Ransomware: Your Feared IT Disaster
Ransomware has become an escalating cyber plague that poses an enterprise-level threat to any business vulnerable to attack. Multiple generations of crypto-ransomware such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for many years and continue to inflict harm. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, along with additional unnamed variants, not only encrypt critical online data but also infiltrate any reachable system restore points and backups. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly architected environment this can make recovery impossible and effectively knocks the datacenter back to zero.
Getting services and information back after a ransomware event becomes a race against time as the victim struggles to stop the spread, clear the ransomware and resume enterprise-critical activity. Because ransomware needs time to replicate, attacks are usually launched during nights and weekends, when intrusions typically take longer to discover. This multiplies the difficulty of promptly assembling and organizing a capable response team.
Progent offers an assortment of support services for protecting organizations from ransomware penetrations. These include staff training to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of modern security gateways with artificial intelligence technology from SentinelOne to detect and quarantine zero-day threats rapidly. Progent also provides the assistance of experienced ransomware recovery consultants with the talent and perseverance to rebuild a breached system as soon as possible.
Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware penetration, paying the ransom in Bitcoin provides no assurance that merciless criminals will hand over the keys needed to decrypt all your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their information even after sending off the ransom, resulting in further losses. Paying is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far above the usual crypto-ransomware demand, which ZDNET estimates averages approximately $13,000. The other path is to set up the mission-critical elements of your IT environment from scratch. Without access to complete data backups, this calls for a broad range of IT skills, professional project management, and the willingness to work continuously until the job is completed.
For decades, Progent has provided certified expert Information Technology services for companies in Brasília and throughout the US and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded advanced certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience in financial management and ERP application software. This breadth of experience gives Progent the ability to rapidly determine which systems are necessary, integrate the remaining pieces of your computer network environment following a ransomware attack, and assemble them into a functioning system.
Progent's recovery group uses top-notch project management applications to orchestrate the complicated restoration process. Progent understands the urgency of acting quickly and in concert with a customer's management and Information Technology team members to prioritize tasks and get essential services back online as soon as possible.
Customer Story: A Successful Ransomware Intrusion Response
A small business contacted Progent after their organization was crippled by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored criminal gangs, possibly using techniques leaked from America's National Security Agency. Ryuk goes after specific companies with little or no ability to sustain disruption and is among the most profitable incarnations of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area with around 500 employees. The Ryuk intrusion had disabled all company operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client was taking steps to pay the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but in the end called Progent.
"I cannot thank you enough for the expertise Progent provided us during the most stressful period of (our) company's survival. We would have paid the Hackers if not for the confidence the Progent group afforded us. The fact that you were able to get our e-mail system and important applications back in less than seven days was beyond my wildest dreams. Each expert I spoke to or messaged at Progent was absolutely committed to getting us back online and was working non-stop on our behalf."
Progent worked with the client to quickly identify and prioritize the most important systems that needed to be recovered to make it possible to resume departmental functions:
- Active Directory
- Exchange Server
- MRP System
To get going, Progent followed industry best practices for malware incident response by halting the spread and cleaning up infected systems. Progent then started the steps of bringing Active Directory back online, the heart of enterprise systems built on Microsoft Windows technology. Exchange email will not operate without AD, and the customer's accounting and MRP software used Microsoft SQL Server, which relies on Windows AD for access to the data.
Within 48 hours, Progent was able to recover Active Directory to its pre-attack state. Progent then performed reinstallations and storage recovery on mission-critical applications. All Exchange Server data and attributes were usable, which accelerated the rebuild of Exchange. Progent was also able to gather local OST files (Outlook offline folder files) from user desktop computers and laptops to recover mail messages. A recent off-line backup of the business's accounting/MRP systems made it possible to bring these vital services back online. Although a large amount of work remained to recover fully from the Ryuk damage, critical services were restored quickly:
"For the most part, the production operation survived unscathed and we produced all customer orders."
Throughout the following few weeks critical milestones in the restoration process were completed in close collaboration between Progent consultants and the client:
- Self-hosted web sites were restored with no loss of data.
- The MailStore archive for Microsoft Exchange Server, containing more than four million historical messages, was restored to operation and accessible to users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory capabilities were 100 percent operational.
- A new Palo Alto 850 firewall was set up and programmed.
- 90% of the user desktops were being used by staff.
"A lot of what transpired during the initial response is nearly entirely a fog for me, but we will not forget the commitment each and every one of you put in to give us our company back. I have trusted Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered. This event was a Herculean accomplishment."
A possible business-ending disaster was averted thanks to results-oriented professionals, a wide spectrum of knowledge, and close teamwork. In retrospect, the ransomware attack detailed here should have been stopped by modern security technology and security best practices: user education, well-thought-out incident response procedures, reliable information backup, and keeping systems up to date with security patches. The reality remains, however, that government-sponsored cybercriminals from Russia, China and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of professionals has a proven track record in ransomware defense, cleanup, and file recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for letting me get rested after we made it through the most critical parts. Everyone did an incredible job, and if any of your team is around the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this customer case study, see Progent's Ryuk Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Brasília a portfolio of online monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services include modern machine learning technology to uncover new variants of ransomware that are able to get past legacy signature-based anti-virus solutions.
For Brasília 24-7 Ransomware Repair Consulting, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next generation behavior machine learning tools to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely evade legacy signature-matching anti-virus tools. ProSight ASM protects local and cloud resources and provides a unified platform to address the complete malware attack progression including filtering, identification, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against newly discovered threats. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and response to security attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering via leading-edge technologies incorporated within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP deployment that addresses your organization's unique needs and allows you to achieve and demonstrate compliance with legal and industry data security standards. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent's consultants can also help your company install and test a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has worked with leading backup software providers to produce ProSight Data Protection Services (DPS), a portfolio of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup operations and allow non-disruptive backup and fast recovery of vital files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss resulting from equipment failures, natural calamities, fire, cyber attacks like ransomware, user error, ill-intentioned insiders, or software bugs. Managed services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you identify which of these fully managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security companies to deliver web-based control and world-class protection for your email traffic. The hybrid structure of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and keeps most unwanted email from reaching your network firewall. This reduces your exposure to inbound attacks and saves system bandwidth and storage. Email Guard's on-premises security gateway device adds a further level of inspection for inbound email. For outbound email, the local security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Exchange Server in tracking and protecting internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map out, monitor, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and access points as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration information of almost all devices on your network, monitors performance, and sends alerts when potential issues are detected. By automating complex management processes, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, locating appliances that require critical software patches, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent’s server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by tracking the state of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT personnel and your Progent engineering consultant so all potential problems can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be ported easily to an alternate hardware environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and protect data related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can save up to half of the time wasted searching for vital information about your IT network. ProSight IT Asset Management provides a common location for holding and sharing all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you’re making improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require as soon as you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection managed service that uses cutting-edge behavior-based machine learning technology to defend endpoints and physical and virtual servers against new malware attacks like ransomware and email phishing, which routinely evade legacy signature-based AV tools. Progent Active Security Monitoring services protect local and cloud resources and provide a unified platform to manage the complete malware attack lifecycle, including protection, identification, containment, cleanup, and forensics. Key features include single-click rollback with Windows VSS and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Call Center: Support Desk Managed Services
Progent's Support Center managed services allow your information technology group to offload Support Desk services to Progent or split activity for support services seamlessly between your in-house network support group and Progent's extensive roster of IT service engineers and subject matter experts. Progent's Shared Help Desk Service provides a smooth extension of your in-house IT support team. End user interaction with the Service Desk, provision of support services, problem escalation, trouble ticket creation and tracking, efficiency measurement, and maintenance of the support database are consistent regardless of whether issues are resolved by your in-house network support resources, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/shared Service Desk services.
- Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management provide businesses of any size a versatile and cost-effective solution for assessing, validating, scheduling, applying, and tracking updates to your ever-evolving information system. In addition to optimizing the security and reliability of your computer network, Progent's software/firmware update management services allow your in-house IT staff to focus on more strategic initiatives and tasks that derive maximum business value from your information network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo MFA managed services incorporate Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo supports single-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. With 2FA, when you sign into a protected application and enter your password you are asked to confirm your identity on a device that only you possess and that uses a separate network channel. A broad selection of out-of-band devices can be used as this second means of identity validation, including a smartphone or wearable, a hardware token, or a landline phone. You can register multiple validation devices. For more information about Duo identity authentication services, refer to Duo MFA two-factor authentication services.