Ransomware: Your Crippling IT Disaster
Ransomware has become a too-frequent cyber pandemic that poses an enterprise-level threat to businesses unprepared for an attack. Different iterations of crypto-ransomware such as Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been around for a long time and still cause havoc. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, as well as daily unnamed variants, not only encrypt online data files but also infiltrate every system backup that is reachable from the compromised network. Files synchronized to cloud environments can also be ransomed. In a vulnerable system, this can make any restoration impossible and effectively knocks the entire environment back to square one.
Retrieving applications and information after a crypto-ransomware intrusion becomes a race against the clock as the targeted business fights to stop the spread, eradicate the crypto-ransomware, and restore business-critical activity. Because ransomware needs time to spread through a network, attacks are usually launched during weekends and at night, when a successful intrusion may take longer to identify. This multiplies the difficulty of promptly marshalling and coordinating a capable response team.
Progent makes available an assortment of services for protecting enterprises from ransomware penetrations. Among these are user education to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of the latest generation of security gateways with AI technology from SentinelOne to identify and extinguish zero-day threats intelligently. Progent in addition offers the assistance of experienced ransomware recovery professionals with the skill and commitment to re-deploy a breached environment as urgently as possible.
Progent's Ransomware Recovery Help
Subsequent to a crypto-ransomware attack, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that the cyber criminals will return the keys needed to decrypt any or all of your files. Kaspersky ascertained that seventeen percent of ransomware victims never restored their files after having paid the ransom, resulting in further losses. The cost is also high. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET determined to be around $13,000. The alternative is to re-install the critical components of your Information Technology environment. Without full system backups available, this requires a broad complement of skills, professional team management, and the ability to work continuously until the job is completed.
For twenty years, Progent has provided professional Information Technology services for businesses in Bellevue and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded top industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security experts have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the skills to rapidly understand critical systems and consolidate the remaining components of your Information Technology system following a ransomware event and rebuild them into a functioning network.
Progent's security group uses state-of-the-art project management systems to coordinate the sophisticated recovery process. Progent knows the importance of working swiftly and in unison with a client's management and Information Technology staff to assign priority to tasks and to get the most important services back on-line as fast as humanly possible.
Client Case Study: A Successful Ransomware Intrusion Restoration
A small business escalated to Progent after their company was attacked by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored cybercriminals, possibly adopting technology leaked from America's NSA. Ryuk targets specific businesses with little room for operational disruption and is one of the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with about 500 employees. The Ryuk intrusion had brought down all business operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the time of the intrusion and were damaged. The client was evaluating paying the ransom (in excess of $200,000) and hoping for the best, but ultimately engaged Progent.
"I cannot thank you enough for the care Progent gave us during the most fearful period of (our) business's life. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent group afforded us. That you were able to get our messaging and key servers back into operation quicker than a week was something I thought impossible. Each expert I worked with or messaged at Progent was amazingly focused on getting our company operational and was working at breakneck pace to bail us out."
Progent worked together with the customer to quickly identify and prioritize the key services that needed to be addressed in order to restart company functions:
- Windows Active Directory
- Electronic Mail
To get going, Progent adhered to anti-malware incident mitigation best practices by halting lateral movement and cleaning up compromised systems. Progent then began the work of rebuilding Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server email will not operate without Active Directory, and the customer's accounting and MRP software relied on SQL Server, which uses Windows AD to authenticate access to the data.
In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and hard drive recovery of needed applications. All Microsoft Exchange Server schema and configuration information was intact, which greatly helped the restoration of Exchange. Progent was able to gather the local OST files (Microsoft Outlook Offline Folder Files) on team desktop computers and laptops in order to recover mail data. A reasonably recent offline backup of the client's financials/MRP systems made it possible to bring these essential programs back online. Although major work remained to recover fully from the Ryuk virus, critical systems were recovered quickly:
"For the most part, the assembly line operation ran fairly normal throughout and we did not miss any customer deliverables."
Throughout the following month, critical milestones in the restoration process were reached through tight collaboration between Progent engineers and the customer:
- In-house web applications were restored without losing any information.
- The MailStore Exchange Server containing more than 4 million historical emails was spun up and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory modules were 100 percent operational.
- A new Palo Alto Networks 850 firewall was deployed.
- Most of the user PCs were back in operation.
"Much of what occurred in the initial days is nearly entirely a fog for me, but I will not forget the urgency all of the team accomplished to help get our company back. I have entrusted Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This situation was no exception but maybe more Herculean."
A potential enterprise-killing catastrophe was averted thanks to results-oriented professionals, a wide spectrum of technical expertise, and tight collaboration. In hindsight, the crypto-ransomware attack described here could have been identified and prevented with advanced security systems and recognized best practices: team education, well thought out incident response procedures, information protection, and timely application of software patches. The reality remains, however, that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incident, remember that Progent's roster of experts has proven experience in ransomware virus blocking, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), I'm grateful for allowing me to get rested after we got over the initial push. Everyone did an incredible job, and if any of your guys are in the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Bellevue a range of online monitoring and security evaluation services to help you minimize the threat from ransomware. These services incorporate next-generation machine learning technology to detect new strains of crypto-ransomware that are able to escape detection by legacy signature-based anti-virus products.
For Bellevue 24x7 CryptoLocker Removal Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting-edge behavior-based machine learning tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and fileless exploits, which easily evade traditional signature-based anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to automate the complete threat progression including filtering, infiltration detection, mitigation, remediation, and forensics. Top features include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring of and response to security assaults from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies packaged within one agent managed from a single console. Progent's data protection and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that meets your company's unique needs and that allows you to achieve and demonstrate compliance with legal and industry information protection regulations. Progent will assist you to define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require urgent attention. Progent can also help you to set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with leading backup software companies to produce ProSight Data Protection Services, a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup processes and allow non-disruptive backup and fast recovery of important files, apps, images, and VMs. ProSight DPS helps your business recover from data loss resulting from hardware breakdown, natural disasters, fire, malware like ransomware, user mistakes, ill-intentioned employees, or application glitches. Managed services in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security vendors to deliver web-based control and world-class security for all your inbound and outbound email. The layered architecture of Progent's Email Guard integrates cloud-based filtering with a local gateway device to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. The cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to external threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway device adds a further layer of analysis for incoming email. For outbound email, the onsite security gateway provides AV and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Exchange Server to monitor and protect internal email traffic that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map, monitor, enhance and troubleshoot their connectivity appliances such as routers, switches, firewalls, and access points, plus servers, client computers and other devices. Using state-of-the-art RMM technology, WAN Watch ensures that network maps are kept current, captures and manages the configuration of virtually all devices on your network, monitors performance, and sends alerts when issues are detected. By automating tedious management and troubleshooting processes, WAN Watch can cut hours off common tasks such as making network diagrams, expanding your network, finding appliances that need critical updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your IT system running at peak levels by tracking the state of critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT personnel and your Progent engineering consultant so that all potential problems can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be moved immediately to a different hardware environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect data related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as half of the time spent trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Find out more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection managed service that utilizes next-generation behavior-based machine learning technology to guard endpoints as well as servers and VMs against new malware attacks such as ransomware and email phishing, which routinely escape traditional signature-matching anti-virus products. Progent ASM services protect on-premises and cloud-based resources and provide a single platform to automate the entire malware attack progression including filtering, identification, mitigation, cleanup, and forensics. Key capabilities include single-click rollback with the Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Call Desk: Help Desk Managed Services
Progent's Help Center services enable your information technology team to offload Help Desk services to Progent or to split responsibilities for Service Desk support transparently between your internal network support team and Progent's extensive roster of IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a smooth supplement to your in-house support organization. Client interaction with the Help Desk, delivery of technical assistance, issue escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the support database are consistent regardless of whether issues are resolved by your core IT support organization, by Progent's team, or by a mix of the two. Learn more about Progent's outsourced/shared Service Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management offer organizations of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, applying, and documenting updates to your ever-evolving information system. Besides optimizing the security and reliability of your computer network, Progent's patch management services allow your in-house IT team to concentrate on more strategic projects and activities that derive maximum business value from your information network. Find out more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo MFA services incorporate Cisco's Duo cloud technology to protect against password theft by using two-factor authentication (2FA). Duo supports single-tap identity verification with iOS, Android, and other out-of-band devices. With 2FA, when you log into a secured application and enter your password, you are requested to verify your identity on a device that only you possess and that is reached over a separate network channel. A wide selection of devices can be used as this added form of identity validation, including a smartphone or wearable, a hardware or software token, or a landline phone. You can designate multiple verification devices. For details about Duo two-factor identity authentication services, see Duo MFA two-factor authentication services for access security.