Ransomware: Your Crippling IT Disaster
Ransomware has become a modern cyber plague and an extinction-level threat for businesses of any size that are poorly prepared for an attack. Multiple generations of ransomware such as Dharma, Fusob, Locky, SamSam and MongoLock have been in the wild for years and continue to cause harm. More recent strains like Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch or Nefilim (also written Nephilim), plus new and as yet unnamed variants appearing daily, not only encrypt online data but also seek out and encrypt or delete any reachable backups. Files replicated to the cloud can be corrupted as well, because synchronization faithfully copies the encrypted versions. If the data protection solution keeps no offline or immutable copy, restores become impossible and the datacenter is effectively set back to square one.
Getting applications and data back online after a ransomware intrusion becomes a race against time as the targeted organization struggles to contain the spread, eradicate the malware, and restore business-critical operations. Because encrypting an entire environment takes time, attackers frequently detonate ransomware on weekends and at night, when the intrusion is less likely to be noticed quickly. This multiplies the difficulty of rapidly mobilizing and coordinating a capable response team.
Progent offers a variety of services for protecting organizations from ransomware. These include staff training to help recognize and avoid phishing, the ProSight Active Security Monitoring (ASM) endpoint protection service, and deployment and configuration of SentinelOne's latest-generation, machine-learning-based endpoint protection to identify and stop zero-day threats automatically. Progent also provides seasoned ransomware recovery consultants with the skills and perseverance to rebuild a compromised network as quickly as possible.
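Backups and cloud replicas that have been encrypted in place look like ordinary files until a restore is attempted. The following script is an added example (not Progent's code and not part of any ProSight product) that triages a set of files before trusting them as a restore source: it checks well-known file signatures, flags extensions appended by two families named above (Ryuk's .RYK and Locky's .locky), and measures Shannon entropy, since encrypted data sits near 8 bits per byte while documents and text do not. The sample files, the hash-chain stand-in for ciphertext, and the suffix list are constructed for illustration; a real deployment would walk the backup directory and extend the tables.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple

# Well-known file signatures ("magic bytes") for common document types.
MAGIC: Dict[str, bytes] = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
# Formats that are already compressed and therefore legitimately near 8 bits/byte.
COMPRESSED = {".docx", ".xlsx", ".zip", ".png", ".jpg"}
# Extensions appended by two families named on this page: Ryuk (.RYK) and Locky (.locky).
# Illustrative list; extend it for the families relevant to your environment.
RANSOM_SUFFIXES = {".ryk", ".locky"}
# Random or encrypted data approaches 8.0 bits/byte; plain text is usually well under 6.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input or a single repeated byte)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def split_ext(name: str) -> Tuple[str, str]:
    """('orders.txt', '.ryk') for 'orders.txt.RYK'; the extension is lower-cased."""
    name = name.lower()
    i = name.rfind(".")
    return (name, "") if i <= 0 else (name[:i], name[i:])


def assess(name: str, head: bytes) -> List[str]:
    """Return the reasons a file looks ransomware-damaged; an empty list means it looks intact."""
    reasons = []
    stem, ext = split_ext(name)
    if ext in RANSOM_SUFFIXES:
        reasons.append(f"ransomware extension {ext}")
        _, ext = split_ext(stem)  # judge the original extension hidden underneath
    sig = MAGIC.get(ext)
    if sig and not head.startswith(sig):
        reasons.append(f"header does not match the {ext} signature")
    ent = shannon_entropy(head)
    if ent > ENTROPY_THRESHOLD and ext not in COMPRESSED:
        reasons.append(f"entropy {ent:.2f} bits/byte for a type that should not be compressed")
    return reasons


def scan(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each suspicious file name to its reasons; clean files are omitted."""
    findings = {name: assess(name, data[:4096]) for name, data in files.items()}
    return {name: r for name, r in findings.items() if r}


def pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (a SHA-256 hash chain, not real encryption)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample "backup set": two intact plain files, one intact compressed file,
# and two files that have been encrypted and renamed the way Ryuk does.
SAMPLE_FILES: Dict[str, bytes] = {
    "invoice_2020.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40,
    "orders.txt": b"order,qty,price\n" + b"A100,5,19.99\n" * 100,
    "budget.xlsx": b"PK\x03\x04" + pseudo_random(b"zip-payload", 4000),
    "orders.txt.RYK": pseudo_random(b"encrypted-1", 4096),
    "budget.xlsx.RYK": pseudo_random(b"encrypted-2", 4096),
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_FILES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The compressed-format exclusion matters: a healthy .xlsx or .zip is also near 8 bits per byte, so entropy alone would flood you with false positives; for those types the signature check does the work. Run a check like this against the backup copy, not only the live share, because a backup that was still online during the attack is exactly the copy most likely to be encrypted.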
Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, paying the ransom in cryptocurrency gives no assurance that the remote criminals will supply working decryption keys for any of your files. Kaspersky found that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms commonly run to several hundred thousand dollars, and for larger enterprises demands can reach millions. The alternative is to rebuild the key components of your IT environment. Without complete backups, this calls for a wide range of skill sets, professional project management, and the ability to work non-stop until recovery is complete.
For two decades, Progent has provided certified expert IT services to companies throughout the US and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals with high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security specialists hold internationally recognized certifications including CISM, CISSP, CRISC, GIAC, and CMMC 2.0. (See Progent's certifications.) Progent also has experience with financial management and ERP software. This breadth of experience gives Progent the skills to quickly identify critical systems after a ransomware attack, salvage the surviving parts of your IT environment, and reassemble them into a functioning network.
Progent's security group uses project management tools to orchestrate the complex recovery process. Progent understands the urgency of working quickly and in concert with a customer's management and IT staff to prioritize tasks and get critical systems back online as fast as possible.
Client Story: A Successful Ransomware Incident Response
A small business contacted Progent after its network was compromised by the Ryuk ransomware. Early reports attributed Ryuk to North Korean state-sponsored actors because of code it shares with the Hermes ransomware, and some suggested the operators used exploit tooling leaked from the United States National Security Agency; later analysis has attributed Ryuk to Russian-speaking criminal groups. Ryuk is targeted ransomware aimed at organizations with little tolerance for operational disruption and is one of the most profitable ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in Chicago with around 500 staff members. The Ryuk attack had frozen all business and manufacturing operations. Most of the client's backups were online at the start of the attack and were themselves encrypted. The client was arranging financing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.
"I can't thank you enough for the care Progent provided us throughout the most critical time of our business's existence. We might have had to pay the hackers behind this attack if it weren't for the confidence the Progent team gave us. The fact that you could get our messaging and essential applications back online in less than seven days was earth-shattering. Each expert I got help from or communicated with at Progent was urgently focused on getting our system up and was working day and night on our behalf."
Progent worked with the customer to quickly identify and prioritize the most important services that had to be restored so that business functions could restart:
- Windows Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed industry incident response best practices: containing the spread and eradicating the malware from the environment. Progent then began restoring Windows Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange Server will not function without Active Directory, and the client's MRP software ran on SQL Server, which relied on Active Directory authentication for access to its data.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then reinstalled the needed applications and recovered their storage. The Exchange Server configuration objects and attributes stored in Active Directory were intact, which simplified the Exchange restore. Progent was able to gather local Outlook Offline Storage (.ost) files from users' desktops to recover mailbox data. A recent offline backup of the customer's accounting/MRP systems allowed these essential applications to be brought back online for users. Although substantial work remained to recover fully from the Ryuk attack, core services were returned to operation rapidly:
"For the most part, the production line operation did not miss a beat and we produced all customer orders."
Over the following month, key milestones in the recovery project were reached through close collaboration between Progent consultants and the client:
- Self-hosted web sites were brought back up without losing any data.
- The MailStore email archive, containing more than 4 million archived Exchange messages, was brought online and made available to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory functions were 100 percent operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- 90% of desktop computers were back in use by staff.
"A huge amount of what happened those first few days is mostly a haze for me, but our team will not soon forget the countless hours each of your team put in to help get our business back. I've trusted Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered. This event was the most impressive ever."
Conclusion
A potentially business-ending disaster was averted thanks to top-tier experts, a broad range of technical expertise, and close collaboration. Post-incident analysis showed that the attack described here could have been detected and blocked with current security technology, security best practices, staff training, and sound procedures for data protection and software patching. Even so, state-sponsored and criminal cyber gangs from Russia, China and elsewhere are tireless and remain an ongoing threat. If you are hit by a ransomware incident, be assured that Progent's team has a proven track record in ransomware prevention, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for letting me get some sleep after we got over the first week. All of you made an amazing effort, and if any of your guys are in the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Indianapolis a range of remote monitoring and security assessment services designed to help minimize the threat from ransomware. These services use next-generation AI and machine-learning technology to detect zero-day strains of ransomware that evade legacy signature-based security products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service built on SentinelOne's next-generation behavior-based analysis to guard physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which readily evade legacy signature-based AV tools. ProSight ASM protects local and cloud resources and provides a single platform covering the entire threat lifecycle: prevention, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
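Rollback from VSS snapshots only works if the snapshots still exist, and most ransomware families, Ryuk included, delete or shrink shadow storage and disable Windows recovery just before encrypting. Those commands are a high-fidelity early signal regardless of which endpoint product is in place. The following detection logic is an added example (not Progent's or SentinelOne's code) that runs a small rule set over process-creation events in the shape of Sysmon Event ID 1 records; the JSON log lines, host names, users and parent paths are constructed for this example.

```python
import json
import re
from typing import Dict, Iterable, List

# Command-line patterns for destroying or shrinking Volume Shadow Copies and
# Windows backup state. Each is a widely observed pre-encryption step; the
# shadow-storage resize trick is the one Ryuk's kill script uses.
SHADOW_TAMPER_RULES: Dict[str, re.Pattern] = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_resize_shadowstorage":
        re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_backup_state":
        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    "bcdedit_disable_recovery":
        re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "powershell_wmi_shadowcopy_delete":
        re.compile(r"win32_shadowcopy\b.*\b(remove-wmiobject|delete)\b", re.I),
}


def detect(events: Iterable[dict]) -> List[dict]:
    """Return one alert per process-creation event whose command line matches a rule."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for rule, rx in SHADOW_TAMPER_RULES.items():
            if rx.search(cmd):
                alerts.append({
                    "rule": rule,
                    "host": ev.get("Computer"),
                    "user": ev.get("User"),
                    "parent": ev.get("ParentImage"),  # who spawned it is the key triage clue
                    "cmd": cmd,
                })
                break  # one alert per event is enough
    return alerts


def detect_jsonl(text: str) -> List[dict]:
    """Parse newline-delimited JSON events (Sysmon Event ID 1 style) and run detection."""
    return detect(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample log: two benign administrative commands mixed with six
# pre-encryption tampering commands spawned from an unexpected parent binary.
SAMPLE_LOG = r"""
{"Computer": "FILESRV01", "User": "CORP\\svc_backup", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}
{"Computer": "FILESRV01", "User": "CORP\\jdoe", "ParentImage": "C:\\Users\\Public\\update.exe", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}
{"Computer": "FILESRV01", "User": "CORP\\jdoe", "ParentImage": "C:\\Users\\Public\\update.exe", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB"}
{"Computer": "FILESRV01", "User": "CORP\\jdoe", "ParentImage": "C:\\Users\\Public\\update.exe", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete"}
{"Computer": "FILESRV01", "User": "CORP\\jdoe", "ParentImage": "C:\\Users\\Public\\update.exe", "Image": "C:\\Windows\\System32\\wbadmin.exe", "CommandLine": "wbadmin.exe delete catalog -quiet"}
{"Computer": "FILESRV01", "User": "CORP\\jdoe", "ParentImage": "C:\\Users\\Public\\update.exe", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit.exe /set {default} recoveryenabled No"}
{"Computer": "FILESRV01", "User": "CORP\\svc_backup", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\wbadmin.exe", "CommandLine": "wbadmin start backup -backupTarget:E: -include:C: -quiet"}
{"Computer": "FILESRV01", "User": "CORP\\jdoe", "ParentImage": "C:\\Users\\Public\\update.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -Command \"Get-WmiObject Win32_ShadowCopy | Remove-WmiObject\""}
"""

if __name__ == "__main__":
    for a in detect_jsonl(SAMPLE_LOG):
        print(f"[{a['rule']}] {a['host']} {a['user']} parent={a['parent']} :: {a['cmd']}")
```

Two practical notes. First, `vssadmin list shadows` and `wbadmin start backup` are deliberately not matched: administrators and backup software run them constantly, and alerting on them would bury the real signal. Second, Windows Security event 4688 carries the command line only when the "Include command line in process creation events" audit policy is enabled; Sysmon Event ID 1 records it by default. Without command-line capture, every rule above degrades to "vssadmin.exe started", which is far noisier.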
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer protection for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies incorporated within one agent accessible from a unified console. Progent's security and virtualization experts can help you design and implement a ProSight ESP environment that meets your organization's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry data security regulations. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require urgent action. Progent's consultants can also help you install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has partnered with advanced backup software providers to produce ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products manage and track your data backup processes and allow non-disruptive backup and rapid restoration of critical files/folders, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business recover from data loss caused by equipment breakdown, natural calamities, fire, malware such as ransomware, human mistakes, malicious insiders, or application glitches. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these fully managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security companies to provide centralized control and comprehensive protection for all your inbound and outbound email. The hybrid structure of Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter acts as a first line of defense and blocks most threats from making it to your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage space. Email Guard's onsite gateway device provides a deeper layer of inspection for incoming email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map out, monitor, optimize and debug their connectivity hardware such as routers, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are discovered. By automating tedious management activities, ProSight WAN Watch can knock hours off ordinary chores such as making network diagrams, expanding your network, finding appliances that require critical updates, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to keep your network running efficiently by tracking the health of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT staff and your assigned Progent consultant so all potential issues can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hardware environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard data about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can save as much as half of time wasted looking for critical information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection platform (EPP) service that incorporates next-generation behavior-based analysis to guard desktops and physical and virtual servers against modern attacks such as ransomware and phishing-delivered malware, which routinely get past legacy signature-matching AV products. The service protects local and cloud resources and provides a single platform to automate the entire threat lifecycle: prevention, intrusion detection, mitigation, cleanup, and forensics. Key features include one-click rollback using Windows VSS snapshots and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and recovery services.
- Progent's Outsourced/Shared Help Center: Call Center Managed Services
Progent's Support Center managed services permit your information technology team to outsource Help Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your in-house support team and Progent's extensive roster of IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a smooth extension of your in-house IT support resources. End user access to the Help Desk, provision of support, problem escalation, ticket generation and updates, efficiency measurement, and maintenance of the support database are consistent regardless of whether issues are taken care of by your core support resources, by Progent's team, or both. Find out more about Progent's outsourced/shared Help Desk services.
- Patch Management: Patch Management Services
Progent's managed services for software and firmware patch management offer organizations of any size a versatile and affordable solution for assessing, validating, scheduling, implementing, and tracking updates to your dynamic information network. In addition to maximizing the protection and functionality of your computer network, Progent's patch management services free up time for your IT team to focus on line-of-business initiatives and activities that derive the highest business value from your information network. Learn more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo authentication managed services incorporate Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo supports one-tap identity confirmation with iOS, Google Android, and other personal devices. Using 2FA, whenever you log into a secured application and enter your password you are requested to verify who you are on a device that only you possess and that uses a separate network channel. A wide range of devices can be utilized as this added means of authentication such as a smartphone or wearable, a hardware/software token, a landline phone, etc. You may designate multiple validation devices. To find out more about ProSight Duo identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing suite of real-time and in-depth reporting plug-ins designed to work with the industry's leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like spotty support follow-through or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For Indianapolis 24x7 Crypto-Ransomware Repair Experts, call Progent at 800-462-8800 or go to Contact Progent.