Crypto-Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic and presents an enterprise-level threat to organizations that are poorly prepared for an attack. Multiple generations of ransomware, including CrySIS, Fusob, Locky, SamSam and MongoLock, have been circulating for years and continue to cause damage. More recent crypto-ransomware families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim, along with variants that have not yet been named, do more than encrypt online data files: before encrypting, they typically delete Volume Shadow Copies and Windows restore points and encrypt or wipe any backups reachable from the compromised network. Data synchronized to cloud storage can be ransomed the same way, because the sync client faithfully uploads the encrypted versions. In a vulnerable environment this makes automated restore operations useless and effectively sets the datacenter back to square one.
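The shadow-copy and backup destruction described above is visible in endpoint telemetry before any file is encrypted. The following detection logic is an added example written for this page (it is not Progent's or SentinelOne's code); it runs a small set of rules over Windows process-creation records and lists the hosts to isolate. The hostnames, accounts and command lines are constructed for the example.

```python
"""Detect the recovery-tampering commands that precede ransomware encryption.

Added example for this page, not Progent's or SentinelOne's tooling. It scans
Windows process-creation records (fields modelled on Sysmon Event ID 1 /
Security event 4688) for commands that delete Volume Shadow Copies, wipe the
Windows backup catalog or disable automatic recovery. Ryuk, Conti and similar
families run these before encrypting, which is what makes online restores and
backups useless. Hostnames, users and command lines below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # executable path as logged
    command_line: str   # full command line as logged


def normalise(command_line: str) -> str:
    """Lower-case, strip quoting and collapse whitespace so the patterns tolerate
    the mixed case and quoting seen in real command lines."""
    text = command_line.lower().replace('"', "").replace("'", "")
    return " ".join(text.split())


# (rule name, pattern applied to the normalised command line).
# All of these map to MITRE ATT&CK T1490, Inhibit System Recovery.
RULES = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vss_shrink_storage",  # shrinking shadow storage silently evicts snapshots
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize=")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete_backups",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("powershell_shadowcopy_delete",
     re.compile(r"\b(get-wmiobject|gwmi|get-ciminstance)\b.*\bwin32_shadowcopy\b.*\b(delete|remove)\b")),
]


def match_rules(command_line: str) -> list[str]:
    """Names of every rule that fires on one command line (empty if benign)."""
    text = normalise(command_line)
    return [name for name, pattern in RULES if pattern.search(text)]


def scan(events: list[ProcessEvent]) -> list[dict]:
    """One finding per (event, rule) pair, keeping the raw command line for the analyst."""
    findings = []
    for ev in events:
        for rule in match_rules(ev.command_line):
            findings.append({"host": ev.host, "user": ev.user, "image": ev.image,
                             "rule": rule, "command_line": ev.command_line})
    return findings


def hosts_to_isolate(findings: list[dict]) -> list[str]:
    """Hosts with any hit. Recovery tampering usually runs minutes before mass
    encryption starts, so these are candidates for immediate network isolation."""
    return sorted({f["host"] for f in findings})


# Constructed sample telemetry: a workstation where an intruder prepares to encrypt,
# and a file server where a backup job runs a benign vssadmin query.
SAMPLE_EVENTS = [
    ProcessEvent("WS-ACCT-07", "CORP\\jdoe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent("WS-ACCT-07", "CORP\\jdoe", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic shadowcopy delete"),
    ProcessEvent("WS-ACCT-07", "CORP\\jdoe", r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} recoveryenabled No"),
    ProcessEvent("WS-ACCT-07", "CORP\\jdoe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ProcessEvent("FILESRV01", "CORP\\svc_backup", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows"),
    ProcessEvent("FILESRV01", "CORP\\jdoe", r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin DELETE CATALOG -quiet"),
    ProcessEvent("FILESRV01", "CORP\\jdoe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'),
]


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:<11} {f['rule']:<28} {f['command_line']}")
    print("isolate:", ", ".join(hosts_to_isolate(hits)))
```

To use it on real data, build ProcessEvent records from the CommandLine field of exported Sysmon or 4688 events. A single hit from any account other than a known backup service is worth isolating the host over, because the next step in the intrusion is usually mass encryption; the benign `vssadmin list shadows` query in the sample shows that read-only shadow-copy commands do not trigger the rules.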
Recovering applications and data after a crypto-ransomware intrusion is a race against the clock as the victim struggles to stop lateral movement, remove the ransomware, and restore business-critical operations. Because crypto-ransomware takes time to spread, the encryption phase is often triggered on weekends or holidays, when intrusions typically take longer to notice. This compounds the difficulty of quickly assembling and coordinating a capable response team.
Progent offers a range of services for protecting businesses from crypto-ransomware intrusions. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment and configuration of current-generation endpoint security from SentinelOne, whose behavioral AI models are designed to identify and contain zero-day threats quickly. Progent also offers seasoned crypto-ransomware recovery engineers with the skills and persistence to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the attackers will respond with keys that decrypt all of your data. Kaspersky Lab reported that seventeen percent of ransomware victims who paid never recovered their data, compounding their losses. The gamble is also expensive: Ryuk ransoms are typically a few hundred thousand dollars, and for larger enterprises the demand can run into the millions. The alternative is to rebuild the essential parts of your IT environment. Without complete, uncompromised backups, this requires a wide range of skills, top-notch team management, and the ability to work around the clock until the job is done.
For twenty years, Progent has provided expert IT services to businesses throughout the United States and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants with advanced industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity experts hold internationally recognized certifications including CISA, CISSP, CRISC, GIAC, and CMMC 2.0 (refer to Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of experience lets Progent quickly identify the critical systems, salvage the surviving parts of your network after a crypto-ransomware intrusion, and rebuild them into a functioning environment.
Progent's ransomware team uses project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting rapidly and works with the client's management and IT staff to prioritize tasks and bring essential applications back online as fast as humanly possible.
Case Study: A Successful Ransomware Recovery
A client contacted Progent after their company was shut down by Ryuk ransomware. Ryuk was initially linked to North Korean state actors because it shares code with the earlier Hermes ransomware, but subsequent research attributed its operation to a Russian-speaking criminal group. Ryuk is deployed by hand against specific businesses with little ability to tolerate disruption and is among the most lucrative ransomware operations to date. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago with about 500 employees. The Ryuk event had halted all company operations and manufacturing. Most of the client's backups were online and reachable from the compromised network at the time of the attack, and they were encrypted along with everything else. The client was considering paying the ransom (more than $200,000) and hoping for the best, but ultimately engaged Progent.
"I cannot say enough in regard to the help Progent gave us during the most fearful time of (our) business's survival. We would have had little choice but to pay the cyber criminals if not for the confidence the Progent team gave us. The fact that you could get our e-mail system and key servers back online in less than 1 week was earth-shattering. Every single staff member I interacted with or texted at Progent was totally committed to getting us back online and was working day and night to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the most important systems that had to be restored in order to resume company operations:
- Microsoft Active Directory
- Email
- Accounting and Manufacturing Software
To start, Progent followed malware incident response best practices: isolating affected systems to halt the spread, then removing the ransomware. Progent then began restoring Windows Active Directory, the foundation of any environment built on Microsoft Windows. Microsoft Exchange Server will not function without Active Directory, and the customer's MRP applications ran on Microsoft SQL Server, which relied on AD for authentication.
Within two days, Progent had recovered Active Directory to its pre-intrusion state. Progent then pressed ahead with rebuilding critical systems and recovering data from their disks. Because Exchange stores its organization configuration in Active Directory, all Exchange Server schema and configuration information was intact, which simplified the Exchange rebuild. Progent located unencrypted OST files (Outlook Offline Data Files) on user PCs and laptops and used them to recover email messages. A reasonably recent offline backup of the customer's accounting/MRP software, which survived precisely because it was not reachable from the compromised network, allowed those essential applications to be restored to users. Although a great deal of work remained to recover fully from the Ryuk damage, critical services were returned to operation rapidly:
"For the most part, the production manufacturing operation did not miss a beat and we made all customer deliverables."
Over the following couple of weeks, key milestones in the recovery were reached through close cooperation between Progent consultants and the customer:
- Self-hosted web applications were brought back up without losing any data.
- The MailStore email archive for Exchange Server, holding over four million archived messages, was brought back online and made accessible to users.
- The CRM, customer orders, invoicing, AP, accounts receivable and inventory control modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Most user workstations were functioning as they had before the incident.
"So much of what happened in the initial days is almost entirely a blur for me, but my management will not forget the care each and every one of the team put in to give us our business back. I've trusted Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered as promised. This event was a stunning achievement."
Conclusion
A likely business-ending catastrophe was averted by results-oriented experts, a broad range of knowledge, and tight collaboration. Post-incident analysis showed that the intrusion described here would very likely have been blocked by current endpoint security, user education, and sound procedures for protecting backups and applying software patches. The reality remains that state-sponsored and criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you are hit by a crypto-ransomware intrusion, you can be confident that Progent's team has substantial experience in crypto-ransomware prevention, remediation, and information systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for making it so I could get some sleep after we made it over the initial push. Everyone did an impressive job, and if anyone is visiting the Chicago area, a great meal is my treat!"
To review or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Barra da Tijuca a range of remote monitoring and security assessment services to help you reduce your exposure to ransomware. These services use modern machine learning to detect zero-day ransomware variants that evade traditional signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next-generation behavioral analysis to guard physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which routinely evade traditional signature-matching AV tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform covering the entire malware attack lifecycle: filtering, intrusion detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly identified threats. Because ransomware commonly deletes shadow copies before it starts encrypting, VSS-based rollback is only as good as the agent's ability to block that deletion and protect its snapshots, so rollback should be tested rather than assumed and should complement, not replace, offline backups. Progent is a SentinelOne partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection services offer affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavioral analysis for round-the-clock monitoring of and response to threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies incorporated in a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP deployment that addresses your company's requirements and lets you demonstrate compliance with government and industry data security standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for urgent action. Progent's consultants can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly after a destructive attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has partnered with leading backup technology vendors to produce ProSight Data Protection Services, a family of managed offerings that provide backup-as-a-service. ProSight DPS services automate and track your backup processes and allow non-disruptive backup and rapid recovery of critical files, applications, images, and VMs. ProSight DPS helps your business avoid data loss caused by hardware failures, natural disasters, fire, malware such as ransomware, user error, malicious insiders, or application bugs. Because ransomware encrypts or deletes any backup it can reach, the essential design requirement for any of these services is that at least one recent copy is kept offline or otherwise unreachable from the production network and its credentials. Managed services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you identify which of these fully managed backup services best suit your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to deliver web-based management and strong security for all your inbound and outbound email. Email Guard's architecture combines cloud-based filtering with an on-premises gateway appliance to defend against spam, viruses and other email-borne malware, denial-of-service attacks, and directory harvest attacks (DHAs). Email Guard's cloud filter acts as the first line of defense and keeps the vast majority of threats from ever reaching your network firewall, which reduces your exposure to inbound attacks and conserves bandwidth and storage. The on-site gateway appliance provides a further layer of inspection for inbound email. For outbound email, the on-premises gateway offers anti-virus and anti-spam protection, data leakage prevention (DLP), and email encryption. The on-site gateway can also help Exchange Server track and protect internal email that originates and terminates inside your security perimeter. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to diagram, track, optimize and troubleshoot their networking hardware such as routers, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always current, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating tedious network management activities, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, finding devices that require critical software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to keep your network running efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your specified IT management personnel and your Progent consultant so all looming problems can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hardware environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard data about your network infrastructure, processes, business applications, and services. You can instantly locate passwords or IP addresses and be alerted about impending expirations of SSL/TLS certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save as much as half the time wasted searching for critical information about your network. ProSight IT Asset Management provides a common location for storing and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates behavioral machine learning to guard endpoints and physical and virtual servers against new malware attacks such as ransomware and fileless exploits, which routinely evade legacy signature-based AV products. The service safeguards local and cloud resources and offers a single platform to manage the complete threat lifecycle: blocking, detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
Progent's Help Desk managed services permit your IT team to outsource Call Center services to Progent or divide responsibilities for Help Desk services seamlessly between your internal network support staff and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Co-managed Service Desk offers a smooth supplement to your core IT support staff. Client interaction with the Help Desk, provision of support services, escalation, trouble ticket generation and tracking, performance metrics, and maintenance of the service database are consistent regardless of whether incidents are resolved by your internal support group, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Call Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer organizations of all sizes a versatile and cost-effective alternative for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information system. Besides maximizing the protection and functionality of your IT environment, Progent's patch management services allow your IT team to focus on more strategic initiatives and activities that derive maximum business value from your information network. Find out more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication. Duo supports single-tap identity confirmation with iOS, Android, and other personal devices. With 2FA, when you log into a secured application and give your password you are requested to verify your identity via a device that only you possess and that is accessed using a different ("out-of-band") network channel. A wide range of out-of-band devices can be used for this added form of authentication including an iPhone or Android or wearable, a hardware/software token, a landline phone, etc. You may register multiple verification devices. To find out more about Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing suite of in-depth reporting plug-ins designed to work with the industry's leading ticketing and remote network monitoring programs, including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and uses color coding to highlight and contextualize key issues such as spotty support follow-through or endpoints with out-of-date AV. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For Barra da Tijuca 24-Hour Crypto-Ransomware Recovery Help, contact Progent at 800-462-8800 or go to Contact Progent.