Ransomware: Your Worst Information Technology Disaster
Ransomware has become a modern cyberplague that represents an extinction-level threat for businesses of all sizes that are poorly prepared for an attack. Earlier families of ransomware such as the Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms ran rampant for years and still inflict havoc. Recent variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, plus a steady stream of as-yet-unnamed newcomers, not only encrypt online data files but also corrupt system restore points and any backups reachable from the network. Data replicated to the cloud can be ransomed as well. In a poorly architected environment this can render every recovery path useless and effectively knock the network back to square one.
Recovering services and information after a ransomware attack becomes a race against time as the targeted business fights to stop lateral movement, clean up the malware, and resume enterprise-critical operations. Since ransomware takes time to spread, attacks are usually launched at night, when a successful intrusion tends to go unnoticed for longer. This compounds the difficulty of quickly mobilizing and coordinating a knowledgeable mitigation team.
Progent offers a range of services for protecting enterprises from ransomware events. These include training staff to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of SentinelOne security solutions, which use machine learning technology to identify and disable new cyber threats intelligently. Progent can also provide experienced crypto-ransomware recovery professionals with the track record and perseverance to rebuild a compromised network as urgently as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, paying the ransom in cryptocurrency provides no assurance that the cyber criminals will return the keys needed to decrypt all your files. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their information even after paying the ransom, compounding their losses. Paying is also very costly. Ryuk ransoms are often a few hundred thousand dollars, and for larger enterprises the demand can reach millions of dollars. The other path is to piece back together the critical parts of your IT environment. Without access to essential backups, this calls for a wide complement of IT skills, professional project management, and the capability to work 24x7 until the recovery is complete.
For twenty years, Progent has provided expert IT services for businesses across the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold top certifications in foundation technologies from Microsoft, Cisco and VMware, and in popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of expertise gives Progent the skills to efficiently identify critical systems, consolidate the remaining components of your IT environment following a ransomware event, and rebuild them into an operational system.
Progent's security group uses top-notch project management applications to orchestrate the complex recovery process. Progent understands the urgency of working swiftly and in concert with a customer's management and IT resources to prioritize tasks and get the most important services back online as soon as possible.
Business Case Study: A Successful Crypto-Ransomware Virus Response
A business engaged Progent after its network was attacked by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored hackers, possibly using algorithms leaked from America's National Security Agency. Ryuk targets specific businesses with limited tolerance for disruption and is one of the most lucrative examples of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company in Chicago with about 500 staff members. The Ryuk event had frozen all business operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the intrusion and were destroyed. The client was preparing to pay the ransom demand (in excess of $200,000) and hope for the best, but ultimately called Progent.
"I can't tell you enough about the help Progent gave us during the most fearful time of (our) company's existence. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent experts provided us. The fact that you could get our e-mail system and production servers back in less than seven days was incredible. Each expert I interacted with or communicated with at Progent was absolutely committed to getting us back on-line and was working at all hours to bail us out."
Progent worked with the customer to quickly identify and prioritize the critical services that had to be restored in order to continue business functions:
- Windows Active Directory
- Email
- MRP System
To begin, Progent followed incident response best practices by isolating and cleaning up compromised systems. Progent then began the task of recovering Windows Active Directory, the heart of enterprise networks built on Microsoft technology. Exchange messaging will not operate without AD, and the client's financials and MRP software used Microsoft SQL Server, which relies on Active Directory for authenticated access to the database.
Within 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then completed the rebuild and hard drive recovery of key servers. All Microsoft Exchange Server data and attributes were intact, which simplified the restore of Exchange. Progent located intact OST files (Outlook Offline Data Files) on various workstations and laptops and used them to recover email. A recent off-line backup of the business's financials/ERP software made it possible to bring these essential programs back online for users. Although a great deal of work remained to recover completely from the Ryuk attack, the most important services were returned to operation quickly:
"For the most part, the production line operation was never shut down and we produced all customer shipments."
Over the following weeks, important milestones in the restoration project were reached through close cooperation between Progent engineers and the customer:
- In-house web sites were restored with no loss of information.
- The MailStore archive of Microsoft Exchange Server email, holding more than 4 million historical messages, was restored to operation and available to users.
- CRM/Product Ordering/Invoices/AP/AR/Inventory modules were 100% operational.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- 90% of the user desktops and notebooks were back in use by staff.
"A huge amount of what transpired in the initial days is mostly a fog for me, but my team will not forget the care all of the team accomplished to help get our company back. I've been working together with Progent for the past ten years, possibly more, and every time Progent has impressed me and delivered. This event was a stunning achievement."
Conclusion
A probable business-killing disaster was averted through the efforts of dedicated professionals, a broad range of subject matter expertise, and close teamwork. In hindsight, the ransomware attack detailed here could have been identified and prevented with advanced security solutions, ISO/IEC 27001 best practices, user and IT administrator education, and appropriate incident response procedures for data backup and for keeping systems current with security patches. The reality remains, however, that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a crypto-ransomware attack, you can be confident that Progent's roster of experts has substantial experience in ransomware defense, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for allowing me to get rested after we made it through the initial fire. Everyone did an incredible job, and if any of you guys are visiting the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Indianapolis a range of online monitoring and security evaluation services designed to help you reduce your vulnerability to ransomware. These services use next-generation artificial intelligence technology to detect new variants of ransomware that can escape detection by legacy signature-based security solutions.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network running at peak levels by tracking the health of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT personnel and your assigned Progent engineering consultant so that any potential issues can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-driven platform for managing your client-server infrastructure by providing tools for performing common tedious tasks. These include health monitoring, patch management, automated remediation, endpoint deployment, backup and restore, anti-virus protection, secure remote access, standard and custom scripts, asset inventory, endpoint profile reports, and debugging assistance. If ProSight LAN Watch with NinjaOne RMM uncovers a serious problem, it sends an alert to your specified IT management personnel and your Progent technical consultant so emerging issues can be fixed before they interfere with productivity. Learn more details about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller organizations to map, monitor, enhance and debug their networking hardware like routers and switches, firewalls, and wireless controllers plus servers, client computers and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and generates notices when problems are discovered. By automating tedious management and troubleshooting processes, WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, locating devices that need critical updates, or isolating performance problems. Find out more details about ProSight WAN Watch network infrastructure management services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing family of real-time and in-depth management reporting tools created to integrate with the industry's leading ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-up or machines with out-of-date anti-virus software. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with advanced backup software companies to produce ProSight Data Protection Services, a portfolio of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your data backup processes and enable non-disruptive backup and rapid recovery of important files/folders, apps, images, and virtual machines. ProSight DPS helps you recover from data loss resulting from hardware failures, natural calamities, fire, malware such as ransomware, user error, malicious insiders, or application bugs. Managed backup services available in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security companies to provide web-based management and world-class protection for your email traffic. The hybrid structure of the Email Guard managed service combines cloud-based filtering with a local gateway appliance to offer complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further layer of analysis for incoming email. For outbound email, the local security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server track and protect internal email that originates and ends inside your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo supports single-tap identity verification with Apple iOS, Google Android, and other out-of-band devices. With 2FA, when you sign into a protected application and give your password, you are asked to verify your identity on a device that only you possess and that is reached over a different ("out-of-band") network channel. A wide range of devices can be used for this added form of identity validation, such as a smartphone or wearable, a hardware token, or a landline telephone. You may designate several validation devices. To learn more about Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
- Outsourced/Co-managed Call Center: Support Desk Managed Services
Progent's Call Center services enable your IT group to outsource Help Desk services to Progent or to divide support activity transparently between your internal network support staff and Progent's extensive pool of IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a transparent extension of your in-house support team. Client access to the Service Desk, provision of technical assistance, problem escalation, ticket creation and updates, efficiency measurement, and management of the service database are consistent regardless of whether incidents are resolved by your in-house network support resources, by Progent's team, or by a mix of the two. Read more about Progent's outsourced/shared Help Desk services.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that uses cutting-edge behavior-based machine learning technology to guard endpoint devices, servers, and VMs against new malware attacks such as ransomware and email phishing, which routinely escape traditional signature-matching anti-virus tools. Progent ASM services protect on-premises and cloud-based resources and provide a single platform to automate the entire malware attack lifecycle, including blocking, detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Find out more about Progent's ransomware protection and recovery services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect information about your network infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By updating and managing your network documentation, you can eliminate as much as 50% of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management provide businesses of all sizes a flexible and cost-effective solution for evaluating, validating, scheduling, implementing, and tracking updates to your ever-evolving information system. Besides optimizing the security and reliability of your computer environment, Progent's patch management services allow your in-house IT staff to focus on line-of-business initiatives and activities that deliver maximum business value from your network. Learn more about Progent's software/firmware update management services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based analysis tools to defend physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to address the entire malware attack lifecycle including blocking, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows VSS and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver economical multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and react to security attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP environment that meets your company's unique requirements and that allows you to achieve and demonstrate compliance with legal and industry information protection regulations. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent can also help you install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly after a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
For Indianapolis 24x7 crypto-ransomware recovery services, contact Progent at 800-462-8800 or go to Contact Progent.