Crypto-Ransomware : Your Feared IT Catastrophe
Ransomware has become a modern cyberplague that poses an extinction-level danger for businesses unprepared for an attack. Multiple generations of ransomware, such as the CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms, have been circulating for many years and still inflict damage. Recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Nephilim, along with as yet unnamed newcomers, not only encrypt online data but also go after whatever system protection mechanisms they can reach. Data synchronized to off-site disaster recovery sites can be ransomed as well. With a vulnerable data protection solution, this renders automated restore operations useless and effectively knocks the entire system back to square one.
Restoring programs and information after a ransomware attack becomes a race against time as the targeted organization tries its best to stop the spread, clean up the crypto-ransomware, and resume mission-critical operations. Because ransomware takes time to spread, assaults are often launched at night, when a successful attack is likely to go unnoticed for longer. This multiplies the difficulty of rapidly assembling and organizing a knowledgeable response team.
Progent offers a variety of services for protecting organizations from ransomware attacks. Among these are staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of next-generation security appliances with machine learning capabilities from SentinelOne to detect and disable zero-day threats. Progent can also provide the services of veteran ransomware recovery consultants with the track record and commitment to re-deploy a compromised system as urgently as possible.
Progent's Ransomware Recovery Services
Following a ransomware invasion, paying the ransom in cryptocurrency does not ensure that merciless criminals will hand over the keys to decrypt all your information. Kaspersky Labs determined that 17% of ransomware victims never restored their information after having paid the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms are typically a few hundred thousand dollars. For larger organizations, the ransom can reach millions. The other path is to piece back together the mission-critical components of your IT environment. Without essential data backups available, this requires a wide range of skill sets, top-notch project management, and the capability to work 24x7 until the job is done.
For twenty years, Progent has offered professional IT services for businesses throughout the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have earned top certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (See Progent's certifications). Progent in addition has experience in financial management and ERP software solutions. This breadth of experience affords Progent the ability to rapidly identify critical systems and integrate the remaining components of your network system after a ransomware event and assemble them into a functioning system.
Progent's recovery team deploys state-of-the-art project management applications to orchestrate the complicated recovery process. Progent appreciates the importance of acting rapidly and in concert with a client's management and IT resources to prioritize tasks and to put the most important systems back on-line as fast as possible.
Case Study: A Successful Ransomware Virus Response
A customer hired Progent after their network was taken down by the Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean state criminal gangs, possibly adopting technology leaked from the United States National Security Agency. Ryuk targets specific organizations with little ability to sustain operational disruption and is among the most profitable iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk penetration had shut down all business operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the start of the intrusion and were eventually encrypted. The client was preparing to pay the ransom demand (more than $200K) and hope for the best, but ultimately engaged Progent.
"I cannot speak enough in regards to the support Progent provided us throughout the most stressful time of (our) business's existence. We would have had little choice but to pay the hackers if it wasn't for the confidence the Progent team afforded us. That you were able to get our messaging and important applications back online in less than seven days was amazing. Each expert I talked with or messaged at Progent was laser focused on getting us back on-line and was working 24/7 on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the most important services that needed to be recovered in order to restart business operations:
- Windows Active Directory
- Microsoft Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident response industry best practices by isolating and disinfecting systems. Progent then began rebuilding Microsoft AD, the heart of enterprise environments built on Microsoft Windows Server technology. Exchange messaging will not work without AD, and the business's financials and MRP system ran on SQL Server, which relied on Windows AD for authentication and authorization to the database.
Within two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then completed setup and hard drive recovery on critical servers. All Microsoft Exchange Server data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to collect local OST files (Outlook Offline Folder Files) from user PCs in order to recover email data. A relatively recent offline backup of the customer's manufacturing systems made it possible to bring these vital services back into service. Although a large amount of work remained to recover completely from the Ryuk damage, the most important systems were restored rapidly:
"For the most part, the assembly line operation did not miss a beat and we made all customer orders."
Over the following few weeks, key milestones in the recovery project were reached in tight cooperation between Progent team members and the customer:
- Self-hosted web sites were returned to operation without losing any data.
- The MailStore Exchange Server containing more than 4 million historical emails was spun up and accessible to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were 100 percent recovered.
- A new Palo Alto Networks 850 firewall was installed.
- Most of the user desktops were fully operational.
"A huge amount of what went on during the initial response is nearly entirely a fog for me, but my team will not soon forget the care each and every one of your team put in to give us our business back. I have entrusted Progent for the past 10 years, possibly more, and each time Progent has come through and delivered as promised. This situation was the most impressive ever."
Conclusion
A likely business-ending catastrophe was averted through the efforts of hard-working experts, a wide range of technical expertise, and tight teamwork. Although forensics concluded that the ransomware attack detailed here would have been prevented by up-to-date security technology, NIST Cybersecurity Framework best practices, staff education, properly executed incident response procedures for data protection, and proper patching controls, the fact is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incursion, be assured that Progent's team of professionals has extensive experience in ransomware blocking, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for letting me get rested after we made it over the initial fire. Everyone did an incredible job, and if any of your team is visiting the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Hartford a variety of remote monitoring and security assessment services to help you to minimize your vulnerability to ransomware. These services incorporate modern AI technology to detect new strains of crypto-ransomware that can evade traditional signature-based security products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next generation behavior analysis technology to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely escape legacy signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a single platform to address the complete threat lifecycle including filtering, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, device management, and web filtering through leading-edge tools incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP deployment that meets your company's specific requirements and that helps you prove compliance with government and industry data security regulations. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent can also help your company set up and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with leading backup/restore technology providers to create ProSight Data Protection Services, a selection of offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your backup operations and allow non-disruptive backup and rapid recovery of critical files/folders, applications, system images, and virtual machines. ProSight DPS helps your business protect against data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned employees, or application glitches. Managed services in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these fully managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security companies to deliver web-based control and comprehensive protection for all your inbound and outbound email. The architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This decreases your exposure to external threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further level of inspection for inbound email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map out, monitor, enhance and debug their connectivity hardware such as routers, firewalls, and wireless controllers as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are always current, backs up and manages the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating complex management activities, WAN Watch can cut hours off common tasks such as network mapping, expanding your network, locating devices that require important software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by checking the health of the critical assets that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT personnel and your Progent consultant so that looming problems can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported immediately to a different hardware environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and safeguard information about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save as much as half of time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Find out more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection managed service that utilizes next generation behavior analysis tools to guard endpoint devices as well as physical and virtual servers against modern malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus tools. Progent ASM services safeguard local and cloud-based resources and offer a single platform to address the entire malware attack progression including filtering, detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Learn more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Help Desk: Call Center Managed Services
Progent's Help Desk managed services permit your information technology staff to outsource Help Desk services to Progent or divide responsibilities for Help Desk services transparently between your in-house support resources and Progent's extensive pool of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a transparent extension of your internal support team. End user access to the Service Desk, provision of support, issue escalation, trouble ticket generation and updates, performance measurement, and management of the support database are cohesive whether incidents are taken care of by your corporate IT support staff, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Call Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management offer organizations of any size a versatile and cost-effective solution for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic IT system. In addition to maximizing the protection and functionality of your computer network, Progent's software/firmware update management services permit your in-house IT team to concentrate on more strategic projects and tasks that deliver the highest business value from your network. Find out more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication managed services utilize Cisco's Duo technology to defend against compromised passwords by using two-factor authentication. Duo supports one-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a secured application and enter your password, you are asked to confirm your identity via a device that only you have and that uses a different ("out-of-band") network channel. A broad range of out-of-band devices can be used for this second form of ID validation, such as an iPhone, an Android phone, a smartwatch, a hardware token, or a landline telephone. You can designate multiple verification devices. For more information about Duo two-factor identity validation services, go to Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing suite of in-depth reporting utilities created to integrate with the leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues like inconsistent support follow-through or machines with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24x7 Hartford CryptoLocker Cleanup Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.