Ransomware : Your Feared IT Catastrophe
Ransomware has become an all-too-frequent cyberplague that represents an existential danger for businesses vulnerable to an attack. Multiple generations of ransomware such as CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for many years and still cause destruction. Recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, plus frequent unnamed newcomers, not only encrypt on-line data but also attack many configured system restore points and backups. Files replicated to off-site disaster recovery sites can also be ransomed. In a poorly designed data protection solution, this can render automated restore operations useless and effectively knock the network back to square one.
Recovering services and data following a ransomware outage becomes a race against time as the targeted organization tries its best to stop the spread, clear the crypto-ransomware, and restore business-critical activity. Since ransomware needs time to move laterally, attacks are frequently launched during nights and weekends, when intrusions often take longer to detect. This compounds the difficulty of promptly mobilizing and coordinating a capable response team.
Progent offers an assortment of solutions for securing organizations from ransomware penetrations. Among these are team education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security gateways with AI technology from SentinelOne to detect and quarantine new threats automatically. Progent also provides the services of seasoned ransomware recovery consultants with the skills and commitment to reconstruct a compromised environment as soon as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the attackers will respond with the keys to decrypt all your data. Kaspersky estimated that 17% of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms are commonly a few hundred thousand dollars. For larger organizations, the ransom can be in the millions. The other path is to rebuild the mission-critical components of your IT environment. Without complete data backups, this requires a wide complement of skill sets, well-coordinated team management, and the willingness to work continuously until the recovery project is complete.
For twenty years, Progent has offered certified expert IT services for companies across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of experience gives Progent the skills to rapidly identify the systems that must be recovered, reorganize the surviving components of your network environment following a ransomware event, and reassemble them into a functioning network.
Progent's recovery team of experts utilizes powerful project management applications to coordinate the sophisticated restoration process. Progent understands the urgency of working swiftly and in concert with a customer's management and IT staff to assign priority to tasks and to put essential applications back on-line as soon as humanly possible.
Client Case Study: A Successful Ransomware Penetration Response
A customer engaged Progent after their company was taken over by the Ryuk ransomware virus. Ryuk is generally considered to have been developed by North Korean state-sponsored criminal gangs, possibly adopting algorithms leaked from the U.S. National Security Agency. Ryuk targets specific businesses with limited tolerance for operational disruption and is among the most lucrative incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in Chicago with about 500 employees. The Ryuk intrusion had brought down all company operations and manufacturing processes. The majority of the client's system backups had been directly accessible from the network at the start of the attack and were destroyed. The client was evaluating paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.
"I cannot tell you enough in regards to the care Progent gave us during the most critical time of (our) business's existence. We may have had to pay the cyber criminals if not for the confidence the Progent team afforded us. The fact that you could get our e-mail and essential applications back online faster than a week was incredible. Each expert I interacted with or e-mailed at Progent was laser focused on getting my company operational and was working all day and night to bail us out."
Progent worked hand in hand with the client to rapidly identify and prioritize the key areas that had to be recovered in order to resume departmental operations:
- Microsoft Active Directory
- Microsoft Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed anti-malware incident response best practices by isolating and cleaning infected systems. Progent then started the task of recovering Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server messaging will not work without Windows AD, and the business's accounting and MRP system ran on Microsoft SQL Server, which relies on Active Directory to authenticate access to the database.
In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then completed reinstallations and hard drive recovery on the most important servers. All Microsoft Exchange Server links and configuration information were intact, which greatly helped the Exchange restore. Progent was also able to find local OST data files (Microsoft Outlook Offline Data Files) on various PCs to recover mail data. A recent offline backup of the customer's accounting software made it possible to bring these vital applications back online for users. Although a large amount of work remained to recover completely from the Ryuk damage, essential systems were restored rapidly:
"For the most part, the manufacturing operation survived unscathed and we produced all customer shipments."
Throughout the next couple of weeks important milestones in the restoration process were completed through close cooperation between Progent team members and the customer:
- In-house web sites were returned to operation without losing any information.
- The MailStore Exchange archive server containing more than four million historical emails was returned to operation and made available to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control functions were fully functional.
- A new Palo Alto 850 firewall was installed and configured.
- Ninety percent of the desktop computers were operational.
"Much of what happened that first week is nearly entirely a haze for me, but we will not soon forget the commitment each of the team accomplished to help get our company back. I've been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was no exception but maybe more Herculean."
Conclusion
A likely business-ending catastrophe was avoided thanks to results-oriented professionals, a wide range of knowledge, and tight teamwork. Although, in hindsight, the crypto-ransomware incident described here could have been prevented with advanced cyber security technology and recognized best practices, staff education, well thought out procedures for data backup, and proper patching controls, the fact remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware virus, remember that Progent's team of professionals has proven experience in ransomware defense, remediation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for allowing me to get some sleep after we made it past the initial push. Everyone did an amazing job, and if any of your team is in the Chicago area, dinner is on me!"
To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Stamford a range of online monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services include next-generation machine learning capability to uncover new strains of crypto-ransomware that can escape detection by legacy signature-based anti-virus products.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to help keep your IT system running at peak levels by checking the state of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT staff and your Progent consultant so that all potential problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Desktops
ProSight LAN Watch with NinjaOne RMM software delivers a unified, cloud-based solution for monitoring and managing your network, server, and desktop devices by offering an environment for performing common time-consuming tasks. These can include health checking, patch management, automated remediation, endpoint configuration, backup and recovery, anti-virus response, remote access, standard and custom scripts, resource inventory, endpoint status reports, and troubleshooting support. If ProSight LAN Watch with NinjaOne RMM spots a serious problem, it sends an alert to your designated IT personnel and your Progent technical consultant so emerging issues can be taken care of before they interfere with productivity. Find out more details about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring consulting.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map out, track, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers as well as servers, endpoints and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that network diagrams are always updated, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates notices when potential issues are detected. By automating time-consuming management processes, ProSight WAN Watch can cut hours off common tasks like network mapping, expanding your network, finding devices that need important software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of in-depth management reporting utilities designed to integrate with the top ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like spotty support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with leading backup software companies to produce ProSight Data Protection Services (DPS), a portfolio of management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and track your backup operations and enable non-disruptive backup and fast restoration of important files, apps, images, and VMs. ProSight DPS lets you protect against data loss caused by equipment breakdown, natural disasters, fire, cyber attacks like ransomware, user mistakes, ill-intentioned employees, or application bugs. Managed services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these fully managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security companies to deliver centralized management and world-class protection for your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your vulnerability to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further level of analysis for inbound email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA managed services utilize Cisco's Duo technology to defend against password theft through the use of two-factor authentication. Duo enables single-tap identity verification with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected application and enter your password, you are asked to verify your identity on a device that only you possess and that is reached over a separate network channel. A broad selection of out-of-band devices can be used for this added means of identity validation, such as an iPhone, Android phone or wearable, a hardware or software token, or a landline phone. You can register several validation devices. For more information about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services.
- Outsourced/Co-managed Call Center: Call Center Managed Services
Progent's Support Desk managed services permit your information technology group to offload Help Desk services to Progent or split responsibilities for Help Desk services transparently between your in-house network support resources and Progent's nationwide pool of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a smooth extension of your core network support staff. User interaction with the Help Desk, provision of support, issue escalation, trouble ticket generation and updates, efficiency measurement, and maintenance of the support database are consistent whether incidents are taken care of by your corporate network support organization, by Progent, or a mix of the two. Learn more about Progent's outsourced/shared Help Desk services.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes next-generation behavior-based machine learning tools to guard endpoint devices, servers, and VMs against modern malware attacks like ransomware and email phishing, which routinely escape legacy signature-matching AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provide a single platform to automate the entire threat progression including protection, identification, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against new threats. Find out more about Progent's ransomware defense and recovery services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect data related to your network infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or domains. By keeping your IT documentation current and well managed, you can save up to half the time spent trying to find vital information about your network. ProSight IT Asset Management features a common repository for storing and sharing all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management provide organizations of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT network. In addition to maximizing the protection and reliability of your IT network, Progent's patch management services permit your IT staff to focus on line-of-business projects and tasks that derive maximum business value from your information network. Read more about Progent's software/firmware update management services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hosting environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to automate the complete malware attack progression including blocking, detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP offers firewall protection, intrusion alarms, device management, and web filtering through leading-edge tools packaged within one agent accessible from a unified control. Progent's security and virtualization experts can help you to plan and implement a ProSight ESP deployment that addresses your company's specific requirements and that helps you achieve and demonstrate compliance with government and industry data protection regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also assist your company to install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
For 24x7 Stamford Crypto-Ransomware Recovery Services, reach out to Progent at 800-462-8800 or go to Contact Progent.