Ransomware : Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that poses an existential danger to any business vulnerable to an attack. Multiple generations of ransomware such as Reveton, CryptoWall, Locky, Syskey and MongoLock have run rampant for years and still cause havoc. Recent families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with a steady stream of unnamed newcomers, not only encrypt online data but also seek out and destroy any backups reachable from the compromised network. Data synchronized to the cloud can be corrupted as well, because the encrypted files simply overwrite the clean copies. In a vulnerable environment this renders automated restoration useless and effectively sets the datacenter back to square one.
Restoring applications and data after a crypto-ransomware event becomes a sprint against time as the victim tries to contain the damage, eradicate the malware, and restore mission-critical activity. Because ransomware needs time to propagate and encrypt, attacks are usually launched on weekends and holidays, when they take longer to notice. This compounds the difficulty of promptly marshalling and organizing a knowledgeable response team.
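The window between initial access and the encryption run is where the attack is still detectable, and the page's point that attacks are timed for weekends and holidays is exactly why automated detection matters. The Python script below is an added example, not Progent's tooling and not part of the original page. It runs two early-warning heuristics over a small set of constructed (not real) endpoint events: a process-creation rule for the recovery-sabotage commands ransomware typically runs before encrypting (shadow copy deletion, backup catalog deletion, boot recovery disabled), and a file-activity rule that flags a burst of renames in which many files on one host acquire the same new extension. Each alert is tagged with whether it fired outside business hours. The event format, the thresholds and the business-hours window are all assumptions.

```python
"""Early-warning heuristics for a ransomware run (added example, not Progent's tooling).

Input is a list of constructed endpoint events (dicts). Two rules:
  1. recovery sabotage: command lines that delete shadow copies, backup
     catalogs or disable Windows boot recovery
  2. rename burst: many files on one host acquire the same new extension
     within a short window (bulk encryption renames, e.g. ".RYK")
Each alert records whether it fired outside assumed business hours.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines routinely run before encryption to cripple recovery.
SABOTAGE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
]
RENAME_BURST_MIN = 20                        # assumed: renames to one new extension
RENAME_BURST_WINDOW = timedelta(seconds=60)  # assumed: within this window
BUSINESS_HOURS = range(7, 19)                # assumed: 07:00-18:59 local, Mon-Fri


def off_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def _ext(path: str) -> str:
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_sabotage(events):
    """Rule 1: flag every process event whose command line matches a sabotage pattern."""
    alerts = []
    for ev in events:
        if ev["type"] != "process":
            continue
        if any(p.search(ev["cmdline"]) for p in SABOTAGE_PATTERNS):
            alerts.append({"rule": "recovery_sabotage", "host": ev["host"],
                           "cmdline": ev["cmdline"], "off_hours": off_hours(ev["ts"])})
    return alerts


def detect_rename_burst(events):
    """Rule 2: per (host, new extension), count renames that changed the
    extension inside a sliding window; alert when the peak count is high."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["type"] == "rename" and _ext(ev["src"]) != _ext(ev["dst"]):
            buckets[(ev["host"], _ext(ev["dst"]))].append(ev["ts"])
    alerts = []
    for (host, ext), times in buckets.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > RENAME_BURST_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= RENAME_BURST_MIN:
            alerts.append({"rule": "rename_burst", "host": host, "new_ext": ext,
                           "count": peak, "off_hours": off_hours(times[0])})
    return alerts


def run_detectors(events):
    """Run both rules and return the combined alert list."""
    return detect_sabotage(events) + detect_rename_burst(events)


def build_sample_events():
    """Constructed telemetry: a Saturday 03:00 Ryuk-style run plus benign noise."""
    sat = datetime(2020, 3, 14, 3, 0, 0)   # Saturday, small hours
    mon = datetime(2020, 3, 16, 10, 0, 0)  # Monday, business hours
    events = [
        {"type": "process", "host": "FS01", "ts": sat,
         "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
        {"type": "process", "host": "FS01", "ts": sat + timedelta(seconds=2),
         "cmdline": "bcdedit /set {default} recoveryenabled No"},
        {"type": "process", "host": "FS01", "ts": mon,
         "cmdline": "vssadmin.exe list shadows"},           # benign admin query
    ]
    for i in range(25):                                     # bulk encryption renames
        events.append({"type": "rename", "host": "FS01",
                       "ts": sat + timedelta(seconds=5 + i),
                       "src": f"\\\\FS01\\Finance\\report{i}.xlsx",
                       "dst": f"\\\\FS01\\Finance\\report{i}.xlsx.RYK"})
    for i in range(3):                                      # benign save-as renames
        events.append({"type": "rename", "host": "WS07",
                       "ts": mon + timedelta(seconds=i),
                       "src": f"C:\\Users\\bob\\draft{i}.tmp",
                       "dst": f"C:\\Users\\bob\\draft{i}.docx"})
    return events


if __name__ == "__main__":
    for alert in run_detectors(build_sample_events()):
        print(alert)
```

On the constructed sample the sabotage rule fires twice (the shadow-copy deletion and the bcdedit change) and the rename rule fires once for 25 files on FS01 gaining the .ryk extension, all flagged as off-hours; the Monday "vssadmin list shadows" query and the three save-as renames produce nothing. In a real deployment the events would come from Sysmon or EDR process-creation telemetry and file-server audit logs, and the shadow-copy rule in particular deserves a paging alert rather than a ticket, because by the time it fires the encryption run is typically seconds away.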
Progent offers a range of services for protecting businesses from ransomware attacks. Among these are staff education to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security solutions with machine learning capabilities from SentinelOne that detect and contain new threats automatically. Progent also offers the assistance of seasoned ransomware recovery professionals with the track record and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom in Bitcoin does not ensure that the criminals will hand over the keys needed to decrypt any or all of your data. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their files after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at approximately $13,000. The alternative is to rebuild the essential components of your IT environment from scratch. Without complete data backups, this calls for a broad complement of skills, top-notch team management, and the capacity to work around the clock until the recovery is finished.
For decades, Progent has provided professional IT services to businesses in Baton Rouge and throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise in financial systems and ERP software. This breadth of experience lets Progent identify critical systems, organize the surviving parts of your network after a ransomware penetration, and rebuild them into a functioning environment.
Progent's security team uses top-notch project management tools to coordinate the complex recovery process. Progent understands the urgency of working quickly and in concert with a customer's management and IT staff to prioritize tasks and get critical services back online as soon as humanly possible.
Case Study: A Successful Crypto-Ransomware Virus Response
A small business sought out Progent after being penetrated by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis by CrowdStrike and others attributed it to a Russian-speaking criminal group. Ryuk targets specific businesses with little or no ability to sustain disruption and is among the most profitable strains of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's system backups had been online at the time of the attack and were destroyed. The client considered paying the ransom demand (more than $200K) and hoping for the best, but in the end reached out to Progent.
"I cannot speak enough about the expertise Progent gave us throughout the most stressful period of (our) company's life. We most likely would have paid the cybercriminals if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and important servers back in less than five days was amazing. Every single expert I got help from or messaged at Progent was absolutely committed to getting us back online and was working non-stop on our behalf."
Progent worked hand in hand with the client to quickly assess and prioritize the essential applications that had to be restored before departmental operations could resume:
- Windows Active Directory
- Electronic mail
First, Progent followed incident response best practices by containing the spread and eradicating the active malware. Progent then began rebuilding Microsoft Active Directory (AD), the core technology of enterprise systems built on Windows Server. Exchange email does not work without AD, and the business's MRP applications used Microsoft SQL Server, which relied on Active Directory for authentication to the data.
Within two days, Progent restored Active Directory to its pre-penetration state. Progent then completed system setup and storage recovery on the needed servers. All Exchange Server data and configuration information were intact, which simplified the Exchange restore. Progent also collected unencrypted OST files (Outlook offline data files) from various desktop computers to recover mailbox contents. A relatively recent offline backup of the customer's manufacturing systems made it possible to bring these essential services back online for users. Although significant work remained to recover fully from Ryuk, core services were restored quickly:
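Recovering mail from OST files scattered across desktops only works for copies the ransomware never reached, so the first step is to sort candidates by whether they are still Outlook data files at all. The Python script below is an added example, not Progent's tooling and not part of the original page. It checks the MS-PST header signature (bytes 0-3 are "!BDN" and bytes 8-9, wMagicClient, are "SM"), and for files that fail that check it reports the Shannon entropy of the first 4 KiB, since an encrypted copy is close to uniformly random while a truncated or zeroed one is not. The sample headers are constructed, the entropy threshold is an assumption, and the directory walker is included so the same check can be run over a real collection tree.

```python
"""Triage recovered Outlook data files (.ost/.pst) before attempting import.

Added example, not Progent's tooling. An Outlook data file starts with the
MS-PST header: bytes 0-3 are "!BDN" and bytes 8-9 (wMagicClient) are "SM".
A copy that ransomware encrypted fails the magic check and its bytes are
close to uniformly distributed, so the script also reports the Shannon
entropy of the first 4 KiB. The entropy threshold is an assumption.
"""
import hashlib
import math
import os
from collections import Counter

PST_MAGIC = b"!BDN"        # dwMagic, MS-PST HEADER
PST_MAGIC_CLIENT = b"SM"   # wMagicClient, MS-PST HEADER
SAMPLE_LEN = 4096
ENTROPY_SUSPECT = 7.5      # bits per byte; assumed cut-off for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_header(head: bytes) -> dict:
    """Classify a file from its leading bytes as intact, encrypted or damaged."""
    magic_ok = head[:4] == PST_MAGIC and head[8:10] == PST_MAGIC_CLIENT
    entropy = shannon_entropy(head[:SAMPLE_LEN])
    if magic_ok:
        verdict = "intact"
    elif entropy >= ENTROPY_SUSPECT:
        verdict = "encrypted"
    else:
        verdict = "damaged"
    return {"magic_ok": magic_ok, "entropy": round(entropy, 2), "verdict": verdict}


def triage_directory(root: str) -> dict:
    """Walk a tree and classify every .ost/.pst, including files that gained an
    extra extension during encryption (e.g. mailbox.ost.RYK). Returns {path: result}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            # any ".ost" or ".pst" component after the base name qualifies
            if not any(part in ("ost", "pst") for part in name.lower().split(".")[1:]):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results[path] = classify_header(fh.read(SAMPLE_LEN))
    return results


def build_samples() -> dict:
    """Constructed 4 KiB headers (not real mailboxes) covering the three verdicts."""
    intact = PST_MAGIC + b"\x00\x00\x00\x00" + PST_MAGIC_CLIENT   # magic, CRC, client magic
    intact += bytes(SAMPLE_LEN - len(intact))
    # deterministic pseudo-random bytes stand in for ciphertext
    encrypted = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                         for i in range(SAMPLE_LEN // 32))
    damaged = bytes(SAMPLE_LEN)                                   # zero-filled / truncated copy
    return {"intact": intact, "encrypted": encrypted, "damaged": damaged}


if __name__ == "__main__":
    for name, head in build_samples().items():
        print(name, classify_header(head))
```

A file classed as intact still needs to be opened with Outlook or a PST library to confirm the internal structures survived, and a recovered OST is only useful for the mailbox it was cached for; the check here simply stops the team wasting hours on copies that are ciphertext.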
"For the most part, the production line operation survived unscathed and we delivered all customer shipments."
Over the following month critical milestones in the restoration project were completed through close collaboration between Progent team members and the customer:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore Server with over four million historical emails was brought on-line and accessible to users.
- CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR), and inventory control functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Most of the desktop computers were operational.
"So much of what occurred in the early hours is mostly a haze for me, but we will not soon forget the urgency each and every one of you put in to help get our business back. I've trusted Progent for the past ten years, maybe more, and each time Progent has outperformed my expectations and delivered. This time was a Herculean accomplishment."
A potential business-killing disaster was avoided thanks to results-oriented experts, a wide range of technical expertise, and close collaboration. In hindsight, the intrusion described here could have been detected and prevented with current security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, well designed incident response procedures, offline backups, and disciplined patching. The reality, however, is that criminal cyber gangs, including state-sponsored groups from China, Russia, North Korea and elsewhere, are tireless and will keep attacking. If you are hit by ransomware, you can be confident that Progent's roster of experts has a proven track record in ransomware defense, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), I'm grateful that you allowed me to get some rest after we got over the first week. All of you made an impressive effort, and if anyone is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this ransomware incident report, see Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Baton Rouge a portfolio of remote monitoring and security evaluation services designed to help you minimize the threat from ransomware. These services use modern AI capabilities to detect new ransomware variants that get past traditional signature-based defenses.
For Baton Rouge 24x7x365 Ransomware Recovery Services, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses SentinelOne's next-generation behavior-based machine learning technology to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily get by legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to manage the complete threat lifecycle including protection, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Because most ransomware families delete shadow copies before they start encrypting, rollback only works if the endpoint agent protects its snapshots from tampering; verify this during deployment rather than assuming it. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and response to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge tools incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP deployment that addresses your organization's specific requirements and that allows you to prove compliance with government and industry information protection regulations. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent can also help your company install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has partnered with advanced backup/restore technology providers to produce ProSight Data Protection Services (DPS), a family of management outsourcing plans that deliver backup-as-a-service. ProSight DPS products automate and track your backup operations and enable non-disruptive backup and fast restoration of critical files/folders, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss resulting from hardware failures, natural disasters, fire, malware such as ransomware, human error, ill-intentioned insiders, or application glitches. Managed services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security vendors to deliver centralized management and world-class security for your inbound and outbound email. The layered structure of the Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to provide advanced defense against spam, viruses, denial of service attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and saves bandwidth and storage. Email Guard's on-premises security gateway provides a deeper level of analysis for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server in monitoring and safeguarding internal email traffic that stays within your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, monitor, reconfigure and troubleshoot their networking hardware like routers, firewalls, and access points plus servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are kept current, copies and displays the configuration of almost all devices on your network, tracks performance, and generates notices when issues are detected. By automating tedious network management processes, WAN Watch can knock hours off common chores such as network mapping, expanding your network, locating devices that need critical updates, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system operating at peak levels by tracking the health of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your specified IT management personnel and your Progent engineering consultant so all potential issues can be resolved before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved easily to an alternate hardware environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard information about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL/TLS certificates, domains or warranties. By updating and managing your network documentation, you can save as much as half of the time spent looking for critical information about your network. ProSight IT Asset Management provides a centralized location for holding and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require when you need it. Find out more about ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that uses next-generation behavior-based analysis tools to guard endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus products. Progent ASM services protect on-premises and cloud-based resources and provide a single platform to manage the entire malware attack lifecycle including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Call Center: Call Center Managed Services
Progent's Help Desk managed services enable your information technology group to outsource Help Desk services to Progent or divide responsibilities for support services transparently between your in-house network support team and Progent's nationwide pool of certified IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent supplement to your internal IT support group. User interaction with the Help Desk, provision of support services, escalation, trouble ticket creation and updates, efficiency metrics, and management of the service database are cohesive regardless of whether incidents are taken care of by your core network support staff, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/co-managed Help Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer organizations of any size a flexible and affordable alternative for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic IT system. In addition to maximizing the protection and functionality of your IT environment, Progent's patch management services free up time for your in-house IT staff to focus on line-of-business projects and activities that deliver maximum business value from your information network. Find out more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication. Duo enables one-tap identity confirmation on iOS, Android, and other out-of-band devices. With 2FA, whenever you log into a secured application and give your password you are asked to confirm your identity via a device that only you have and that is reached over a separate network channel. A broad selection of devices can serve as this added form of identity validation, including an iPhone, Android phone or smartwatch, a hardware or software token, a landline telephone, etc. You can designate multiple verification devices. For more information about ProSight Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing line of real-time and in-depth management reporting plug-ins created to work with the industry's top ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues like spotty support follow-up or endpoints with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.