Ransomware: Your Worst IT Nightmare
Ransomware has become a too-frequent cyber pandemic that presents an extinction-level threat for businesses poorly prepared for an assault. Families such as CryptoLocker, Fusob, Locky, SamSam and MongoLock have been in the wild for years and continue to cause havoc. Newer crypto-ransomware variants like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Egregor, plus a daily stream of as-yet-unnamed strains, not only encrypt on-line data but also attack whatever recovery mechanisms they can reach: Volume Shadow Copies are deleted, backup catalogs are wiped, and any backup share or backup server that is writable from the compromised network is encrypted along with everything else. Data replicated to the cloud can be corrupted too, because replication faithfully copies the encrypted files. In a poorly architected environment this renders automated restore useless and effectively sets the entire environment back to zero.
Getting on-line services and data back after a ransomware outage becomes a race against the clock as the targeted business fights to contain the damage, eradicate the malware, and resume mission-critical activity. Because the operators need time to move laterally and stage the attack, encryption is usually triggered on a weekend or holiday, when fewer staff are watching and a successful attack takes longer to recognize. This multiplies the difficulty of rapidly mobilizing and orchestrating a qualified mitigation team.
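The attack on configured recovery mechanisms described above is the first thing a detection engineer should hunt for, because shadow-copy and backup-catalog deletion typically precedes mass encryption by minutes (MITRE ATT&CK T1490, Inhibit System Recovery). The following Python is an added example, not code from the original page or from Progent's products: it runs a handful of command-line rules over constructed process-creation records (Sysmon Event ID 1 / Security 4688 style; the hosts, users and timestamps are made up) and escalates a host to critical when two or more distinct recovery-inhibition techniques appear within a short window, since a lone vssadmin call may be legitimate administration but the combination is the signature of a ransomware pre-encryption script.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Windows process-creation events in the shape of
# Sysmon Event ID 1 / Security 4688 records. Illustrative only: these are
# not logs from the incident described on this page.
SAMPLE_EVENTS = [
    {"time": "2021-03-06T02:14:07Z", "host": "FILESRV01", "user": r"CORP\jdoe",
     "cmdline": "vssadmin list shadows"},                       # benign admin query
    {"time": "2021-03-06T02:41:10Z", "host": "FILESRV01", "user": r"CORP\jdoe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"time": "2021-03-06T02:41:11Z", "host": "FILESRV01", "user": r"CORP\jdoe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"time": "2021-03-06T02:41:12Z", "host": "FILESRV01", "user": r"CORP\jdoe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"time": "2021-03-06T02:41:13Z", "host": "FILESRV01", "user": r"CORP\jdoe",
     "cmdline": "wbadmin DELETE CATALOG -quiet"},
    {"time": "2021-03-06T09:00:00Z", "host": "BACKUP02", "user": r"CORP\svc_backup",
     "cmdline": r"wbadmin start backup -backupTarget:\\nas01\backups -include:C: -quiet"},  # benign
    {"time": "2021-03-06T09:30:00Z", "host": "WKS-044", "user": r"CORP\admin1",
     "cmdline": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
]

# Command-line patterns catalogued under ATT&CK T1490. Each rule names one
# distinct recovery-inhibition technique; case-insensitive because the
# Windows shell is.
RULES = [
    ("vssadmin shadow deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin shadow storage resize",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic shadow deletion",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin backup catalog deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit recovery disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit boot status policy",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("WMI ShadowCopy.Delete via PowerShell",
     re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I)),
]


def match_event(event):
    """Return the names of every rule whose pattern matches the command line."""
    cmd = event.get("cmdline", "")
    return [name for name, pattern in RULES if pattern.search(cmd)]


def _parse(ts):
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(events, burst_seconds=300):
    """Score process-creation events for recovery-inhibition behaviour, per host.

    A single hit is reported as 'suspicious' (an admin may legitimately run
    vssadmin). Two or more distinct techniques on the same host within
    burst_seconds of each other are reported as 'critical': that is the
    pattern of a pre-encryption script, not of routine administration.
    """
    hits_by_host = defaultdict(list)
    for ev in events:
        for technique in match_event(ev):
            hits_by_host[ev["host"]].append((_parse(ev["time"]), technique, ev["user"]))

    findings = {}
    for host, hits in hits_by_host.items():
        hits.sort()
        severity = "suspicious"
        for t0, _, _ in hits:
            window = {tech for t, tech, _ in hits
                      if abs((t - t0).total_seconds()) <= burst_seconds}
            if len(window) >= 2:
                severity = "critical"
                break
        findings[host] = {
            "severity": severity,
            "techniques": sorted({tech for _, tech, _ in hits}),
            "users": sorted({user for _, _, user in hits}),
            "hits": len(hits),
        }
    return findings


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['severity']} ({finding['hits']} hits) "
              f"by {', '.join(finding['users'])}: {', '.join(finding['techniques'])}")
```

In production the records would come from a SIEM query or a Sysmon forwarder, and a critical finding should trigger host isolation at the EDR or switch port rather than a ticket for Monday morning. The benign `vssadmin list shadows` and `wbadmin start backup` records are included to show that the rules do not fire on routine backup administration.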
Progent makes available an assortment of support services for securing enterprises against ransomware attacks. These include training staff to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of modern endpoint protection built on SentinelOne's machine-learning technology to detect and disable zero-day attacks quickly. Progent also provides the assistance of veteran ransomware recovery engineers with the skills and commitment to restore a breached system as urgently as possible.
Progent's Crypto-Ransomware Recovery Support Services
Following a ransomware event, paying the ransom in cryptocurrency does not guarantee that the attackers will hand over the keys to decrypt all your files. A Kaspersky survey found that 17% of crypto-ransomware victims who paid never recovered their data, compounding their losses. The gamble is also expensive: Ryuk ransoms are often a few hundred thousand dollars, and for larger enterprises the demand can reach millions. The other path is to piece the vital elements of your IT environment back together. Without access to complete, uncompromised backups, this calls for a wide complement of IT skills, professional project management, and the willingness to work 24x7 until the job is done.
For decades, Progent has provided certified expert IT services for companies throughout the United States and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have earned top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0 (refer to Progent's certifications). Progent also has experience with accounting and ERP software. This breadth of experience gives Progent the skills to quickly identify critical systems, consolidate the surviving pieces of your IT environment after a crypto-ransomware event, and rebuild them into an operational system.
Progent's security team uses best-of-breed project management tools to coordinate the complex recovery process. Progent understands the importance of acting swiftly and in unison with a customer's management and IT staff to prioritize tasks and get essential services back online as soon as humanly possible.
Case Study: A Successful Recovery from a Crypto-Ransomware Attack
A manufacturing company contacted Progent after its network was brought down by the Ryuk ransomware. Ryuk was initially linked to North Korea because it shares code with the earlier Hermes ransomware, but most researchers now attribute it to Russian-speaking criminal groups. Ryuk targets specific organizations with limited tolerance for operational disruption and is one of the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business based in the Chicago metro area with around 500 employees. The Ryuk event had frozen all essential business operations and manufacturing capabilities. Most of the client's backups were online and reachable from the compromised network at the start of the attack, and they were eventually encrypted too. The client considered paying the ransom (more than $200,000) and hoping for the best, but in the end brought in Progent.
"I can't thank you enough for the support Progent gave us throughout the most critical time of (our) business's existence. We most likely would have paid the cybercriminals if not for the confidence the Progent experts provided us. That you were able to get our e-mail system and key servers back on-line in less than five days was beyond my wildest dreams. Every single staff member I got help from or messaged at Progent was absolutely committed to getting us back on-line and was working day and night to bail us out."
Progent worked with the customer to rapidly identify and prioritize the key systems that had to be recovered before departmental operations could resume:
- Microsoft Active Directory
- Microsoft Exchange Email
- Accounting/MRP
Progent first followed standard malware incident-response practice: isolate the affected systems from the network, then eradicate the malware before restoring anything, so that recovered systems are not immediately re-encrypted. Progent then started recovering Active Directory, the foundation of enterprise systems built on Microsoft Windows Server. Microsoft Exchange will not operate without Active Directory, and the client's accounting and MRP system ran on Microsoft SQL Server, which relied on Active Directory (Windows authentication) to control access to the data.
Within two days, Progent restored Active Directory to its pre-attack state. Progent then pressed ahead with rebuilding critical servers and recovering data from their drives. The Exchange configuration and its Active Directory ties were intact, which accelerated the Exchange restore. Progent was also able to collect intact OST files (Outlook offline folder files) from user workstations and laptops to recover mailbox data. A recent offline backup of the client's manufacturing systems, which the ransomware could not reach, made it possible to bring those essential applications back online. Although a great deal of work remained to recover fully from Ryuk, the core systems were restored rapidly:
"For the most part, the production operation ran fairly normally throughout and we delivered all customer shipments."
Over the next few weeks, critical milestones in the recovery project were reached in close collaboration between Progent staff and the client:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore email archive for Microsoft Exchange Server, holding over four million historical messages, was brought online and made accessible to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable, and inventory functions were 100 percent operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- Ninety percent of user desktops were operational.
"A lot of what happened that first week is mostly a fog for me, but I will not forget the urgency all of your team accomplished to give us our company back. I've trusted Progent for at least 10 years, maybe more, and each time Progent has come through and delivered as promised. This time was no exception but maybe more Herculean."
Conclusion
A possible enterprise-killing catastrophe was averted with top-tier experts, a wide spectrum of technical expertise, and tight collaboration. The post-incident review concluded that this attack would have been identified and blocked with current security technology and best practices: staff training, well-designed backup procedures that keep at least one copy offline or otherwise unreachable from the production network, and keeping systems current with security patches. Still, the fact remains that well-funded cybercriminals, state-sponsored and otherwise, operating from Russia, China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to crypto-ransomware, you can be confident that Progent's team has substantial experience in ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for making it so I could get some sleep after we made it through the initial fire. Everyone made a fabulous effort, and if any of your guys are in the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Fargo a range of online monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services utilize modern artificial intelligence capability to detect zero-day variants of crypto-ransomware that are able to escape detection by traditional signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based analysis tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which easily get by traditional signature-based AV products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to address the entire threat progression including protection, detection, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization consultants can help your business plan and configure a ProSight ESP environment that addresses your organization's unique requirements and helps you demonstrate compliance with legal and industry data protection standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent's consultants can also help your company install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has worked with advanced backup technology providers to create ProSight Data Protection Services (DPS), a family of subscription-based offerings that deliver backup-as-a-service. ProSight DPS products manage and track your data backup operations and enable transparent backup and fast restoration of critical files/folders, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or software glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these fully managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security vendors to deliver centralized management and comprehensive protection for your email traffic. The hybrid architecture of the Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to offer advanced protection against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a first line of defense and blocks most threats before they reach your network firewall. This decreases your exposure to inbound threats and saves network bandwidth and storage. Email Guard's onsite gateway appliance adds a further level of inspection for incoming email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server track and safeguard internal email traffic that stays within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map, monitor, optimize and troubleshoot their networking appliances like routers and switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that network diagrams are always current, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when issues are detected. By automating tedious management activities, ProSight WAN Watch can cut hours off common tasks like making network diagrams, expanding your network, finding devices that need important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your network running at peak levels by checking the health of critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT staff and your assigned Progent consultant so all potential issues can be resolved before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be moved easily to a different hosting environment without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and safeguard information related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save up to 50% of the time wasted hunting for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates next-generation behavior analysis technology to guard endpoints, servers and VMs against modern malware assaults like ransomware and file-less exploits, which easily get by traditional signature-based anti-virus products. The service protects local and cloud-based resources and offers a unified platform to address the complete malware attack progression including blocking, detection, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
Progent's Service Desk offerings enable your IT team to offload Help Desk services to Progent or to divide Help Desk responsibilities seamlessly between your internal network support team and Progent's extensive roster of IT service engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a transparent supplement to your corporate network support staff. End user access to the Help Desk, delivery of technical assistance, escalation, trouble ticket creation and updates, efficiency metrics, and maintenance of the support database are cohesive regardless of whether incidents are resolved by your corporate IT support group, by Progent's team, or both. Find out more about Progent's outsourced/shared Service Desk services.
- Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management provide businesses of any size a versatile and cost-effective solution for assessing, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information network. In addition to optimizing the protection and reliability of your computer environment, Progent's software/firmware update management services allow your IT staff to focus on more strategic projects and activities that derive maximum business value from your information network. Learn more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication services utilize Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo supports one-tap identity confirmation on iOS, Android, and other out-of-band devices. With 2FA, when you sign into a secured online account and enter your password you are asked to confirm who you are on a device that only you have and that is accessed using a different network channel. A wide range of devices can be used as this second form of authentication including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You can register several verification devices. For more information about ProSight Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing family of real-time and in-depth reporting utilities designed to integrate with the industry's leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues like spotty support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24/7/365 Fargo Crypto-Ransomware Recovery Experts, call Progent at 800-462-8800 or go to Contact Progent.