Ransomware: Your Feared IT Disaster
Ransomware has become a modern cyber pandemic and an extinction-level threat for businesses of every size. Earlier families such as Reveton, CryptoWall, Bad Rabbit, SamSam and MongoLock have been in the wild for years and continue to cause damage. Current families such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Nephilim, plus newcomers that have not yet been named, do not simply encrypt online data: before encrypting, they typically delete Volume Shadow Copies and system restore points and encrypt or wipe any backup repository reachable from the compromised network. Files synchronized to an off-site disaster recovery site can be ransomed along with everything else. In a poorly architected environment this renders automated restoration useless and effectively resets the datacenter to zero.
Restoring applications and data after a ransomware outage becomes a race against time as the victim fights to stop lateral movement, remove the ransomware and bring mission-critical activity back. Because ransomware needs time to spread, attacks are frequently launched on weekends or holidays, when an intrusion may take longer to discover, and the clean-up then has to begin at the moment an experienced response team is hardest to mobilize and coordinate.
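The pre-encryption step described above (shadow copies deleted, the backup catalog wiped, automatic repair disabled) is what a defender most wants to catch, because it precedes the encryption by minutes. The following Python is an added example, not Progent's or any vendor's code: it scans process-creation records for those commands (MITRE ATT&CK T1490, Inhibit System Recovery), ignores benign administrative use such as listing shadow copies, and flags hosts where several distinct techniques fire in sequence, noting whether they fired outside business hours. The log lines, host names, accounts and timestamps are constructed for the example.

```python
"""Detect the commands ransomware operators run before encryption to make
recovery impossible: deleting Volume Shadow Copies, wiping the Windows backup
catalog and disabling automatic repair (MITRE ATT&CK T1490).  Added example,
not Progent's or any vendor's code; the records below are constructed and
the hosts, accounts and times are made up."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample, one process-creation record per line:
# timestamp|host|user|command line (e.g. Sysmon Event ID 1 or Security 4688).
SAMPLE_LOG = """\
2024-03-09T02:13:41Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2024-03-09T02:13:42Z|FS01|CORP\\svc_backup|wmic shadowcopy delete
2024-03-09T02:13:44Z|FS01|CORP\\svc_backup|bcdedit /set {default} recoveryenabled no
2024-03-09T02:13:45Z|FS01|CORP\\svc_backup|wbadmin delete catalog -quiet
2024-03-09T02:14:01Z|FS01|CORP\\svc_backup|net stop "SQL Server (MSSQLSERVER)" /y
2024-03-08T10:02:17Z|WS042|CORP\\jsmith|C:\\Windows\\System32\\vssadmin.exe list shadows
2024-03-08T11:30:05Z|WS042|CORP\\jsmith|powershell.exe Get-ChildItem C:\\Users
"""

# Each rule names the tool AND the destructive verb, so "vssadmin list shadows"
# or a normal bcdedit query does not match.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_storage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery", re.compile(
        r"bcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]


@dataclass(frozen=True)
class Detection:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str
    off_hours: bool


def _off_hours(ts: str) -> bool:
    """Weekend, or 22:00-06:00 UTC.  Adjust to the site's own calendar."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return dt.weekday() >= 5 or dt.hour >= 22 or dt.hour < 6


def scan(log_text: str) -> list[Detection]:
    """Return one Detection per record whose command line matches a rule."""
    hits: list[Detection] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append(Detection(ts, host, user, name, cmd, _off_hours(ts)))
                break
    return hits


def burst_hosts(hits: list[Detection], min_rules: int = 2) -> dict[str, set[str]]:
    """Hosts on which several distinct recovery-inhibition techniques fired.
    One such command may be an administrator tidying up; several in a row
    from one account is the pre-encryption pattern and the host should be
    isolated immediately."""
    by_host: dict[str, set[str]] = {}
    for h in hits:
        by_host.setdefault(h.host, set()).add(h.rule)
    return {host: rules for host, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.host} {h.user} {h.rule}{' [off-hours]' if h.off_hours else ''}")
    for host, rules in burst_hosts(found).items():
        print(f"ISOLATE {host}: {len(rules)} recovery-inhibition techniques observed")
```

In production the same logic runs over the CommandLine field of Sysmon Event ID 1 or Windows Security event 4688 forwarded to the SIEM; the point of the burst check is that a single rule hit is a ticket, while several distinct hits on one host within a minute justify automated isolation without waiting for an analyst. The "net stop" line in the sample is deliberately not matched: stopping database services is part of the same playbook but is too common in legitimate maintenance to alert on by itself.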
Progent offers a variety of services for protecting businesses from ransomware intrusions. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern SentinelOne security tooling with AI capabilities that detects and quarantines zero-day attacks automatically. Progent also provides experienced ransomware recovery engineers with the track record and perseverance to rebuild a compromised network as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom in cryptocurrency gives no assurance that the attackers will deliver working decryption keys for any or all of your files. Kaspersky found that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet put at approximately $13,000. The alternative is to piece back together the mission-critical components of your IT environment. Without complete backups, this requires a broad set of skills, first-rate team management, and the willingness to work around the clock until the job is done.
For two decades, Progent has provided professional IT services for businesses in Garland and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned top certifications in key technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's cyber security specialists hold internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of expertise gives Progent the skills to knowledgeably identify critical systems, reorganize the surviving parts of your network environment after a ransomware event, and reassemble them into an operational network.
Progent's ransomware team of experts uses powerful project management tools to coordinate the complicated recovery process. Progent knows the importance of acting quickly and in concert with a client's management and Information Technology team members to prioritize tasks and to put the most important systems back on-line as fast as humanly possible.
Case Study: A Successful Ransomware Penetration Restoration
A small business escalated to Progent after its network was brought down by the Ryuk ransomware. Early analysis linked Ryuk to North Korean actors because it shares code with the earlier Hermes ransomware; it has since been attributed to a Russian-speaking criminal group that runs it as a targeted, human-operated campaign. Ryuk goes after specific companies with little tolerance for downtime and is one of the most lucrative ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk attack had frozen all company operations and manufacturing capabilities. Most of the client's backups had been reachable from the network at the start of the intrusion and were destroyed along with the production data. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I can't say enough in regards to the support Progent provided us during the most critical period of (our) businesses existence. We had little choice but to pay the Hackers except for the confidence the Progent experts provided us. That you could get our e-mail system and production servers back into operation quicker than seven days was beyond my wildest dreams. Every single consultant I spoke to or communicated with at Progent was amazingly focused on getting us operational and was working 24/7 on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the most important services that had to be recovered before departmental functions could restart:
First, Progent followed incident response best practices by isolating affected systems and removing the malware. Progent then began restoring Microsoft Active Directory, the foundation of enterprise networks built on Microsoft Windows. Microsoft Exchange cannot operate without Active Directory, and the company's MRP applications relied on Microsoft SQL Server, which used Active Directory to authenticate and authorize access to the data.
- Windows Active Directory
- Microsoft Exchange
In less than 48 hours, Progent rebuilt Active Directory to its pre-intrusion state. Progent then helped rebuild and recover storage on essential servers. Exchange Server's Active Directory objects and configuration data were intact, which accelerated the rebuild of Exchange. Progent located OST files (Microsoft Outlook Offline Data Files) on staff desktops and laptops and used them to recover mailbox contents. A reasonably recent offline backup of the company's financial/ERP software allowed those essential applications to be restored to service. Although a great deal of work remained to recover completely from the Ryuk event, core systems were returned to operation rapidly:
"For the most part, the production manufacturing operation never missed a beat and we delivered all customer orders."
Over the next couple of weeks key milestones in the recovery project were made through close collaboration between Progent team members and the customer:
- Self-hosted web sites were returned to operation with no loss of data.
- The MailStore Server containing more than four million archived messages was spun up and available for users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory modules were completely functional.
- A new Palo Alto Networks 850 security appliance was brought online.
- 90% of the desktops and laptops were back in use by staff.
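The recovery sequence in this case study (Active Directory first, then Exchange and SQL Server, then the ERP application that depends on SQL Server) is an instance of a general problem: given which services depend on which, compute the order in which they can be rebuilt, and know what stays down while a particular service has no restorable backup. The following Python is an added example, not Progent's runbook or the customer's real topology; the dependency map is a simplified reconstruction of the case, and the "web" and "mailstore" entries and their dependencies are assumptions.

```python
"""Recovery sequencing for a ransomware rebuild.  Added example, not
Progent's runbook; the dependency map is a simplified, partly assumed
reconstruction of the case study above."""
from __future__ import annotations

# service -> set of services it requires before it can be brought up.
# Constructed; the real customer topology is not on the page.
DEPENDENCIES: dict[str, set[str]] = {
    "active_directory": set(),
    "exchange": {"active_directory"},
    "sql_server": {"active_directory"},
    "erp": {"sql_server", "active_directory"},
    "mailstore": {"active_directory", "exchange"},   # assumed: archive reads from Exchange
    "web": set(),                                     # assumed: self-hosted sites stand alone
}


def recovery_waves(deps: dict[str, set[str]]) -> list[list[str]]:
    """Group services into waves: everything in wave N can be rebuilt in
    parallel once waves 0..N-1 are back.  Raises ValueError on a dependency
    cycle, because nothing in a cycle can come up without manual intervention."""
    indegree = {s: len(reqs) for s, reqs in deps.items()}
    dependents: dict[str, set[str]] = {s: set() for s in deps}
    for s, reqs in deps.items():
        for req in reqs:
            if req not in deps:
                raise KeyError(f"{s} depends on {req}, which is not in the plan")
            dependents[req].add(s)

    wave = sorted(s for s, n in indegree.items() if n == 0)
    waves: list[list[str]] = []
    placed = 0
    while wave:
        waves.append(wave)
        placed += len(wave)
        ready: set[str] = set()
        for s in wave:
            for dep in dependents[s]:
                indegree[dep] -= 1
                if indegree[dep] == 0:
                    ready.add(dep)
        wave = sorted(ready)

    if placed != len(deps):
        stuck = sorted(s for s, n in indegree.items() if n > 0)
        raise ValueError("cyclic dependency, cannot schedule: " + ", ".join(stuck))
    return waves


def blocked_by(deps: dict[str, set[str]], lost: str) -> set[str]:
    """Services that cannot be restored while `lost` is unrecoverable (for
    example because its backups were encrypted): `lost` itself and every
    service that depends on it, transitively."""
    dependents: dict[str, set[str]] = {s: set() for s in deps}
    for s, reqs in deps.items():
        for req in reqs:
            dependents.setdefault(req, set()).add(s)
    blocked: set[str] = set()
    stack = [lost]
    while stack:
        s = stack.pop()
        if s in blocked:
            continue
        blocked.add(s)
        stack.extend(dependents.get(s, ()))
    return blocked


if __name__ == "__main__":
    for i, wave in enumerate(recovery_waves(DEPENDENCIES)):
        print(f"wave {i}: {', '.join(wave)}")
    print("if sql_server has no backup, still down:", sorted(blocked_by(DEPENDENCIES, "sql_server")))
```

The output for the constructed map is three waves: Active Directory and the web sites first, then Exchange and SQL Server, then ERP and the mail archive, which is the order the case study followed. The `blocked_by` view is the one to run before deciding whether a ransom is even worth considering: it shows what the loss of a single unrecoverable system costs downstream, and therefore which system's offline backup matters most.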
"Much of what went on those first few days is nearly entirely a fog for me, but my team will not soon forget the commitment all of the team put in to give us our business back. I've utilized Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered. This event was a life saver."
A possible business extinction event was averted by hard-working experts, a wide range of knowledge, and tight teamwork. In hindsight, the intrusion described here should have been blocked by modern security tooling and recognized best practices: user and administrator education, appropriate data protection procedures such as offline backups, and disciplined patch management. The reality remains that state-sponsored and criminal actors from Russia, China and elsewhere are relentless and represent an ongoing threat. If you are hit by ransomware, remember that Progent's roster of professionals has proven experience in ransomware defense, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for making it so I could get some sleep after we got through the most critical parts. Everyone did an incredible job, and if any of your team is around the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Garland a portfolio of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services incorporate modern artificial intelligence capability to uncover new variants of ransomware that can get past legacy signature-based anti-virus solutions.
For Garland 24x7x365 Crypto Cleanup Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to manage the complete malware attack progression including blocking, infiltration detection, mitigation, remediation, and forensics. Key features include single-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to design and implement a ProSight ESP environment that meets your organization's unique needs and that allows you to demonstrate compliance with legal and industry data security standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also assist you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with advanced backup software companies to produce ProSight Data Protection Services, a portfolio of offerings that deliver backup-as-a-service. ProSight DPS products automate and monitor your data backup processes and enable non-disruptive backup and rapid recovery of important files, applications, images, plus VMs. ProSight DPS lets your business protect against data loss resulting from hardware failures, natural disasters, fire, malware such as ransomware, user mistakes, malicious insiders, or software bugs. Managed services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top data security vendors to deliver web-based management and world-class security for your inbound and outbound email. The powerful structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from making it to your security perimeter. This decreases your vulnerability to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper layer of inspection for inbound email. For outgoing email, the on-premises security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also assist Exchange Server to track and safeguard internal email that originates and ends within your corporate firewall. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to diagram, monitor, enhance and troubleshoot their connectivity appliances such as switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network diagrams are kept current, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and sends alerts when problems are discovered. By automating complex management processes, ProSight WAN Watch can cut hours off common chores like network mapping, expanding your network, locating devices that require important updates, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by checking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT management personnel and your assigned Progent consultant so that all potential problems can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Because the system is virtualized, it can be moved immediately to a different hosting environment without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and protect information about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as half the time otherwise spent searching for vital information about your network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents related to managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting edge behavior analysis technology to defend endpoints as well as physical and virtual servers against new malware assaults such as ransomware and email phishing, which routinely evade legacy signature-matching anti-virus products. The service protects on-premises and cloud resources and offers a unified platform to address the entire threat lifecycle including blocking, infiltration detection, containment, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Call Desk: Support Desk Managed Services
Progent's Help Desk managed services permit your IT staff to outsource Support Desk services to Progent or divide activity for Service Desk support transparently between your in-house network support staff and Progent's nationwide roster of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a transparent supplement to your core IT support team. Client interaction with the Help Desk, provision of support, issue escalation, trouble ticket generation and tracking, efficiency measurement, and management of the support database are cohesive regardless of whether issues are taken care of by your corporate support resources, by Progent's team, or both. Find out more about Progent's outsourced/shared Help Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide organizations of all sizes a flexible and affordable solution for assessing, validating, scheduling, implementing, and documenting updates to your dynamic information system. Besides maximizing the protection and functionality of your computer environment, Progent's patch management services free up time for your in-house IT staff to concentrate on more strategic projects and activities that derive the highest business value from your network. Read more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo authentication managed services utilize Cisco's Duo technology to defend against compromised passwords by using two-factor authentication. Duo supports single-tap identity verification on Apple iOS, Android, and other personal devices. With 2FA, whenever you log into a protected account and enter your password you are asked to confirm who you are on a device that only you possess, over a separate channel from the login itself. A wide range of out-of-band devices can serve as this second factor, including a smartphone or wearable, a hardware token, or a landline telephone. You may designate multiple validation devices. For more information about ProSight Duo two-factor identity validation services, see Duo MFA two-factor authentication services.