Ransomware : Your Worst Information Technology Catastrophe
Crypto-ransomware has become a modern cyber pandemic that poses an existential threat to businesses of all sizes vulnerable to an attack. Multiple generations of ransomware such as the Reveton, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for years and continue to inflict destruction. More recent ransomware families like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with frequent as yet unnamed malware, not only encrypt online files but also corrupt many configured system backups. Data synced to cloud environments can also be ransomed. In a poorly designed data protection solution, this can render any recovery hopeless and effectively knocks the datacenter back to zero.
Getting services and information back online after a ransomware outage becomes a race against the clock as the targeted business tries its best to stop the spread, eradicate the crypto-ransomware, and resume enterprise-critical activity. Because crypto-ransomware needs time to move laterally, attacks are frequently sprung on weekends, when intrusions may take longer to detect. This compounds the difficulty of rapidly assembling and orchestrating a qualified mitigation team.
Progent makes available an assortment of solutions for securing enterprises from crypto-ransomware events. These include team education to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of next-generation security appliances with AI capabilities from SentinelOne to detect and disable zero-day cyber attacks rapidly. Progent also provides the services of veteran ransomware recovery consultants with the track record and perseverance to rebuild a breached environment as urgently as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware attack, paying the ransom in cryptocurrency does not ensure that criminal gangs will return the keys needed to decrypt any or all of your data. Kaspersky estimated that seventeen percent of ransomware victims never restored their information after having sent off the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms are commonly a few hundred thousand dollars. For larger enterprises, the ransom demand can be in the millions of dollars. The alternative is to rebuild the essential parts of your IT environment. Absent access to full data backups, this requires a broad complement of skill sets, professional project management, and the capability to work 24x7 until the job is completed.
For twenty years, Progent has provided expert IT services for companies across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of expertise provides Progent the capability to quickly identify critical systems and consolidate the remaining pieces of your IT system following a ransomware event and rebuild them into a functioning network.
Progent's recovery group uses top notch project management systems to coordinate the sophisticated recovery process. Progent knows the importance of acting rapidly and in concert with a customer's management and IT team members to prioritize tasks and to get critical applications back on line as soon as possible.
Case Study: A Successful Ransomware Penetration Restoration
A business sought out Progent after their network was penetrated by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored cybercriminals, suspected of adopting technology leaked from the U.S. NSA. Ryuk goes after specific companies with limited tolerance for operational disruption and is one of the most lucrative examples of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with around 500 workers. The Ryuk event had paralyzed all business operations and manufacturing processes. The majority of the client's backups had been online at the time of the intrusion and were damaged. The client was preparing to pay the ransom (more than $200K) and hoping for the best, but ultimately engaged Progent.
"I cannot say enough about the support Progent gave us during the most critical period of (our) company's existence. We would have paid the cyber criminals if it wasn't for the confidence the Progent team gave us. That you were able to get our messaging and production applications back in less than 1 week was incredible. Every single consultant I got help from or e-mailed at Progent was laser focused on getting our system up and was working day and night on our behalf."
Progent worked with the client to rapidly assess and assign priority to the critical services that had to be restored to make it possible to resume business functions:
- Active Directory (AD)
- Microsoft Exchange Server
- Financials/MRP
To begin, Progent adhered to industry best practices for malware incident mitigation by halting lateral movement and cleaning infected systems. Progent then initiated the steps of restoring Active Directory, the core of enterprise environments built upon Microsoft technology. Microsoft Exchange email will not function without AD, and the customer's financials and MRP software used Microsoft SQL Server, which depends on Active Directory to authenticate access to the database.
In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then initiated rebuilding and storage recovery on the most important systems. All Exchange Server links and attributes in AD were intact, which facilitated the rebuild of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Data Files) from staff desktop computers to recover mail data. A fairly recent offline backup of the client's accounting systems made it possible to bring these vital services back online. Although a lot of work remained to recover fully from the Ryuk damage, critical services were returned to operation rapidly:
"For the most part, the manufacturing operation ran fairly normal throughout and we made all customer sales."
Throughout the next couple of weeks critical milestones in the restoration process were accomplished in tight cooperation between Progent engineers and the customer:
- In-house web sites were restored without losing any data.
- The MailStore Server containing more than 4 million archived emails was spun up and accessible to users.
- CRM/Orders/Invoicing/AP/AR/Inventory Control functions were fully operational.
- A new Palo Alto Networks 850 security appliance was brought online.
- Ninety percent of the user desktops and notebooks were operational.
"A huge amount of what occurred in the early hours is mostly a blur for me, but I will not soon forget the dedication each of your team put in to give us our business back. I've trusted Progent for the past ten years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This event was the most impressive ever."
Conclusion
A probable company-ending catastrophe was avoided due to top-tier professionals, a broad array of knowledge, and close collaboration. Although in hindsight the ransomware attack detailed here should have been identified and stopped with modern cyber security systems and recognized best practices, user training, and appropriate security procedures for backup and applying software patches, the fact is that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of experts has proven experience in crypto-ransomware virus defense, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for allowing me to get rested after we made it past the initial push. Everyone made a fabulous effort, and if anyone is around the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Harrisburg a range of remote monitoring and security evaluation services designed to help you to reduce your vulnerability to crypto-ransomware. These services incorporate modern AI capability to uncover zero-day variants of crypto-ransomware that are able to evade traditional signature-based anti-virus solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior analysis technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which easily get by legacy signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to manage the complete threat progression including filtering, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers two-way firewall protection, penetration alerts, device control, and web filtering via cutting-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can assist you to plan and configure a ProSight ESP environment that addresses your company's specific requirements and that helps you prove compliance with legal and industry data protection standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent action. Progent's consultants can also help your company to install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has partnered with advanced backup/restore software companies to create ProSight Data Protection Services (DPS), a selection of subscription-based offerings that deliver backup-as-a-service. ProSight DPS products manage and monitor your backup operations and allow transparent backup and rapid recovery of critical files, applications, system images, plus VMs. ProSight DPS lets you recover from data loss resulting from hardware failures, natural disasters, fire, cyber attacks such as ransomware, human error, malicious insiders, or application glitches. Managed services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these fully managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security companies to provide centralized management and world-class protection for all your email traffic. The hybrid architecture of Email Guard combines a Cloud Protection Layer with a local security gateway device to provide complete protection against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from reaching your network firewall. This reduces your exposure to external threats and conserves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a further level of inspection for inbound email. For outgoing email, the onsite security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to diagram, track, reconfigure and debug their connectivity hardware such as routers, firewalls, and access points as well as servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are always updated, copies and manages the configuration information of almost all devices on your network, monitors performance, and generates notices when potential issues are detected. By automating complex management processes, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, finding appliances that require important updates, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running efficiently by checking the health of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT staff and your assigned Progent consultant so that all potential problems can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Since the environment is virtualized, it can be ported easily to a different hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard information about your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates or warranties. By updating and managing your network documentation, you can eliminate up to half of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes next-generation behavioral machine learning tools to guard endpoints and physical and virtual servers against new malware attacks like ransomware and file-less exploits, which easily evade traditional signature-based AV tools. Progent ASM services protect local and cloud-based resources and provide a unified platform to automate the entire malware attack progression including blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Help Center: Call Center Managed Services
Progent's Help Center services permit your information technology team to offload Call Center services to Progent or split responsibilities for Service Desk support transparently between your internal network support resources and Progent's extensive pool of IT service technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a seamless supplement to your internal network support group. Client interaction with the Service Desk, provision of support services, escalation, ticket generation and tracking, efficiency measurement, and maintenance of the service database are cohesive whether issues are resolved by your corporate IT support organization, by Progent, or both. Find out more about Progent's outsourced/shared Help Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide businesses of all sizes a versatile and cost-effective solution for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT network. Besides optimizing the security and functionality of your computer network, Progent's software/firmware update management services free up time for your in-house IT staff to focus on more strategic initiatives and tasks that deliver maximum business value from your network. Read more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication. Duo enables one-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With 2FA, whenever you log into a secured application and give your password you are asked to verify who you are on a device that only you have and that uses a different network channel. A wide selection of out-of-band devices can be used for this added form of ID validation such as an iPhone or Android or wearable, a hardware/software token, a landline phone, etc. You may register several verification devices. To find out more about ProSight Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing family of in-depth reporting plug-ins designed to work with the industry's top ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-through or endpoints with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For Harrisburg 24/7 Crypto-Ransomware Removal Help, reach out to Progent at 800-462-8800 or go to Contact Progent.