Crypto-Ransomware: Your Feared Information Technology Nightmare
Ransomware has become an escalating cyber plague that presents an extinction-level threat to organizations unprepared for an attack. Ransomware families such as Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been circulating for years and continue to inflict havoc. Newer crypto-ransomware such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Egregor, plus additional unnamed malware, not only encrypts online data but also seeks out any backups it can reach, including shadow copies and network-attached backup volumes, and encrypts or deletes them. Files synchronized to off-site disaster recovery sites can also be overwritten with their encrypted versions. In a vulnerable environment this can make automated restore operations impossible and effectively sets the network back to square one.
Recovering applications and data after a crypto-ransomware attack becomes a race against the clock as the targeted organization fights to stop the spread, clean up the ransomware, and resume business-critical operations. Because ransomware operators take time to move laterally and stage the encryption, attacks are frequently launched at night or on weekends, when intrusions typically take longer to notice and response is slowest. This compounds the difficulty of promptly assembling and coordinating a knowledgeable response team.
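The two points above, backups destroyed before encryption starts and attacks timed for off-hours, can be turned into a concrete detection. The following Python script is an added example; it is not part of the original page and not Progent's ProSight tooling. It scans process-creation events for the shadow-copy, backup-catalog and boot-recovery tampering commands documented in public Ryuk analyses and flags the ones that run outside business hours. The log line layout, host names and user names are constructed for the example, and the 07:00 to 19:00 business window is an assumption.

```python
"""Flag process-creation events that look like pre-encryption backup tampering.

Added example, not from the original case study. The log lines are constructed
to resemble Windows Security event 4688 / Sysmon event 1 command lines; the
exact field layout (timestamp host= user= cmd=) is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime

# Command lines that ransomware (Ryuk among others) runs to destroy recovery
# options before encrypting. Matched case-insensitively against the command.
BACKUP_TAMPER_PATTERNS = [
    (r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", "shadow copy deletion"),
    (r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", "shadow storage shrink"),
    (r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", "shadow copy deletion via WMI"),
    (r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", "backup catalog deletion"),
    (r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", "Windows recovery disabled"),
    (r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", "boot failures hidden"),
]
COMPILED_PATTERNS = [(re.compile(p, re.IGNORECASE), label) for p, label in BACKUP_TAMPER_PATTERNS]

# Assumed line layout for the constructed sample log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def is_after_hours(ts, day_start=7, day_end=19):
    """True on weekends or outside the assumed 07:00-19:00 business window."""
    return ts.weekday() >= 5 or not (day_start <= ts.hour < day_end)


def scan(lines):
    """Return one hit per event whose command matches a tampering pattern."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for rx, label in COMPILED_PATTERNS:
            if rx.search(ev["cmd"]):
                hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "label": label, "after_hours": is_after_hours(ev["ts"]),
                             "cmd": ev["cmd"]})
                break
    return hits


def summarize(hits, window_seconds=300):
    """Group hits per host. Several distinct tampering commands inside the window
    is the classic pre-encryption burst and is rated critical; a lone command
    after hours is high; anything else is medium (could be an admin)."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    summary = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        span = (hs[-1]["ts"] - hs[0]["ts"]).total_seconds()
        labels = {h["label"] for h in hs}
        if len(labels) >= 2 and span <= window_seconds:
            severity = "critical"
        elif any(h["after_hours"] for h in hs):
            severity = "high"
        else:
            severity = "medium"
        summary[host] = {"severity": severity, "labels": sorted(labels), "count": len(hs)}
    return summary


# Constructed sample log: a Saturday 02:14 burst on a file server, plus benign
# weekday activity on a workstation (including a harmless "vssadmin list").
SAMPLE_LOG = """\
2019-01-05 02:14:07 host=FS01 user=CORP\\svc_backup cmd=C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet
2019-01-05 02:14:09 host=FS01 user=CORP\\svc_backup cmd=wbadmin.exe delete catalog -quiet
2019-01-05 02:14:11 host=FS01 user=CORP\\svc_backup cmd=bcdedit.exe /set {default} recoveryenabled No
2019-01-07 10:31:55 host=WS22 user=CORP\\jdoe cmd=notepad.exe C:\\Users\\jdoe\\notes.txt
2019-01-07 10:45:00 host=WS22 user=CORP\\jdoe cmd=vssadmin.exe list shadows
"""


def demo():
    """Run the detection over the constructed sample and return (hits, summary)."""
    hits = scan(SAMPLE_LOG.splitlines())
    return hits, summarize(hits)


if __name__ == "__main__":
    found, per_host = demo()
    for h in found:
        print(f"{h['ts']} {h['host']} {h['user']} after_hours={h['after_hours']} {h['label']}: {h['cmd']}")
    print(per_host)
```

In production the same patterns belong in the EDR or SIEM rule set, and the burst logic is what separates a real pre-encryption sequence from an administrator cleaning up shadow storage; the after-hours flag is only a weighting factor, not a verdict on its own.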
Progent provides a range of services for protecting enterprises from ransomware attacks. These include user training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) endpoint protection with 24x7 remote monitoring and management, and deployment of the latest generation of AI-based endpoint protection from SentinelOne to detect and quarantine new threats rapidly. Progent can also provide seasoned ransomware recovery professionals with the skills and commitment to rebuild a breached network as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over working decryption keys for all your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. Paying is also expensive: Ryuk ransoms are typically several hundred thousand dollars, and for larger organizations the demand can run into the millions. The alternative is to rebuild the key components of your Information Technology environment. Without access to clean, complete backups, this requires a broad range of skill sets, professional project management, and the ability to work around the clock until the recovery is done.
For twenty years, Progent has offered expert Information Technology services to businesses across the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level industry certifications in key technologies from Microsoft, Cisco and VMware and in popular distributions of Linux. Progent's security consultants hold internationally recognized certifications including CISA, CISSP, CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience lets Progent quickly identify critical systems, salvage the intact pieces of your network following a ransomware event, and reassemble them into a functioning environment.
Progent's ransomware group has state-of-the-art project management applications to orchestrate the complex restoration process. Progent appreciates the importance of working quickly and together with a client's management and IT team members to prioritize tasks and to put key systems back on-line as fast as humanly possible.
Customer Story: A Successful Ransomware Incident Response
A customer escalated to Progent after their network was brought down by Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but it is now generally attributed to a financially motivated, Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative strains of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in the Chicago metro area with around 500 staff members. The Ryuk infection had brought down all essential business and manufacturing processes. Most of the client's backups had been online at the time of the attack and were encrypted along with everything else. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately decided to engage Progent.
"I cannot thank you enough for the expertise Progent gave us during the most critical time of (our) company's life. We would have paid the cybercriminals if not for the confidence the Progent team gave us. That you could get our messaging and important applications back in less than 1 week was incredible. Every single expert I got help from or e-mailed at Progent was laser focused on getting us working again and was working at all hours to bail us out."
Progent worked with the client to rapidly assess and prioritize the mission-critical applications that had to be restored before company operations could restart:
- Microsoft Active Directory
- E-Mail
- Accounting and Manufacturing Software
To start, Progent followed incident response best practices by halting the spread and removing the active malware. Progent then began rebuilding Microsoft Active Directory, the heart of environments built on Microsoft technology. Microsoft Exchange Server will not function without Active Directory, and the customer's accounting and MRP applications ran on Microsoft SQL Server, which relied on Windows Active Directory authentication for access to the databases.
In less than two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then began reinstalling and recovering storage for the most important servers. The Exchange Server objects and attributes held in Active Directory were intact, which greatly simplified the Exchange restore. Progent located local OST files (Microsoft Outlook offline data files) on staff desktop computers and used them to recover email data. A recent offline backup of the business's accounting software made it possible to bring these essential services back to users. Although significant work remained to recover fully from the Ryuk attack, essential services were restored quickly:
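The recovery above turned on knowing which copies of data were still trustworthy: the online backups were encrypted, while the offline accounting backup and the workstation OST files were not. The following Python script is an added example, not Progent's tooling and not from the case study. It triages a restored backup or file-share tree and sorts files into intact, encrypted (by the .RYK extension Ryuk appends), ransom note (the RyukReadMe files Ryuk drops), or suspect (high byte entropy with no known-compressed extension). The sample tree, file names and the 7.5-bit entropy threshold are constructed assumptions for the example.

```python
"""Triage a backup tree for ransomware-encrypted files before trusting a restore.

Added example, not the case study's own procedure. Extension and note names are
Ryuk's; the entropy threshold and compressed-format list are heuristics.
"""
import math
import os
import tempfile
from collections import Counter

# Ryuk appends this extension and drops these notes; extend for other families.
ENCRYPTED_EXTENSIONS = {".ryk"}
RANSOM_NOTE_NAMES = {"ryukreadme.txt", "ryukreadme.html"}
# Formats that are legitimately high-entropy and must not trip the heuristic.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png",
                         ".mp4", ".docx", ".xlsx", ".pptx", ".pdf"}


def shannon_entropy(data):
    """Bits per byte, 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path, entropy_threshold=7.5, sample_size=64 * 1024, min_size=1024):
    """Return 'ransom_note', 'encrypted', 'suspect_high_entropy' or 'intact'."""
    name = os.path.basename(path).lower()
    if name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    ext = os.path.splitext(name)[1]
    if ext in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    if ext in COMPRESSED_EXTENSIONS:
        return "intact"  # entropy says nothing useful about compressed formats
    with open(path, "rb") as f:
        head = f.read(sample_size)  # only the first chunk is needed for the estimate
    if len(head) >= min_size and shannon_entropy(head) >= entropy_threshold:
        return "suspect_high_entropy"
    return "intact"


def triage_tree(root):
    """Walk the tree and bucket every file by classification (paths relative to root)."""
    report = {k: [] for k in ("intact", "encrypted", "suspect_high_entropy", "ransom_note")}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            full = os.path.join(dirpath, fn)
            report[classify_file(full)].append(os.path.relpath(full, root))
    return report


def backup_is_trustworthy(report):
    """A backup set is only usable for restore if nothing in it shows signs of encryption."""
    return not (report["encrypted"] or report["ransom_note"] or report["suspect_high_entropy"])


def build_sample_tree(root):
    """Constructed fixture, not real customer data: one plaintext ledger, one Ryuk
    encrypted file, one ransom note, one unexplained random blob, one archive."""
    acct = os.path.join(root, "accounting")
    os.makedirs(acct, exist_ok=True)
    with open(os.path.join(acct, "ledger.csv"), "w") as f:
        f.write("date,account,amount\n")
        for i in range(200):
            f.write(f"2019-01-{(i % 28) + 1:02d},{1000 + i % 7},{i * 1.25:.2f}\n")
    with open(os.path.join(acct, "budget.xlsx.RYK"), "wb") as f:
        f.write(os.urandom(4096))  # stands in for ciphertext
    with open(os.path.join(acct, "RyukReadMe.txt"), "w") as f:
        f.write("placeholder for a ransom note (constructed)\n")
    with open(os.path.join(root, "export.bin"), "wb") as f:
        f.write(os.urandom(8192))  # unknown extension, random content: suspect
    with open(os.path.join(root, "archive.zip"), "wb") as f:
        f.write(os.urandom(8192))  # random content but a compressed format: intact


def run_demo():
    """Build the fixture in a temp dir, triage it, and return (report, trustworthy)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        report = triage_tree(root)
    return report, backup_is_trustworthy(report)


if __name__ == "__main__":
    rep, ok = run_demo()
    for bucket, paths in rep.items():
        print(f"{bucket}: {paths}")
    print("trustworthy:", ok)
```

Run it against a mounted backup volume or a restored share before pointing a production restore at it; a single ransom note or .RYK file in the set means the backup was taken, or synchronized, after the attacker already had access, and the whole set should be treated as contaminated rather than picked through.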
"For the most part, the production line operation showed little impact and we made all customer deliverables."
Over the following month, further milestones in the restoration were completed in close collaboration between Progent consultants and the client:
- In-house web sites were restored with no loss of data.
- The MailStore email archive for Exchange Server, holding more than 4 million historical messages, was brought online and made accessible to users.
- CRM/Product Ordering/Invoices/AP/AR/Inventory Control capabilities were fully restored.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Ninety percent of the desktops and laptops were operational.
"A lot of what went on in the early hours is nearly entirely a haze for me, but my team will not forget the countless hours each of you put in to help get our company back. I've utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This time was a life saver."
Conclusion
A potential business-extinction catastrophe was averted by dedicated experts, a broad spectrum of knowledge, and close teamwork. In hindsight, the ransomware intrusion described here would likely have been detected and blocked by current security tooling combined with ISO/IEC 27001-aligned practices: staff education, offline or otherwise isolated backups that are tested regularly, and prompt installation of security patches. The reality, however, is that well-resourced attackers, including state-sponsored groups from Russia, China and elsewhere, are tireless and are not going away. If you do fall victim to a ransomware attack, you can be confident that Progent's team has substantial experience in ransomware prevention, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), I'm grateful for allowing me to get rested after we got past the most critical parts. All of you made a fabulous effort, and if any of you guys is in the Chicago area, dinner is my treat!"
To review or download a PDF version of this customer case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Long Beach a variety of remote monitoring and security assessment services to help reduce your exposure to crypto-ransomware. These services include next-generation AI-based behavioral detection able to catch zero-day ransomware variants that slip past legacy signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's behavioral machine-learning technology to defend physical and virtual endpoints against new malware attacks such as ransomware and phishing payloads, which readily evade traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to manage the complete threat lifecycle including prevention, detection, containment, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and real-time network-wide immunization against newly discovered attacks. Because many ransomware strains try to delete shadow copies before encrypting, rollback is a complement to, not a substitute for, isolated backups. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection services deliver economical multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools packaged within a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP deployment that addresses your organization's unique requirements and allows you to demonstrate compliance with legal and industry data security standards. Progent will help you define and configure the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alarms that call for urgent attention. Progent can also help your company set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore technology providers to create ProSight Data Protection Services (DPS), a selection of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup operations and allow transparent backup and rapid restoration of vital files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss caused by hardware failures, natural calamities, fire, malware like ransomware, user error, malicious insiders, or application bugs. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top data security companies to provide web-based control and comprehensive protection for all your email traffic. The architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway appliance to provide layered protection against spam, viruses, denial-of-service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats before they reach your network firewall. This decreases your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance provides a further layer of inspection for incoming email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also work with Microsoft Exchange Server to monitor and safeguard internal email traffic that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, track, enhance and debug their connectivity appliances such as routers, firewalls, and wireless controllers as well as servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are always updated, captures and manages the configuration of almost all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, finding appliances that need critical software patches, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network running at peak levels by checking the health of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so that any potential problems can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the apps. Since the system is virtualized, it can be ported easily to a different hosting solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and protect information about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as half of time wasted searching for vital information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your network infrastructure like recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're making improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need the instant you need it. Learn more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection platform (EPP) service that uses next-generation behavior analysis to defend endpoint devices as well as physical and virtual servers against new malware attacks such as ransomware and phishing payloads, which routinely evade traditional signature-based anti-virus tools. The service protects on-premises and cloud-based resources and offers a single platform to automate the complete malware attack lifecycle including prevention, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service snapshots and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and recovery services.
- Progent's Outsourced/Shared Help Center: Help Desk Managed Services
Progent's Help Center services permit your information technology group to offload Call Center services to Progent or split responsibilities for Service Desk support seamlessly between your in-house support team and Progent's extensive pool of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a transparent supplement to your core support resources. End user access to the Service Desk, delivery of technical assistance, problem escalation, ticket generation and tracking, performance measurement, and maintenance of the support database are consistent regardless of whether incidents are taken care of by your internal support staff, by Progent, or a mix of the two. Learn more about Progent's outsourced/shared Call Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management provide organizations of all sizes a flexible and cost-effective solution for assessing, testing, scheduling, applying, and tracking updates to your ever-evolving IT system. Besides maximizing the security and reliability of your IT network, Progent's patch management services allow your in-house IT staff to concentrate on more strategic projects and tasks that derive the highest business value from your network. Find out more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo authentication managed services incorporate Cisco's Duo technology to defend against password theft through two-factor authentication. Duo enables single-tap identity confirmation with Apple iOS, Android, and other personal devices. With 2FA, when you log into a protected account and supply your password, you are asked to confirm your identity on a device that only you possess and that is reached over a separate ("out-of-band") channel, so a stolen password alone is not enough to log in. A wide range of devices can serve as this second factor, including a smartphone or wearable, a hardware token, or a landline telephone, and you may enroll several verification devices. For more information about Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding family of real-time management reporting plug-ins designed to work with the industry's leading ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For 24x7x365 Long Beach crypto-ransomware remediation support services, call Progent at 800-462-8800 or go to Contact Progent.