Crypto-Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyberplague that poses an extinction-level danger for businesses unprepared for an assault. Different versions of ransomware such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and continue to cause harm. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, along with a steady stream of as-yet-unnamed strains, not only encrypt on-line critical data but also infect all configured system backups. Data replicated to the cloud can also be corrupted. In a poorly designed data protection solution, this can render automated recovery impossible and effectively knocks the network back to zero.
Restoring programs and information following a ransomware attack becomes a sprint against the clock as the targeted business fights to contain the damage, clear the crypto-ransomware, and restore enterprise-critical activity. Because crypto-ransomware requires time to move laterally, attacks are frequently launched on weekends and holidays, when they typically take longer to notice. This compounds the difficulty of quickly assembling and organizing an experienced mitigation team.
Progent makes available a range of solutions for protecting organizations from ransomware penetrations. Among these are user training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of the latest generation security solutions with AI technology from SentinelOne to detect and disable zero-day threats intelligently. Progent in addition can provide the services of expert ransomware recovery engineers with the skills and commitment to re-deploy a breached environment as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, even paying the ransom demand in cryptocurrency does not ensure that the cyber hackers will respond with the codes needed to decrypt all your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files even after having paid the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms are typically several hundred thousand dollars. For larger enterprises, the ransom can reach millions of dollars. The fallback is to set up from scratch the essential components of your IT environment. Absent access to full information backups, this calls for a broad range of skills, top-notch team management, and the ability to work non-stop until the recovery project is complete.
For two decades, Progent has provided expert IT services for businesses across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent in addition has experience in financial management and ERP application software. This breadth of expertise gives Progent the skills to rapidly identify critical systems and re-organize the remaining components of your network environment after a crypto-ransomware event and assemble them into a functioning network.
Progent's security team of experts utilizes best-of-breed project management applications to orchestrate the complex recovery process. Progent appreciates the importance of working rapidly and in concert with a customer's management and Information Technology staff to prioritize tasks and to get key applications back on-line as soon as humanly possible.
Case Study: A Successful Ransomware Penetration Restoration
A client sought out Progent after their network was attacked by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored criminal gangs, suspected of using approaches leaked from America's NSA. Ryuk seeks out specific organizations with little ability to sustain disruption and is one of the most profitable instances of ransomware malware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer located in Chicago with about 500 staff members. The Ryuk event had shut down all company operations and manufacturing processes. The majority of the client's system backups had been directly accessible at the time of the attack and were eventually encrypted. The client was evaluating paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but in the end made the decision to use Progent.
"I can't tell you enough in regards to the help Progent gave us throughout the most critical period of (our) business's existence. We would have had little choice but to pay the criminal gangs if it weren't for the confidence the Progent team gave us. The fact that you could get our messaging and essential servers back online in less than five days was amazing. Every single person I talked with or texted at Progent was absolutely committed to getting us back on-line and was working 24/7 on our behalf."
Progent worked with the client to quickly identify and assign priority to the essential applications that had to be recovered in order to restart business operations:
- Microsoft Active Directory
- Electronic Messaging
- MRP System
To begin, Progent adhered to ransomware incident response best practices by isolating and clearing infected systems. Progent then started the work of rebuilding Microsoft Active Directory (AD), the key technology of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not operate without AD, and the business's MRP system leveraged Microsoft SQL Server, which needs Active Directory services for access to the data.
Within two days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then rebuilt the most important servers and recovered their storage. All Exchange ties and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to assemble non-encrypted OST data files (Microsoft Outlook Off-Line Data Files) from various workstations and laptops to recover email messages. A relatively recent off-line backup of the customer's accounting software made it possible to restore these essential applications and make them available to users again. Although significant work remained to recover fully from the Ryuk attack, core services were returned to operation quickly:
"For the most part, the manufacturing operation ran fairly normal throughout and we delivered all customer orders."
Over the next month, key milestones in the restoration process were accomplished through tight cooperation between Progent consultants and the client:
- Internal web sites were returned to operation without losing any data.
- The MailStore Exchange Server with over four million archived messages was brought online and accessible to users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were 100% functional.
- A new Palo Alto Networks 850 firewall was set up.
- 90% of the user PCs were back in operation.
"So much of what occurred during the initial response is nearly entirely a fog for me, but my team will not soon forget the dedication each of the team put in to help get our business back. I have been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has come through and delivered. This event was no exception but maybe more Herculean."
Conclusion
A probable business disaster was averted by dedicated professionals, a broad array of knowledge, and tight collaboration. In hindsight, the ransomware penetration described here could have been prevented with up-to-date security systems and NIST Cybersecurity Framework best practices, user and IT administrator education, properly executed incident response procedures for information protection, and keeping systems up to date with security patches. The fact remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, feel confident that Progent's roster of experts has a proven track record in crypto-ransomware blocking, mitigation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get some sleep after we made it over the most critical parts. Everyone made an impressive effort, and if any of you guys are visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Garland a portfolio of online monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services include next-generation artificial intelligence capability to detect zero-day strains of ransomware that can evade traditional signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's next generation behavior-based analysis technology to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely get by traditional signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to address the complete malware attack progression including filtering, identification, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection services offer affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP offers firewall protection, penetration alarms, device control, and web filtering via leading-edge technologies packaged within one agent managed from a unified console. Progent's security and virtualization experts can help your business to design and configure a ProSight ESP environment that meets your organization's unique requirements and that allows you to prove compliance with legal and industry information security standards. Progent will assist you in defining and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also help your company to set up and test a backup and restore system like ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has partnered with leading backup software companies to produce ProSight Data Protection Services (DPS), a portfolio of management offerings that provide backup-as-a-service. ProSight DPS products automate and monitor your data backup operations and enable transparent backup and rapid recovery of vital files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you recover from data loss resulting from equipment failures, natural disasters, fire, cyber attacks like ransomware, user mistakes, ill-intentioned insiders, or software glitches. Managed services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these fully managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security companies to provide web-based management and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to offer advanced defense against spam, viruses, denial-of-service attacks, DHAs (directory harvest attacks), and other email-based threats. The cloud filter serves as a preliminary barricade and keeps the vast majority of threats from making it to your security perimeter. This reduces your vulnerability to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite gateway device adds a deeper layer of inspection for incoming email. For outgoing email, the onsite gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller businesses to map, track, reconfigure and debug their connectivity hardware such as routers and switches, firewalls, and access points as well as servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are kept current, copies and displays the configuration information of almost all devices connected to your network, monitors performance, and generates notices when problems are discovered. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, finding devices that need critical updates, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to keep your IT system operating at peak levels by tracking the health of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT management staff and your assigned Progent consultant so all looming issues can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hosting environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard data related to your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates, domains, or warranties. By updating and organizing your network documentation, you can save up to half the time spent trying to find critical information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates cutting-edge behavior-based machine learning technology to defend endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which easily get by legacy signature-based AV tools. Progent ASM services safeguard local and cloud resources and provide a unified platform to address the complete threat progression including protection, identification, containment, cleanup, and forensics. Key features include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Call Center: Call Center Managed Services
Progent's Support Desk services enable your information technology staff to outsource Call Center services to Progent or split responsibilities for Service Desk support transparently between your in-house network support staff and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a transparent supplement to your in-house IT support resources. End user interaction with the Service Desk, delivery of support, escalation, trouble ticket generation and tracking, performance metrics, and maintenance of the support database are cohesive regardless of whether incidents are taken care of by your internal network support staff, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/shared Call Center services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management provide organizations of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, implementing, and documenting updates to your ever-evolving information network. Besides optimizing the protection and functionality of your computer network, Progent's patch management services free up time for your IT team to focus on more strategic initiatives and activities that deliver the highest business value from your information network. Find out more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo MFA services incorporate Cisco's Duo technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables one-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. With 2FA, when you sign into a protected application and give your password, you are asked to verify your identity on a device that only you possess and that is accessed using a different ("out-of-band") network channel. A broad selection of devices can be utilized as this added form of ID validation, such as a smartphone or watch, a hardware token, or a landline telephone. You may designate several validation devices. For more information about ProSight Duo two-factor identity authentication services, see Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of in-depth reporting plug-ins designed to work with the industry's top ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-up or machines with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For 24-7 Garland Ransomware Removal Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.