Ransomware : Your Worst IT Nightmare
Ransomware has become a frequent, enterprise-threatening event for organizations that have not prepared for it. Older families such as CrySIS, CryptoWall, Bad Rabbit and MongoLock have circulated for years and still do damage. Newer operations such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Nefilim, plus a steady stream of unnamed variants, do not just encrypt the data that is online: they also go after every backup and recovery mechanism reachable from the compromised network, including data replicated to off-site disaster recovery sites. In a poorly architected data protection design this leaves no clean copy to restore from, makes automated recovery hopeless, and effectively resets the whole environment to zero.
Restoring services and data after a ransomware attack is a race against the clock: the victim must contain the spread, remove the malware, and bring business-critical systems back, all at the same time. Because lateral spread and encryption take time, attackers commonly trigger the payload at night or over a weekend, when staffing is thin and the attack takes longer to notice. That timing also makes it harder to assemble and coordinate an experienced response team quickly.
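The off-hours timing described above is something a SOC can turn into a detection rule: a host that renames files to a ransomware extension faster than any human would, at 2 AM on a Saturday, should page someone rather than wait for a Monday ticket. The following is an added example written for this page, not Progent's or any vendor's code. The log format, business hours, window, threshold and extension list are assumptions, and the sample events are constructed.

```python
"""Off-hours ransomware burst detector over constructed file-audit events.

Added example; not Progent's or any vendor's code. Log format, thresholds,
business hours and the extension list are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions some ransomware families append to encrypted files (assumed list).
SUSPICIOUS_EXTS = (".ryk", ".crysis", ".locked", ".encrypted")
BUSINESS_HOURS = (7, 19)        # 07:00-19:00, Monday to Friday (assumption)
WINDOW = timedelta(seconds=60)  # sliding window per host
THRESHOLD = 5                   # suspicious renames per window before alerting

# Constructed sample log, one event per line: timestamp,host,operation,path.
# 2020-03-13 is a Friday, 2020-03-14 a Saturday. Invented for this example.
SAMPLE_LOG = """\
2020-03-13T10:02:11,WS-017,RENAME,D:\\reports\\draft.docx->D:\\reports\\final.docx
2020-03-13T10:04:52,WS-017,WRITE,D:\\reports\\final.docx
2020-03-14T02:13:01,WS-044,RENAME,\\\\fs01\\eng\\bom.xlsx->\\\\fs01\\eng\\bom.xlsx.RYK
2020-03-14T02:13:02,WS-044,RENAME,\\\\fs01\\eng\\spec.pdf->\\\\fs01\\eng\\spec.pdf.RYK
2020-03-14T02:13:02,WS-044,RENAME,\\\\fs01\\eng\\drawing.dwg->\\\\fs01\\eng\\drawing.dwg.RYK
2020-03-14T02:13:03,WS-044,WRITE,\\\\fs01\\eng\\RyukReadMe.txt
2020-03-14T02:13:04,WS-044,RENAME,\\\\fs01\\eng\\notes.txt->\\\\fs01\\eng\\notes.txt.RYK
2020-03-14T02:13:05,WS-044,RENAME,\\\\fs01\\eng\\plan.pptx->\\\\fs01\\eng\\plan.pptx.RYK
2020-03-14T02:13:06,WS-044,RENAME,\\\\fs01\\eng\\budget.xlsx->\\\\fs01\\eng\\budget.xlsx.RYK
2020-03-14T02:20:00,WS-044,RENAME,\\\\fs01\\eng\\old.bak->\\\\fs01\\eng\\old.bak.RYK
"""


def parse_events(text):
    """Parse lines into (timestamp, host, operation, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, op, path = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), host, op, path))
    return events


def is_off_hours(ts):
    """True on weekends or outside BUSINESS_HOURS on a weekday."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def is_suspicious_rename(op, path):
    """A RENAME whose new name ends in a known ransomware extension."""
    if op != "RENAME" or "->" not in path:
        return False
    new_name = path.split("->", 1)[1].strip().lower()
    return new_name.endswith(SUSPICIOUS_EXTS)


def detect_bursts(events):
    """Sliding window per host: alert on >= THRESHOLD suspicious renames within WINDOW.

    Each alert records when the burst started and whether that was off-hours,
    so the responder sees both the speed of the rename storm and its timing.
    """
    per_host = defaultdict(list)
    for ts, host, op, path in sorted(events):
        if is_suspicious_rename(op, path):
            per_host[host].append(ts)

    alerts = []
    for host, times in per_host.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                alerts.append({
                    "host": host,
                    "first_seen": times[start].isoformat(),
                    "count": end - start + 1,
                    "off_hours": is_off_hours(times[start]),
                })
                break  # one alert per host is enough here
    return alerts


def run_example():
    """Run the detector over the constructed sample log."""
    return detect_bursts(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the sample data only WS-044 trips the rule: five `.RYK` renames inside five seconds, starting at 02:13:01 on a Saturday, so `off_hours` is true. WS-017's daytime rename to `.docx` is ignored. In production the extension list is the weakest part of the rule; pairing it with a burst of writes to unusual ransom-note file names, or with entropy checks on the new contents, catches families that keep the original extension.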
Progent provides a variety of services to protect organizations from ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for endpoint protection and remote management, and deployment of SentinelOne's AI-based endpoint protection agent to detect and quarantine zero-day attacks quickly. Progent also offers experienced ransomware recovery engineers with the skills and commitment to rebuild a compromised network as fast as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the attackers will deliver working keys for any or all of your files. Kaspersky Lab found that 17% of ransomware victims who paid never got their files back, compounding the loss. The gamble is also expensive: Ryuk demands commonly run to a few hundred thousand dollars, and for larger enterprises into the millions. The alternative is to rebuild the core of your IT environment from scratch. Without usable backups of essential data, that demands a broad range of skills, disciplined project management, and a team willing to work around the clock until the job is done.
For twenty years, Progent has provided certified IT services to companies across the United States and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts (SMEs) includes engineers with high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security consultants hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience lets Progent understand the systems involved, reassemble the surviving components of a network after a ransomware event, and bring them back as a working whole.
Progent's security team uses best-of-breed project management tools to coordinate a complex restoration. Progent understands the urgency of acting quickly and in concert with the client's management and IT staff to prioritize tasks and bring the most important systems back online first.
Customer Story: A Successful Ransomware Attack Restoration
A client engaged Progent after its business was brought down by the Ryuk ransomware. Ryuk was initially linked to North Korea because it shares code with the earlier Hermes ransomware, but it is now generally attributed to a financially motivated, Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for downtime and is one of the most lucrative ransomware families. Victims have included Data Resolution, a California-based data warehousing and cloud computing firm, and Tribune Publishing, whose papers include the Chicago Tribune. Progent's client is a small manufacturer headquartered in the Chicago area with around 500 employees. The Ryuk attack had halted all essential business and manufacturing operations. Most of the client's backups were online, reachable from the network, when the attack began, and were encrypted along with everything else. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but in the end engaged Progent instead.
"I cannot say enough in regards to the help Progent provided us during the most stressful period of (our) company's life. We would have paid the cyber criminals behind the attack except for the confidence the Progent team gave us. The fact that you could get our e-mail system and production applications back on-line sooner than seven days was amazing. Each consultant I got help from or communicated with at Progent was laser focused on getting us back online and was working 24/7 to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the essential components that had to be restored before business could resume:
- Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To begin, Progent followed incident response best practices: isolating affected hosts to stop lateral movement and cleaning compromised systems before anything was rebuilt. Progent then began recovering Active Directory, the foundation of any Microsoft-based enterprise environment. Microsoft Exchange will not run without AD, and the business's financial and MRP applications ran on Microsoft SQL Server, which relied on AD for authentication and authorization to the databases.
Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then reinstalled and recovered the disks of mission-critical servers. The Exchange schema extensions and attributes in AD were intact, which greatly simplified the Exchange rebuild. Progent located unencrypted OST files (Outlook Offline Data Files) on user PCs and used them to recover mailbox contents. A reasonably recent offline backup of the accounting system made it possible to bring those vital applications back. Although substantial work remained before recovery from the Ryuk event was complete, essential services were back in operation quickly:
"For the most part, the production operation showed little impact and we produced all customer shipments."
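Finding "non-encrypted OST files on user PCs", as the recovery above did, is mostly a triage problem: hundreds of workstations, and only some of the Outlook data files survived. The script below is an added example written for this page, not Progent's code. It separates OST/PST files that still carry the Outlook file signature from ones the encryptor renamed or overwrote. The `.RYK` extension is the one Ryuk appended; treat the list as an assumption to extend per incident, and the sample files are constructed in a temporary directory.

```python
"""Triage Outlook data files found on workstations after a ransomware event.

Added example; not Progent's code. It distinguishes OST/PST files that still
carry the Outlook signature from ones that were renamed or overwritten by the
encryptor, so the recovery team knows which mailboxes can be salvaged.
"""
import os
import tempfile

# Every Outlook OST/PST file begins with the 4-byte signature "!BDN".
OUTLOOK_MAGIC = b"!BDN"
OUTLOOK_EXTS = (".ost", ".pst")
# Extension Ryuk appends to files it encrypts; extend per incident (assumption).
RANSOM_EXTS = (".ryk",)


def classify_file(path):
    """Return 'intact', 'encrypted-renamed' or 'damaged' for one Outlook file."""
    low = path.lower()
    if low.endswith(RANSOM_EXTS):
        return "encrypted-renamed"   # ransomware renamed it; contents are gone
    with open(path, "rb") as fh:
        header = fh.read(len(OUTLOOK_MAGIC))
    if header == OUTLOOK_MAGIC:
        return "intact"              # signature present; worth attempting
    return "damaged"                 # encrypted in place, truncated or zeroed


def is_outlook_candidate(filename):
    """Match plain .ost/.pst names and renamed ones like mailbox.ost.RYK."""
    low = filename.lower()
    if low.endswith(OUTLOOK_EXTS):
        return True
    return low.endswith(RANSOM_EXTS) and any(ext + "." in low for ext in OUTLOOK_EXTS)


def triage(root):
    """Walk root and bucket every candidate Outlook file by classification."""
    results = {"intact": [], "encrypted-renamed": [], "damaged": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if is_outlook_candidate(fn):
                full = os.path.join(dirpath, fn)
                results[classify_file(full)].append(full)
    return results


def build_sample_tree(root):
    """Constructed sample files, invented for this example, in the shape
    seen on user PCs after a Ryuk run."""
    samples = {
        "alice/Outlook/alice.ost": OUTLOOK_MAGIC + b"\x00" * 60,  # untouched
        "bob/Outlook/bob.ost.RYK": os.urandom(64),                # renamed and encrypted
        "carol/Outlook/carol.ost": b"\x00" * 64,                  # header overwritten
        "carol/Outlook/RyukReadMe.txt": b"ransom note placeholder",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_example():
    """Build the sample tree in a temp dir and return basenames per bucket."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        results = triage(root)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in results.items()}


if __name__ == "__main__":
    for bucket, names in run_example().items():
        print(f"{bucket}: {names}")
```

Two practical notes. A valid header is a necessary, not sufficient, sign of health: open the file in Outlook or run the Inbox Repair Tool (scanpst.exe) before counting a mailbox as recovered. And an OST is bound to the mailbox profile that created it, so export its contents to a PST before the user's mailbox is recreated on the rebuilt Exchange server; once the new mailbox exists, Outlook will refuse to sync against the old OST.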
Over the following weeks, important milestones in the restoration were reached through close cooperation between Progent engineers and the client:
- Self-hosted web sites were restored without losing any information.
- The MailStore email archive server, with over 4 million historical messages, was brought back up and made available to users.
- CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were fully restored.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Nearly all desktops and laptops were working as they had before the incident.
"A huge amount of what went on during the initial response is mostly a blur for me, but I will not soon forget the dedication each of your team accomplished to give us our company back. I have utilized Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This situation was a Herculean accomplishment."
Conclusion
An enterprise-ending catastrophe was averted by top-tier experts, a broad range of IT skills, and tight collaboration. In hindsight, the attack described here would likely have been detected and stopped by modern endpoint security, user training, sound backup practices (including offline or otherwise isolated copies), and disciplined patching. But the reality is that financially motivated and state-backed attackers, from Russia, China and elsewhere, are relentless and will keep coming. If you are hit by ransomware, Progent's team has substantial experience in ransomware defense, containment, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for allowing me to get some sleep after we made it past the initial fire. Everyone did an incredible effort, and if anyone is in the Chicago area, dinner is on me!"
To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Glendale a range of remote monitoring and security assessment services to help reduce exposure to ransomware. Several of these use machine-learning detection to catch zero-day ransomware strains that evade legacy signature-based anti-virus products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system operating efficiently by tracking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT staff and your Progent consultant so that all potential problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a unified, cloud-driven solution for monitoring and managing your network, server, and desktop devices by providing an environment for performing common time-consuming tasks. These include health checking, update management, automated repairs, endpoint setup, backup and recovery, anti-virus protection, remote access, standard and custom scripts, resource inventory, endpoint status reporting, and troubleshooting assistance. When ProSight LAN Watch with NinjaOne RMM spots a serious incident, it transmits an alarm to your specified IT staff and your assigned Progent technical consultant so that potential problems can be taken care of before they interfere with productivity. Find out more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, monitor, enhance and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are kept updated, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating time-consuming management processes, ProSight WAN Watch can cut hours off common tasks like making network diagrams, expanding your network, finding appliances that need critical software patches, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding family of real-time and in-depth reporting plug-ins designed to work with the industry's leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues like spotty support follow-up or machines with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore software companies to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your data backup processes and enable transparent backup and fast recovery of important files, apps, images, and virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, malicious insiders, or software bugs. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these fully managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service, built on technology from leading email security vendors, that delivers web-based management and strong protection for all your email traffic. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to defend against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as the first line of defense and stops the vast majority of threats before they reach your network firewall. This reduces your exposure to external attacks and conserves bandwidth and storage. Email Guard's onsite gateway adds a deeper layer of analysis for incoming email. For outbound email, the local gateway provides AV and anti-spam filtering, data loss prevention (DLP), and email encryption. The onsite gateway can also help Microsoft Exchange Server monitor and protect internal email that originates and ends inside your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo authentication service plans use Cisco's Duo cloud technology to defend against credential theft with two-factor authentication (2FA): a stolen password alone is no longer enough to log in. Duo supports one-tap identity confirmation on iOS, Android, and other personal devices. With Duo 2FA, after you enter your password for a protected application you are asked to confirm your identity on a device that only you possess, over a separate ("out-of-band") channel. A broad range of out-of-band devices can serve as this second factor, including an iPhone, Android phone or smartwatch, a hardware or software token, or a landline telephone, and you can register several verification devices. To learn more about Duo two-factor authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.
- Outsourced/Co-managed Help Center: Support Desk Managed Services
Progent's Call Center services allow your information technology group to outsource Help Desk services to Progent or split responsibilities for Help Desk services transparently between your in-house support team and Progent's nationwide pool of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a transparent extension of your in-house network support resources. Client access to the Service Desk, provision of support services, issue escalation, ticket creation and updates, efficiency metrics, and management of the support database are cohesive whether issues are resolved by your internal support group, by Progent's team, or by a combination. Find out more about Progent's outsourced/shared Help Center services.
- Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection managed service that uses next-generation behavior-based machine learning to guard endpoints, servers and VMs against modern malware such as ransomware and email phishing, which routinely evade legacy signature-matching AV tools. The service protects on-premises and cloud resources and offers a unified platform to manage the complete malware attack progression, including blocking, infiltration detection, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, update, find and protect information about your IT infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL/TLS certificates or domain registrations. By cleaning up and organizing your network documentation, you can save as much as half the time otherwise spent hunting for vital information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. It also supports a high degree of automation for collecting and relating IT information. Whether you are making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Find out more about Progent's ProSight IT Asset Management service.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management provide organizations of all sizes a flexible and affordable alternative for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your dynamic IT system. In addition to optimizing the security and reliability of your computer network, Progent's software/firmware update management services free up time for your IT team to focus on more strategic projects and tasks that derive the highest business value from your network. Read more about Progent's software/firmware update management support services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hardware environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses SentinelOne's next-generation behavior-based machine learning to defend physical and virtual endpoints against modern malware such as ransomware and email phishing, which routinely evade traditional signature-matching anti-virus products. ProSight ASM protects local and cloud resources and offers a unified platform to manage the entire malware attack lifecycle, including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Because ransomware routinely tries to delete shadow copies before it starts encrypting, that rollback depends on the agent protecting the snapshots from tampering, which is part of what the behavior-based engine is there to block. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring of, and response to, attacks across all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint control, and web filtering through technologies delivered in one agent managed from a single console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP environment that meets your specific needs and helps you demonstrate compliance with government and industry data protection regulations. Progent will help you define and configure the security policies that ProSight ESP enforces, and will monitor your environment and respond to alerts that need urgent attention. Progent can also help you set up and verify a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a destructive attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.
For Glendale 24/7 Ransomware Removal Support Services, contact Progent at 800-462-8800 or go to Contact Progent.