Crypto-Ransomware : Your Worst IT Catastrophe
Crypto-Ransomware has become an all-too-frequent cyber pandemic that poses an extinction-level threat to businesses of any size that are poorly prepared for an attack. Ransomware families such as CrySIS, Fusob, Locky, NotPetya and the MongoLock cryptoworms have been in the wild for years and continue to cause harm. More recent variants like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with additional as-yet-unnamed malware, not only encrypt online critical data but also infect any reachable system backups. Information replicated to cloud environments can also be ransomed. In a vulnerable system, this can render automated restore operations impossible and effectively knocks the network back to zero.
Restoring services and information after a ransomware attack becomes a sprint against the clock as the targeted organization fights to contain the damage, clean up the crypto-ransomware, and restore business-critical activity. Because ransomware needs time to spread, attacks are usually launched at night or on weekends, when a successful intrusion is likely to take longer to recognize. This compounds the difficulty of promptly assembling and coordinating a qualified response team.
Progent provides an assortment of support services for protecting organizations from ransomware events. These include staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security gateways with artificial intelligence capabilities from SentinelOne to identify and extinguish zero-day threats automatically. Progent also offers the services of expert crypto-ransomware recovery engineers with the skills and commitment to redeploy a compromised system as urgently as possible.
Progent's Ransomware Restoration Services
After a ransomware intrusion, even paying the ransom in cryptocurrency does not ensure that the remote criminals will provide the keys to decrypt any of your data. Kaspersky determined that seventeen percent of crypto-ransomware victims never recovered their information after sending off the ransom, resulting in increased losses. Paying is also very costly. Ryuk ransoms are commonly a few hundred thousand dollars. For larger enterprises, the ransom can run to millions of dollars. The fallback is to set up the vital components of your IT environment from scratch. Without complete data backups, this requires a broad range of IT skills, professional team management, and the capability to work 24x7 until the recovery project is completed.
For two decades, Progent has provided certified expert IT services for companies across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold high-level certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (See Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of experience gives Progent the skills to rapidly identify critical systems, reorganize the remaining pieces of your IT environment following a ransomware attack, and rebuild them into an operational system.
Progent's ransomware team of experts uses top-notch project management tools to coordinate the complicated restoration process. Progent understands the urgency of acting rapidly and in concert with a customer's management and IT resources to prioritize tasks and to get essential systems back online as soon as humanly possible.
Customer Story: A Successful Ransomware Virus Restoration
A client contacted Progent after their network was brought down by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored cybercriminals, suspected of adopting algorithms leaked from America's NSA. Ryuk goes after specific organizations with limited tolerance for disruption and is one of the most lucrative incarnations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with about 500 staff members. The Ryuk attack had paralyzed all company operations and manufacturing capabilities. The majority of the client's data backups had been online at the time of the attack and were encrypted. The client was preparing to pay the ransom (in excess of $200K) and hoping for the best, but in the end reached out to Progent.
"I can't tell you enough in regards to the care Progent provided us throughout the most stressful period of (our) business's survival. We most likely would have paid the cybercriminals except for the confidence the Progent group gave us. That you could get our messaging and critical applications back sooner than seven days was beyond my wildest dreams. Every single expert I talked with or e-mailed at Progent was totally committed to getting us back online and was working at a breakneck pace to bail us out."
Progent worked hand in hand with the customer to rapidly identify and prioritize the key services that had to be addressed to make it possible to continue company functions:
- Windows Active Directory
- Exchange Server
- Accounting/MRP
To begin, Progent followed malware containment best practices by halting lateral movement and cleaning infected systems. Progent then started the process of rebuilding Microsoft Active Directory, the foundation of enterprise environments built on Windows Server. Exchange email will not work without Active Directory, and the client's MRP system used Microsoft SQL Server, which requires Active Directory for access to its data.
In less than 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed reinstallations and storage recovery of the needed applications. All Exchange Server links and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to find local OST files (Outlook Offline Data Files) on team workstations and laptops to recover email data. A recent offline backup of the business's accounting/ERP software made it possible to bring these essential applications back into service. Although significant work remained to recover completely from the Ryuk virus, critical services were restored rapidly:
"For the most part, the assembly line operation showed little impact and we delivered all customer deliverables."
Over the following few weeks, key milestones in the recovery process were completed through tight collaboration between Progent consultants and the client:
- Self-hosted web sites were restored without losing any data.
- The MailStore Server with over four million historical messages was restored to operations and available for users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivable (AR)/Inventory Control modules were completely restored.
- A new Palo Alto 850 security appliance was set up.
- Nearly all of the user desktops were back into operation.
"So much of what was accomplished in the early hours is nearly entirely a blur for me, but I will not soon forget the commitment all of your team accomplished to help get our company back. I've been working with Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered. This time was a life saver."
Conclusion
A possible company-ending disaster was averted thanks to top-tier professionals, a broad spectrum of subject matter expertise, and close collaboration. Post-incident forensics showed that the ransomware incident detailed here would have been identified and disabled by current security solutions, NIST Cybersecurity Framework best practices, staff training, and well-thought-out incident response procedures for data backup and proper patching controls; nevertheless, the fact is that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware attack, you can be confident that Progent's team of professionals has a proven track record in crypto-ransomware defense, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for letting me get rested after we made it over the first week. All of you did an incredible job, and if any of your guys is around the Chicago area, dinner is on me!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Skokie a range of remote monitoring and security evaluation services designed to help you minimize your vulnerability to ransomware. These services utilize next-generation AI capability to uncover new variants of ransomware that can evade legacy signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's cutting-edge behavior analysis technology to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely evade legacy signature-matching AV products. ProSight ASM protects local and cloud resources and provides a unified platform to address the complete malware attack progression, including protection, detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection services deliver economical multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and response to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through cutting-edge technologies packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP environment that addresses your organization's specific needs and allows you to demonstrate compliance with legal and industry information security regulations. Progent will assist you in specifying and implementing the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent's consultants can also help you install and test a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has worked with advanced backup/restore software providers to produce ProSight Data Protection Services, a family of subscription-based managed offerings that provide backup-as-a-service. ProSight DPS services automate and monitor your data backup processes and allow transparent backup and rapid recovery of important files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you recover from data loss caused by hardware failure, natural disasters, fire, cyber attacks such as ransomware, user mistakes, malicious employees, or application bugs. Managed backup services in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you determine which of these fully managed backup services is most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security companies to provide centralized control and world-class protection for all your email traffic. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne malware. The cloud filter serves as a first line of defense and keeps most threats from reaching your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises gateway device provides a deeper level of analysis for incoming email. For outgoing email, the local gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server in tracking and safeguarding internal email traffic that originates and ends within your corporate firewall. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to diagram, monitor, optimize and troubleshoot their connectivity hardware, such as switches, firewalls, and load balancers, as well as servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are always up to date, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and sends notices when problems are detected. By automating tedious management processes, ProSight WAN Watch can cut hours off common chores like network mapping, expanding your network, finding appliances that need critical software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by checking the state of the vital computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT staff and your assigned Progent engineering consultant so that looming issues can be addressed before they disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected, fault-tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be moved immediately to a different hosting environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect data about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domain registrations. By updating and organizing your IT infrastructure documentation, you can eliminate as much as half of the time spent searching for critical information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Find out more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes next-generation behavior-based machine learning technology to guard endpoints as well as physical and virtual servers against modern malware attacks such as ransomware and email phishing, which easily evade traditional signature-based anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and provide a single platform to address the complete malware attack progression, including filtering, detection, containment, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Call Center: Support Desk Managed Services
Progent's Help Center services allow your IT staff to outsource Call Center services to Progent or to split Service Desk responsibilities transparently between your internal support team and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Shared Service Desk provides a transparent extension of your core support resources. Client interaction with the Help Desk, provision of support services, issue escalation, trouble ticket creation and tracking, efficiency metrics, and management of the service database are cohesive regardless of whether issues are resolved by your in-house network support group, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Service Center services.
- Progent's Patch Management: Patch Management Services
Progent's patch management support services offer organizations of all sizes a flexible and affordable solution for assessing, validating, scheduling, implementing, and tracking updates to your dynamic IT network. Besides improving the security and reliability of your computer environment, Progent's software/firmware update management services free up time for your IT staff to concentrate on more strategic projects and tasks that deliver the highest business value from your information network. Find out more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo authentication managed services incorporate Cisco's Duo technology to protect against password theft by using two-factor authentication. Duo enables one-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected online account and enter your password, you are asked to verify your identity on a device that only you have and that is reached over a different network channel. A wide selection of devices can be used for this second form of authentication, such as a smartphone or watch, a hardware or software token, or a landline telephone. You can register several validation devices. For more information about Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding family of real-time management reporting plug-ins designed to work with leading ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and color coding to surface and contextualize critical issues such as inconsistent support follow-through or endpoints with out-of-date AV. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24x7 Skokie crypto-ransomware recovery services, reach out to Progent at 800-462-8800 or go to Contact Progent.