Ransomware : Your Crippling IT Catastrophe
Ransomware has become an escalating cyberplague that represents an existential threat for businesses unprepared for an assault. Different versions of ransomware such as CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still inflict harm. The latest strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, as well as additional unnamed newcomers, not only do encryption of on-line critical data but also infiltrate many configured system backups. Information replicated to the cloud can also be ransomed. In a poorly architected data protection solution, this can make any restore operations useless and effectively sets the network back to zero.
Getting back online services and information after a ransomware outage becomes a sprint against the clock as the victim fights to contain, clear the crypto-ransomware, and resume business-critical operations. Because ransomware takes time to spread, attacks are usually launched on weekends and holidays, when successful penetrations tend to take more time to discover. This compounds the difficulty of rapidly mobilizing and orchestrating an experienced response team.
Progent makes available an assortment of solutions for securing organizations from crypto-ransomware penetrations. Among these are team education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security gateways with artificial intelligence capabilities from SentinelOne to discover and suppress new cyber attacks intelligently. Progent in addition can provide the services of experienced ransomware recovery professionals with the talent and perseverance to re-deploy a breached network as rapidly as possible.
Progent's Ransomware Recovery Services
Soon after a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not provide any assurance that merciless criminals will respond with the needed keys to decrypt any of your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms are often several hundred thousand dollars. For larger enterprises, the ransom demand can be in the millions. The alternative is to re-install the essential parts of your IT environment. Without access to essential system backups, this calls for a broad complement of skills, professional team management, and the willingness to work 24x7 until the job is completed.
For twenty years, Progent has made available certified expert IT services for businesses across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned advanced industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have garnered internationally-recognized certifications including CISM, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (See Progent's certifications). Progent in addition has experience with accounting and ERP applications. This breadth of expertise gives Progent the capability to rapidly identify necessary systems and re-organize the surviving parts of your Information Technology system after a ransomware penetration and configure them into an operational network.
Progent's recovery group uses best of breed project management systems to coordinate the complicated recovery process. Progent appreciates the urgency of acting rapidly and together with a client's management and Information Technology resources to prioritize tasks and to get key services back on line as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Incident Recovery
A small business contacted Progent after their organization was penetrated by Ryuk ransomware virus. Ryuk is thought to have been launched by Northern Korean government sponsored criminal gangs, suspected of adopting technology leaked from the United States NSA organization. Ryuk seeks specific businesses with little tolerance for disruption and is among the most profitable versions of ransomware viruses. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in the Chicago metro area and has about 500 staff members. The Ryuk intrusion had frozen all essential operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the start of the attack and were eventually encrypted. The client considered paying the ransom (more than $200K) and hoping for the best, but in the end engaged Progent.
"I can't say enough in regards to the care Progent gave us throughout the most critical period of (our) businesses life. We had little choice but to pay the cybercriminals if not for the confidence the Progent group afforded us. That you were able to get our e-mail system and critical applications back into operation sooner than 1 week was amazing. Each person I talked with or texted at Progent was urgently focused on getting us restored and was working non-stop to bail us out."
Progent worked with the client to quickly get our arms around and assign priority to the essential applications that had to be addressed to make it possible to resume company operations:
- Active Directory
- Electronic Messaging
- MRP System
To begin, Progent adhered to AV/Malware Processes incident mitigation best practices by halting the spread and cleaning up infected systems. Progent then began the process of recovering Windows Active Directory, the foundation of enterprise networks built upon Microsoft Windows Server technology. Exchange email will not work without AD, and the customer's accounting and MRP applications used Microsoft SQL Server, which needs Active Directory services for security authorization to the databases.
Within two days, Progent was able to restore Active Directory to its pre-attack state. Progent then performed rebuilding and storage recovery of needed servers. All Exchange schema and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to locate intact OST files (Outlook Offline Folder Files) on staff desktop computers and laptops in order to recover mail messages. A not too old off-line backup of the client's financials/MRP software made it possible to recover these required applications back online for users. Although significant work was left to recover completely from the Ryuk event, the most important services were recovered rapidly:
"For the most part, the assembly line operation showed little impact and we made all customer orders."
Throughout the next few weeks important milestones in the restoration project were accomplished in close cooperation between Progent team members and the customer:
- In-house web sites were restored without losing any data.
- The MailStore Exchange Server containing more than four million archived emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were completely functional.
- A new Palo Alto 850 firewall was brought on-line.
- 90% of the desktop computers were functioning as before the incident.
"Much of what was accomplished that first week is nearly entirely a haze for me, but my team will not forget the countless hours all of you put in to give us our company back. I have been working with Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This time was a testament to your capabilities."
Conclusion
A possible business-ending disaster was averted by results-oriented experts, a wide range of knowledge, and tight teamwork. Although upon completion of forensics the crypto-ransomware incident detailed here could have been disabled with current cyber security technology solutions and ISO/IEC 27001 best practices, user training, and well thought out security procedures for data protection and keeping systems up to date with security patches, the reality is that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware incident, remember that Progent's roster of experts has extensive experience in ransomware virus blocking, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for letting me get rested after we got through the most critical parts. All of you did an incredible effort, and if any of your team is visiting the Chicago area, dinner is on me!"
To read or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Huntington Beach a variety of online monitoring and security assessment services designed to assist you to minimize your vulnerability to ransomware. These services incorporate next-generation machine learning technology to detect zero-day variants of ransomware that are able to evade traditional signature-based security solutions.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next generation behavior machine learning technology to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which easily get by traditional signature-based AV tools. ProSight ASM protects local and cloud-based resources and provides a single platform to automate the entire threat progression including protection, detection, mitigation, remediation, and forensics. Key capabilities include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering through cutting-edge tools packaged within one agent accessible from a single control. Progent's security and virtualization experts can help you to plan and implement a ProSight ESP environment that addresses your organization's unique requirements and that allows you achieve and demonstrate compliance with legal and industry information security regulations. Progent will assist you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for immediate attention. Progent can also help you to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with leading backup technology companies to produce ProSight Data Protection Services, a family of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS products automate and track your backup processes and allow transparent backup and fast recovery of important files, apps, system images, and VMs. ProSight DPS helps you avoid data loss caused by equipment breakdown, natural disasters, fire, malware such as ransomware, human error, malicious insiders, or application bugs. Managed services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading data security companies to provide web-based management and world-class protection for all your email traffic. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with a local gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of threats from reaching your network firewall. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper level of analysis for inbound email. For outbound email, the local gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, track, reconfigure and debug their networking hardware like routers, firewalls, and wireless controllers plus servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are always updated, copies and manages the configuration of almost all devices connected to your network, monitors performance, and generates notices when potential issues are discovered. By automating time-consuming management activities, WAN Watch can knock hours off common chores such as network mapping, expanding your network, locating appliances that need important software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by checking the health of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT personnel and your Progent engineering consultant so that any looming issues can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved easily to a different hosting environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard data related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates ,domains or warranties. By cleaning up and organizing your IT documentation, you can save as much as half of time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need as soon as you need it. Read more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior-based machine learning tools to guard endpoint devices and physical and virtual servers against new malware attacks like ransomware and file-less exploits, which routinely get by legacy signature-based AV products. Progent ASM services safeguard local and cloud resources and offers a single platform to automate the entire threat lifecycle including protection, identification, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Call Center: Call Center Managed Services
Progent's Support Desk services allow your information technology team to offload Support Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your in-house support group and Progent's nationwide pool of IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless extension of your in-house IT support staff. End user interaction with the Help Desk, provision of support, problem escalation, ticket creation and tracking, efficiency metrics, and management of the service database are consistent regardless of whether issues are resolved by your core network support organization, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Help Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management provide businesses of any size a flexible and affordable solution for assessing, validating, scheduling, applying, and documenting updates to your dynamic information system. Besides optimizing the security and reliability of your IT network, Progent's software/firmware update management services permit your IT team to focus on line-of-business initiatives and activities that deliver maximum business value from your information network. Find out more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo authentication services utilize Cisco's Duo technology to defend against password theft by using two-factor authentication. Duo enables single-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. Using 2FA, whenever you sign into a secured application and enter your password you are asked to confirm who you are on a device that only you have and that uses a different ("out-of-band") network channel. A wide selection of out-of-band devices can be utilized for this added means of ID validation including an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You may designate several verification devices. For more information about ProSight Duo two-factor identity validation services, see Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of real-time reporting utilities designed to integrate with the industry's leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues such as inconsistent support follow-through or machines with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24x7x365 Huntington Beach Crypto Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.