Edmonton 24x7 Crypto Cleanup Consultants, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based machine learning tools to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely get by traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to automate the entire malware attack progression including blocking, identification, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, endpoint control, and web filtering through cutting-edge tools packaged within one agent accessible from a single control. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that meets your company's specific requirements and that helps you demonstrate compliance with government and industry data security standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for immediate attention. Progent can also assist your company to install and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has worked with advanced backup technology companies to create ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your data backup operations and allow transparent backup and rapid recovery of important files/folders, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss caused by equipment breakdown, natural disasters, fire, malware such as ransomware, human error, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security companies to deliver centralized control and comprehensive protection for all your email traffic. The powerful architecture of Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of threats from making it to your network firewall. This reduces your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper level of analysis for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map out, monitor, optimize and troubleshoot their networking appliances such as routers, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are kept updated, copies and displays the configuration information of virtually all devices on your network, monitors performance, and generates notices when potential issues are detected. By automating time-consuming management activities, WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, locating appliances that require important software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to keep your network operating efficiently by tracking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT personnel and your assigned Progent consultant so that any potential issues can be resolved before they can impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hardware environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect data related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSLs or domains. By updating and managing your network documentation, you can eliminate up to half of time thrown away trying to find critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Find out more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior machine learning technology to guard endpoints and servers and VMs against modern malware attacks such as ransomware and email phishing, which easily escape traditional signature-based AV tools. Progent ASM services protect on-premises and cloud resources and provides a unified platform to automate the entire threat progression including blocking, identification, containment, remediation, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Help Center: Call Center Managed Services
Progent's Help Center managed services enable your IT group to offload Help Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your internal support resources and Progent's nationwide pool of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a transparent supplement to your in-house network support organization. Client access to the Help Desk, delivery of support, escalation, ticket creation and updates, efficiency measurement, and maintenance of the support database are cohesive regardless of whether issues are taken care of by your corporate IT support staff, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Call Center services.
- Patch Management: Patch Management Services
Progent's managed services for patch management offer organizations of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, applying, and tracking updates to your dynamic information system. In addition to maximizing the protection and reliability of your IT network, Progent's software/firmware update management services permit your IT team to focus on line-of-business projects and activities that derive the highest business value from your information network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against password theft by using two-factor authentication (2FA). Duo supports one-tap identity confirmation on Apple iOS, Google Android, and other personal devices. Using Duo 2FA, whenever you sign into a secured online account and give your password you are requested to verify who you are on a unit that only you possess and that uses a different ("out-of-band") network channel. A broad selection of devices can be utilized as this second means of ID validation such as a smartphone or watch, a hardware token, a landline phone, etc. You may designate several validation devices. For more information about Duo two-factor identity validation services, see Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time reporting utilities designed to work with the top ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues like spotty support follow-through or machines with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.