Ransomware: Your Worst Information Technology Disaster
Crypto-Ransomware Recovery Experts
Ransomware has become an escalating cyberplague that poses an existential threat to any organization vulnerable to an attack. Older families such as Reveton, CryptoWall, Locky, Syskey and MongoLock have circulated for years and still cause damage. Recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with frequent unnamed variants, not only encrypt online data files but also encrypt every backup they can reach over the network. Data replicated to the cloud is not safe either: a sync client will faithfully replicate the encrypted copies. If the backup design has no offline or immutable copy, restoration can become impossible and the organization is effectively set back to square one.

Restoring applications and data after a ransomware event is a race against time as the targeted organization works to contain the damage, eradicate the malware, and resume business-critical operations. Because the encryption phase takes time to propagate across an environment, attackers usually trigger it on nights and weekends, when it takes longer for anyone to notice. This multiplies the difficulty of quickly assembling and coordinating an experienced response team.

Progent offers a range of services for protecting businesses against crypto-ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation endpoint protection from SentinelOne, which uses behavioral AI to detect and block zero-day threats automatically. Progent also provides veteran crypto-ransomware recovery engineers with the skills and persistence to rebuild a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency offers no assurance that the attackers will deliver keys that decrypt any or all of your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also costly: Ryuk demands frequently range from 15 to 40 BTC ($120,000 to $400,000 at the time), well above the average ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the critical elements of your IT environment from scratch. Without usable backups, this requires a wide range of skills, strong team management, and the ability to work continuously until the job is done.

For twenty years, Progent has provided expert IT services to companies in Uniondale and across the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants holding high-level industry certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise lets Progent rapidly identify the critical systems, assemble the surviving pieces of your IT environment after a crypto-ransomware intrusion, and configure them back into a working network.

Progent's security group uses modern project management tooling to coordinate the complex recovery process. Progent understands the urgency of acting quickly and in concert with a client's management and IT staff to prioritize tasks and bring the most important services back online as fast as humanly possible.

Customer Case Study: A Successful Ransomware Intrusion Restoration
A client engaged Progent after its company was taken down by the Ryuk ransomware. Ryuk was at first attributed to North Korean state-sponsored actors because of the code it shares with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific businesses with little tolerance for downtime and is among the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business in Chicago with about 500 employees. The Ryuk attack had halted all essential business and manufacturing processes. Most of the client's backups had been online (reachable from the network) at the start of the intrusion and were eventually encrypted as well. The client was arranging financing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.


"I can't thank you enough for the care Progent gave us during the most stressful period of (our) company's life. We most likely would have paid the cybercriminals if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and production applications back on-line in less than one week was beyond my wildest dreams. Every single consultant I worked with or messaged at Progent was absolutely committed to getting our company operational and was working 24/7 to bail us out."

Progent worked with the customer to quickly identify and prioritize the systems that had to be restored first to allow business functions to resume:

  • Active Directory (AD)
  • Exchange Server
  • Accounting and Manufacturing Software
First, Progent followed incident response best practices: isolating affected hosts to stop lateral movement, then removing the malware. Progent then began rebuilding Active Directory, the foundation of any environment built on Windows Server. Exchange Server cannot function without Active Directory, and the customer's accounting and MRP system ran on Microsoft SQL Server, which relied on AD for authentication and authorization to the data.

Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then pressed ahead with reinstallation and disk recovery on mission-critical systems. The Exchange schema extensions and object attributes in AD were intact, which sped up the Exchange restore. Progent collected unencrypted OST files (Outlook offline data files) from user PCs and laptops to recover mailbox contents; an OST holds whatever had been cached locally, is bound to the original mailbox profile, and has to be exported or converted before it can be loaded into a rebuilt mailbox. A recent offline backup of the client's accounting systems made it possible to bring those essential applications back online for users. Although major work remained before the recovery from Ryuk was complete, core services were restored quickly:
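Harvesting OST files from hundreds of endpoints only helps if you can tell quickly which copies the encryptor missed. The script below is an added example, not part of the original case study and not Progent's tooling. It relies only on the documented MS-PST header layout, in which every intact OST/PST begins with the 4-byte magic `!BDN`, and on the observation that ciphertext has near-maximal byte entropy while a real mailbox header does not. The sample bytes it tests are constructed in the script, not taken from real mailboxes; the threshold of 7.5 bits per byte is an assumption that works for whole-file encryption and may need tuning for intermittent encryptors that leave headers intact.

```python
"""Triage collected Outlook OST/PST files after a ransomware event.

Added example: uses only the public MS-PST HEADER layout (dwMagic = "!BDN")
plus a byte-entropy heuristic. Sample inputs are constructed below.
"""
import math
import os
from collections import Counter
from pathlib import Path

PST_MAGIC = b"!BDN"          # dwMagic at offset 0 of every intact PST/OST
SAMPLE_BYTES = 4096          # enough of the file head to judge randomness
ENTROPY_ENCRYPTED = 7.5      # bits/byte (assumed threshold): ciphertext ~8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_ost_bytes(head: bytes) -> str:
    """Classify a file from its leading bytes.

    "intact"    - MS-PST magic present and the head is not noise
    "encrypted" - magic gone and the head has ciphertext-like entropy
    "damaged"   - magic gone but low entropy (truncated, zeroed, renamed)
    """
    entropy = shannon_entropy(head)
    if head.startswith(PST_MAGIC) and entropy < ENTROPY_ENCRYPTED:
        return "intact"
    if entropy >= ENTROPY_ENCRYPTED:
        return "encrypted"
    return "damaged"


def classify_ost_file(path: Path) -> str:
    """Read only the head of the file; a 50 GB OST is not loaded into memory."""
    with path.open("rb") as fh:
        return classify_ost_bytes(fh.read(SAMPLE_BYTES))


def triage_directory(root: Path) -> dict:
    """Walk a tree of collected files and bucket every .ost/.pst by state."""
    results = {"intact": [], "encrypted": [], "damaged": []}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in {".ost", ".pst"}:
            results[classify_ost_file(p)].append(p)
    return results


# Constructed sample data, not real mailbox files.
def make_intact_header() -> bytes:
    """Magic followed by a mostly-zero header, as a fresh OST looks on disk."""
    return PST_MAGIC + b"\x00" * (SAMPLE_BYTES - len(PST_MAGIC))


def make_encrypted_blob() -> bytes:
    """Stand-in for a file the ransomware overwrote with ciphertext."""
    return os.urandom(SAMPLE_BYTES)


if __name__ == "__main__":
    print(classify_ost_bytes(make_intact_header()))   # intact
    print(classify_ost_bytes(make_encrypted_blob()))  # encrypted
    print(classify_ost_bytes(b"\x00" * 512))          # damaged
```

Run `triage_directory(Path("/mnt/collected"))` over the tree of files pulled from endpoints and only the "intact" bucket goes to the mail conversion step; anything flagged "encrypted" is kept as evidence but not fed to recovery tooling.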


"For the most part, the production line operation showed little impact and we delivered all customer orders."

Over the following weeks, key milestones in the recovery were reached through close cooperation between Progent consultants and the customer:

  • Internal web applications were brought back up without data loss.
  • The MailStore Server holding more than 4 million archived messages was restored and made available to users.
  • The CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory control modules were fully recovered.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Most desktops and laptops were back in service.

"Much of what went on those first few days is mostly a blur for me, but we will not forget the countless hours each member of the team put in to give us our company back. I've been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This time was a life saver."

Conclusion
A potential business-ending disaster was averted through top-tier experts, a broad range of IT skills, and tight teamwork. In hindsight, the attack described here would have been prevented by current security technology, the controls in the NIST Cybersecurity Framework or ISO/IEC 27001, staff training, offline or immutable backups, disciplined patching, and a tested incident response plan. The reality remains, however, that criminal and state-sponsored actors in Russia, North Korea and elsewhere are tireless and will keep attacking. If you are hit by ransomware, remember that Progent's team has extensive experience in ransomware prevention, remediation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), I'm grateful for allowing me to get some sleep after we made it over the most critical parts. Everyone made an incredible effort, and if any of your team is around the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Uniondale a range of remote monitoring and security assessment services designed to reduce your exposure to ransomware. These services use behavioral and AI-based detection to catch new ransomware variants that slip past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service built on SentinelOne's next-generation behavior-based analysis to defend physical and virtual endpoints against modern malware such as ransomware and fileless attacks, which readily evade traditional signature-based anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a single platform for managing the full threat lifecycle: prevention, intrusion detection, containment, remediation, and forensics. Key capabilities include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly seen attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services provide economical, in-depth security for physical servers, virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavioral analysis for round-the-clock monitoring and response to threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through tools integrated in a single agent and managed from one console. Progent's security and virtualization experts can help you design and configure a ProSight ESP deployment that fits your organization's needs and lets you demonstrate compliance with legal and industry data protection regulations. Progent will help you define and configure the security policies ProSight ESP enforces, monitor your environment, and respond to alerts that require urgent action. Progent can also help you set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with leading backup software vendors to create ProSight Data Protection Services, a family of backup-as-a-service offerings. ProSight DPS services manage and monitor your backup jobs and provide transparent backup and fast restoration of critical files, applications, images, and VMs. ProSight DPS protects your business against data loss from hardware failures, natural disasters, fire, malware such as ransomware, user error, malicious insiders, or software bugs. Managed backup services in the ProSight Data Protection Services line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you decide which of these managed backup services best fit your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service, which combines technology from leading data security vendors to deliver web-based management and comprehensive protection for inbound and outbound email. Email Guard pairs a Cloud Protection Layer with an on-premises security gateway appliance to defend against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter acts as the first barrier and stops the vast majority of unwanted email before it reaches your perimeter, reducing your exposure to inbound attacks and conserving bandwidth and storage. The on-premises gateway appliance applies a deeper layer of inspection to inbound email. For outbound email, the gateway provides anti-virus and anti-spam filtering, data loss prevention (DLP), and email encryption. The local gateway can also help Microsoft Exchange Server track and protect internal email that never leaves your perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map, monitor, reconfigure and troubleshoot their connectivity devices such as routers, switches, firewalls, and wireless controllers, as well as servers, client computers and other devices. Using current Remote Monitoring and Management (RMM) technology, ProSight WAN Watch keeps network diagrams up to date, captures and manages the configuration of nearly every device on your network, tracks performance, and raises alerts when potential problems are detected. By automating tedious management and troubleshooting tasks, ProSight WAN Watch can cut hours from routine chores such as producing network diagrams, reconfiguring the network, finding devices that need important updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service, which uses remote monitoring and management technology to keep your network running at peak performance by tracking the health of the critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT staff and your assigned Progent consultant so that emerging issues can be addressed before they disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting, a small or mid-sized business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved to a different hosting environment without a lengthy and technically risky reconfiguration. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that lets you create, update, retrieve and safeguard information about your IT infrastructure, procedures, business applications, and services. You can instantly look up passwords or serial numbers and receive automatic alerts about upcoming expirations of SSL certificates, domains, or warranties. By cleaning up and organizing your infrastructure documentation, you can save as much as 50% of the time spent searching for vital information about your network. ProSight IT Asset Management provides a central location for storing and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions, and supports advanced automation for collecting and correlating IT data. Whether you are planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that uses behavior-based analysis to defend endpoints and physical and virtual servers against new malware such as ransomware and phishing payloads, which readily evade legacy signature-matching anti-virus tools. The service protects on-premises and cloud resources and provides a unified platform for automating the entire attack lifecycle: prevention, intrusion detection, containment, cleanup, and forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Service Desk: Support Desk Managed Services
    Progent's Support Center services let your IT team outsource Help Desk services to Progent entirely or share support responsibilities transparently between your internal staff and Progent's large pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service acts as a seamless extension of your in-house support organization. User access to the Help Desk, delivery of technical assistance, issue escalation, ticket creation and updates, performance measurement, and maintenance of the service database remain consistent regardless of whether incidents are handled by your in-house staff, by Progent, or by a mix of the two. Read more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management give businesses of any size a flexible and cost-effective way to assess, test, schedule, deploy, and track updates across a constantly changing IT network. Besides improving the security and reliability of your network, Progent's patch management services free your IT staff to concentrate on line-of-business projects that deliver the most value from your information systems. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans use Cisco's Duo cloud technology to protect against credential theft through two-factor authentication (2FA). Duo provides single-tap identity verification on Apple iOS, Android, and other personal devices. With 2FA, after you enter your password for a protected account you are asked to confirm your identity on a device that only you possess, reached over a separate channel, so a stolen password alone is not enough to log in. A wide range of devices can serve as the second factor, including an iPhone, an Android phone, a smartwatch, a hardware or software token, or a landline phone, and you can enroll several verification devices. To find out more about ProSight Duo identity authentication services, visit Cisco Duo MFA two-factor authentication services for access security.
For Uniondale 24x7x365 crypto-ransomware recovery services, contact Progent at 800-462-8800 or go to Contact Progent.