Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an escalating cyberplague that presents an enterprise-level threat for organizations vulnerable to an assault. Different iterations of ransomware such as CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for years and continue to cause destruction. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, as well as many unnamed variants, not only encrypt online files but also infiltrate any system backup they can reach. Data synched to off-site disaster recovery sites can also be corrupted. With a vulnerable data protection solution, this can render automated recovery impossible and effectively set the entire system back to zero.
Restoring programs and information following a ransomware intrusion becomes a sprint against time as the victim struggles to stop the spread, remove the malware, and resume enterprise-critical operations. Because crypto-ransomware needs time to move laterally, attacks are usually launched on weekends, when a successful penetration may take longer to recognize. This compounds the difficulty of rapidly marshalling and orchestrating an experienced response team.
Progent provides a variety of solutions for securing organizations from crypto-ransomware events. These include staff education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of next-generation security appliances with machine learning capabilities from SentinelOne to discover and quarantine zero-day threats automatically. Progent also can provide the services of expert ransomware recovery engineers with the talent and commitment to restore a breached network as quickly as possible.
Progent's Ransomware Recovery Services
Following a ransomware penetration, paying the ransom in cryptocurrency does not ensure that the criminal gang will provide the keys to decrypt all your information. Kaspersky Labs determined that 17% of ransomware victims never restored their files after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms are often a few hundred thousand dollars. For larger organizations, the ransom demand can reach millions. The other path is to rebuild the mission-critical components of your IT environment. Without complete data backups, this requires a broad complement of skill sets, top-notch team management, and the willingness to work 24x7 until the recovery project is complete.
For decades, Progent has provided expert Information Technology services for businesses throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent in addition has experience with financial management and ERP software solutions. This breadth of expertise provides Progent the skills to rapidly understand important systems and integrate the surviving parts of your Information Technology environment after a ransomware penetration and rebuild them into a functioning network.
Progent's security team utilizes powerful project management tools to coordinate the complicated recovery process. Progent knows the importance of working quickly and in concert with a client's management and Information Technology team members to assign priority to tasks and to get the most important applications back on-line as fast as possible.
Case Study: A Successful Ransomware Penetration Response
A small business contacted Progent after their network was penetrated by the Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean state criminal gangs, suspected of using algorithms leaked from the U.S. NSA. Ryuk targets specific businesses with limited tolerance for operational disruption and is one of the most profitable versions of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company located in Chicago with about 500 employees. The Ryuk event had shut down all essential operations and manufacturing capabilities. Most of the client's backups were directly reachable from the network at the start of the intrusion and were damaged. The client was evaluating paying the ransom demand (more than $200,000) and hoping for the best, but ultimately turned to Progent.
"I cannot speak enough in regards to the care Progent gave us throughout the most stressful period of (our) company's life. We may have had to pay the cybercriminals except for the confidence the Progent team afforded us. The fact that you could get our e-mail and production servers back on-line in less than 1 week was beyond my wildest dreams. Each staff member I interacted with or communicated with at Progent was laser focused on getting our company operational and was working at breakneck pace on our behalf."
Progent worked hand in hand with the client to rapidly identify and prioritize the essential services that had to be addressed before company operations could resume:
- Active Directory (AD)
- E-Mail
- Accounting and Manufacturing Software
To begin, Progent followed incident response best practices by halting lateral movement and disinfecting systems. Progent then began the process of restoring Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server messaging will not work without Windows AD, and the customer's financials and MRP applications used Microsoft SQL Server, which relies on Active Directory for authentication and authorization of access to the data.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with reinstallations and hard drive recovery of essential systems. All Exchange Server data and configuration information were intact, which accelerated the restoration of Exchange. Progent was also able to collect local OST files (Microsoft Outlook Offline Folder Files) from staff desktop computers in order to recover email information. A recent offline backup of the customer's accounting/MRP systems, which the ransomware could not reach, allowed these vital services to be restored and made available to users. Although a lot of work still had to be done to recover completely from the Ryuk damage, core systems were recovered rapidly:
"For the most part, the production line operation was never shut down and we delivered all customer shipments."
Over the following couple of weeks, important milestones in the restoration project were reached in close cooperation between Progent team members and the client:
- Internal web applications were restored with no loss of data.
- The MailStore archive server for Exchange, holding more than four million archived messages, was brought back online and made accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory modules were fully recovered.
- A new Palo Alto Networks 850 security appliance was set up.
- Ninety percent of the desktops and laptops were back in operation.
"Much of what occurred in the initial days is nearly entirely a blur for me, but my management will not soon forget the commitment each and every one of you put in to help get our company back. I've been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This situation was a Herculean accomplishment."
Conclusion
A likely business-killing disaster was averted with hard-working experts, a wide array of IT skills, and close teamwork. Although the post-incident forensics concluded that the ransomware incident described here would have been stopped by current cyber security technology and recognized best practices, staff education, appropriate incident response procedures, protected backups, and proper patching controls, the fact remains that state-sponsored hackers from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incident, remember that Progent's team of professionals has substantial experience in ransomware blocking, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get rested after we made it through the first week. All of you made an impressive effort, and if anyone that helped is visiting the Chicago area, a great meal is on me!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Lubbock a variety of remote monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence technology to uncover new strains of crypto-ransomware that can escape detection by traditional signature-based security solutions.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to keep your network running efficiently by checking the state of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your designated IT management personnel and your Progent consultant so any potential issues can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight LAN Watch with NinjaOne RMM: Centralized RMM Solution for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-based platform for monitoring and managing your client-server infrastructure by offering an environment for streamlining common time-consuming tasks. These can include health checking, update management, automated repairs, endpoint configuration, backup and recovery, A/V protection, remote access, built-in and custom scripts, asset inventory, endpoint status reports, and debugging help. If ProSight LAN Watch with NinjaOne RMM spots a serious incident, it sends an alert to your specified IT management personnel and your Progent technical consultant so that emerging issues can be fixed before they interfere with your network. Find out more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring consulting.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller organizations to map out, track, reconfigure and debug their connectivity hardware like routers and switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Using cutting-edge RMM technology, WAN Watch makes sure that network maps are always updated, copies and displays the configuration information of almost all devices connected to your network, monitors performance, and generates notices when problems are discovered. By automating time-consuming management processes, WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, finding appliances that need important updates, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding family of in-depth management reporting tools created to work with the top ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore technology providers to create ProSight Data Protection Services, a family of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS products manage and monitor your data backup processes and enable transparent backup and rapid recovery of critical files/folders, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss caused by hardware failures, natural calamities, fire, cyber attacks like ransomware, human mistakes, malicious insiders, or software glitches. Managed backup services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security vendors to provide web-based control and comprehensive protection for your inbound and outbound email. The hybrid architecture of Email Guard combines a Cloud Protection Layer with a local security gateway device to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. The cloud filter serves as a first line of defense and blocks most threats from reaching your security perimeter. This decreases your vulnerability to external attacks and saves network bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper layer of inspection for incoming email. For outgoing email, the onsite gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and protect internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication. Duo supports one-tap identity confirmation with iOS, Google Android, and other out-of-band devices. With 2FA, whenever you sign into a protected application and enter your password you are asked to confirm your identity via a device that only you have and that is reached over a different network channel. A wide selection of out-of-band devices can be used for this added means of identity validation, including an iPhone, an Android phone or a smartwatch, a hardware or software token, a landline telephone, etc. You may register multiple verification devices. To learn more about Duo identity validation services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.
- Outsourced/Co-managed Service Desk: Help Desk Managed Services
Progent's Support Center managed services allow your IT group to offload Help Desk services to Progent or split responsibilities for Help Desk services seamlessly between your internal network support resources and Progent's nationwide pool of certified IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a seamless supplement to your internal network support organization. Client access to the Service Desk, provision of support, issue escalation, trouble ticket creation and updates, performance measurement, and maintenance of the support database are cohesive regardless of whether issues are taken care of by your in-house network support group, by Progent's team, or a mix of the two. Read more about Progent's outsourced/shared Help Desk services.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes next-generation behavior-based machine learning tools to defend endpoints as well as servers and VMs against new malware assaults like ransomware and file-less exploits, which easily evade traditional signature-matching AV products. Progent ASM services protect on-premises and cloud resources and provide a single platform to manage the entire threat lifecycle including filtering, detection, containment, remediation, and forensics. Key capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against new threats. Read more about Progent's ransomware defense and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect information about your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as half of the time spent searching for critical information about your network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents related to managing your business network, like recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about ProSight IT Asset Management service.
- Progent's Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer businesses of any size a versatile and affordable alternative for assessing, testing, scheduling, applying, and tracking updates to your ever-evolving IT system. Besides optimizing the security and reliability of your IT environment, Progent's patch management services allow your IT staff to concentrate on more strategic initiatives and activities that derive maximum business value from your information network. Read more about Progent's software/firmware update management support services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure, fault-tolerant data center on a fast virtual host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hardware solution without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely escape legacy signature-matching AV products. ProSight ASM protects local and cloud resources and provides a single platform to address the complete threat progression including filtering, detection, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection (ESP) services offer affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge tools packaged within one agent accessible from a single console. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP deployment that addresses your company's specific requirements and that allows you to demonstrate compliance with legal and industry data protection regulations. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent can also assist you to install and verify a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.
For Lubbock 24x7x365 Ransomware Removal Consultants, contact Progent at 800-462-8800 or go to Contact Progent.