Ransomware : Your Worst Information Technology Catastrophe
Ransomware has become a too-frequent cyber pandemic that presents an extinction-level threat for businesses of all sizes unprepared for an assault. Different iterations of crypto-ransomware like the CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been replicating for many years and still cause havoc. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as daily unnamed viruses, not only do encryption of online data files but also infect many available system backups. Information synchronized to cloud environments can also be ransomed. In a poorly designed data protection solution, this can make automated restoration hopeless and effectively knocks the datacenter back to square one.
Restoring applications and data after a ransomware intrusion becomes a sprint against time as the victim struggles to contain the damage, clear the virus, and restore enterprise-critical operations. Because crypto-ransomware takes time to replicate, assaults are often sprung during nights and weekends, when attacks typically take more time to uncover. This multiplies the difficulty of quickly mobilizing and coordinating a qualified mitigation team.
Progent has a range of services for protecting businesses from crypto-ransomware events. Among these are team training to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of next-generation security solutions with artificial intelligence technology from SentinelOne to identify and extinguish zero-day cyber threats quickly. Progent in addition can provide the assistance of experienced ransomware recovery professionals with the skills and perseverance to restore a breached network as urgently as possible.
Progent's Ransomware Restoration Support Services
Following a crypto-ransomware attack, even paying the ransom in cryptocurrency does not ensure that cyber criminals will provide the keys to decrypt all your files. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms are commonly a few hundred thousand dollars. For larger enterprises, the ransom can be in the millions. The other path is to setup from scratch the mission-critical parts of your Information Technology environment. Absent access to complete data backups, this calls for a broad range of IT skills, top notch team management, and the capability to work non-stop until the recovery project is done.
For decades, Progent has offered certified expert IT services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained advanced certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0. (See Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of expertise provides Progent the skills to knowledgably determine necessary systems and organize the surviving parts of your computer network system following a crypto-ransomware event and rebuild them into a functioning network.
Progent's ransomware team utilizes powerful project management systems to orchestrate the complex restoration process. Progent understands the urgency of working swiftly and together with a customer's management and IT resources to prioritize tasks and to get critical systems back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Incident Response
A client hired Progent after their company was crashed by the Ryuk ransomware. Ryuk is generally considered to have been deployed by Northern Korean government sponsored hackers, suspected of adopting approaches leaked from America's NSA organization. Ryuk attacks specific businesses with little room for operational disruption and is among the most profitable examples of ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in Chicago and has about 500 workers. The Ryuk attack had disabled all essential operations and manufacturing processes. Most of the client's system backups had been on-line at the start of the intrusion and were damaged. The client was evaluating paying the ransom demand (more than $200,000) and praying for good luck, but ultimately made the decision to use Progent.
"I cannot thank you enough about the support Progent provided us during the most critical time of (our) businesses existence. We had little choice but to pay the hackers behind this attack if it wasn't for the confidence the Progent team afforded us. The fact that you could get our e-mail system and production applications back on-line quicker than five days was incredible. Each staff member I talked with or messaged at Progent was urgently focused on getting us operational and was working at all hours on our behalf."
Progent worked together with the customer to quickly assess and prioritize the most important systems that needed to be addressed to make it possible to restart departmental operations:
- Microsoft Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To get going, Progent followed Anti-virus penetration mitigation industry best practices by stopping lateral movement and cleaning up infected systems. Progent then initiated the process of restoring Microsoft AD, the key technology of enterprise systems built on Microsoft Windows Server technology. Exchange email will not function without Windows AD, and the businesses' MRP software used Microsoft SQL, which needs Windows AD for access to the database.
In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then helped perform reinstallations and storage recovery on critical servers. All Exchange ties and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to find non-encrypted OST files (Outlook Email Offline Data Files) on staff PCs and laptops to recover email messages. A not too old off-line backup of the businesses accounting/ERP systems made it possible to recover these required applications back on-line. Although significant work needed to be completed to recover fully from the Ryuk virus, essential services were returned to operations quickly:
"For the most part, the manufacturing operation showed little impact and we made all customer deliverables."
Throughout the next month important milestones in the restoration process were made in close collaboration between Progent consultants and the client:
- Internal web applications were brought back up with no loss of information.
- The MailStore Microsoft Exchange Server containing more than 4 million historical messages was restored to operations and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory Control capabilities were fully operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Ninety percent of the desktops and laptops were functioning as before the incident.
"Much of what went on in the initial days is nearly entirely a haze for me, but I will not soon forget the care each and every one of the team put in to help get our business back. I have entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was a stunning achievement."
Conclusion
A likely business extinction catastrophe was evaded with hard-working experts, a wide range of subject matter expertise, and tight teamwork. Although in hindsight the ransomware attack described here could have been prevented with modern security technology solutions and NIST Cybersecurity Framework best practices, team training, and appropriate security procedures for backup and applying software patches, the fact remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, feel confident that Progent's roster of professionals has substantial experience in ransomware virus defense, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for allowing me to get rested after we made it through the first week. All of you did an incredible job, and if any of your team is in the Chicago area, dinner is my treat!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Stamford a range of remote monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services incorporate modern AI technology to detect zero-day variants of ransomware that can get past legacy signature-based security products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's next generation behavior-based analysis tools to guard physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which easily evade traditional signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to address the entire threat progression including filtering, identification, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer ultra-affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device control, and web filtering via cutting-edge tools packaged within one agent managed from a single console. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP deployment that meets your organization's unique needs and that helps you demonstrate compliance with government and industry data security regulations. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent attention. Progent's consultants can also help you to install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has worked with leading backup software providers to create ProSight Data Protection Services (DPS), a family of subscription-based offerings that provide backup-as-a-service. ProSight DPS products manage and track your backup processes and enable non-disruptive backup and fast restoration of critical files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss caused by hardware failures, natural disasters, fire, cyber attacks like ransomware, human error, malicious insiders, or application glitches. Managed services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security companies to provide centralized management and comprehensive security for your inbound and outbound email. The hybrid structure of Email Guard combines a Cloud Protection Layer with a local security gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from making it to your security perimeter. This decreases your vulnerability to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper layer of inspection for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to diagram, track, reconfigure and troubleshoot their connectivity hardware such as switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and displays the configuration of virtually all devices connected to your network, monitors performance, and generates notices when issues are discovered. By automating tedious network management activities, ProSight WAN Watch can knock hours off ordinary tasks such as network mapping, reconfiguring your network, locating appliances that need important updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by tracking the state of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT management personnel and your Progent consultant so any potential issues can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect information related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs or domains. By updating and managing your IT documentation, you can save up to 50% of time wasted looking for vital information about your network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require when you need it. Find out more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior-based machine learning technology to defend endpoint devices as well as physical and virtual servers against modern malware assaults such as ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provides a unified platform to manage the entire threat lifecycle including protection, identification, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Help Center: Call Center Managed Services
Progent's Call Desk services permit your information technology staff to offload Support Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your in-house network support staff and Progent's extensive roster of IT support engineers and subject matter experts. Progent's Co-managed Service Desk provides a transparent supplement to your in-house IT support group. User access to the Service Desk, delivery of technical assistance, problem escalation, ticket generation and updates, efficiency measurement, and management of the support database are consistent regardless of whether incidents are taken care of by your core support resources, by Progent, or both. Read more about Progent's outsourced/shared Help Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management provide organizations of any size a flexible and affordable solution for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information system. Besides optimizing the security and functionality of your computer environment, Progent's software/firmware update management services permit your IT team to focus on line-of-business initiatives and activities that deliver the highest business value from your information network. Find out more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation on Apple iOS, Android, and other personal devices. With 2FA, whenever you log into a secured application and enter your password you are asked to verify who you are on a unit that only you have and that is accessed using a different ("out-of-band") network channel. A wide range of devices can be utilized as this added means of authentication such as a smartphone or watch, a hardware token, a landline phone, etc. You may designate multiple validation devices. For more information about ProSight Duo two-factor identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of real-time management reporting plug-ins created to work with the top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues such as inconsistent support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24x7x365 Stamford Ransomware Removal Consulting, call Progent at 800-462-8800 or go to Contact Progent.