Ransomware : Your Worst Information Technology Disaster
Ransomware has become an all-too-frequent cyber pandemic that represents an extinction-level danger for organizations unprepared for an attack. Earlier iterations of ransomware such as the CrySIS, WannaCry, Locky, SamSam and MongoLock cryptoworms have been running rampant for years and still inflict damage. The latest variants, such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with the as-yet-unnamed malware that appears daily, not only encrypt online data but also attack any accessible system protection mechanisms. Files synched to cloud environments can also be ransomed. In a vulnerable environment, this can make automatic restoration impossible and effectively sets the network back to zero.
Recovering programs and data after a ransomware event becomes a race against time as the targeted organization fights to stop the spread, remove the virus, and restore business-critical operations. Because ransomware needs time to move laterally, attacks are usually launched at night or on weekends, when intrusions tend to take longer to detect. This multiplies the difficulty of rapidly assembling and organizing a knowledgeable mitigation team.
Progent offers a variety of services for protecting organizations from ransomware attacks. These include team training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security gateways with AI capabilities from SentinelOne to discover and disable zero-day threats rapidly. Progent can also provide the services of seasoned ransomware recovery professionals with the skill and commitment to redeploy a breached system as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom demand in cryptocurrency gives no assurance that ruthless criminals will respond with the keys to decrypt all your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms are often several hundred thousand dollars; for larger enterprises, the ransom can run into the millions. The alternative is to piece back together the essential components of your IT environment. Without access to usable system backups, this calls for a wide complement of skill sets, professional project management, and the ability to work non-stop until the task is complete.
For twenty years, Progent has offered expert IT services for businesses throughout the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have attained high-level certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise gives Progent the ability to knowledgeably identify critical systems, salvage the surviving parts of your network environment after a ransomware penetration, and configure them into a functioning network.
Progent's ransomware team of experts uses best-of-breed project management tools to coordinate the complex recovery process. Progent appreciates the urgency of working swiftly and together with a customer's management and IT team members to prioritize tasks and to put key applications back online as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Attack Recovery
A customer escalated to Progent after their network was brought down by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored cybercriminals, possibly adopting algorithms leaked from America's National Security Agency. Ryuk targets specific organizations with little or no tolerance for disruption and is among the most lucrative iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago with around 500 employees. The Ryuk penetration had disabled all essential business and manufacturing processes. Most of the client's backups had been directly accessible from the network at the time of the attack and were destroyed. The client was pursuing financing to pay the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but in the end engaged Progent.
"I cannot say enough about the support Progent gave us during the most fearful time of (our) business's existence. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent group gave us. The fact that you could get our e-mail and production applications back on-line sooner than a week was something I thought impossible. Every single consultant I got help from or communicated with at Progent was totally committed to getting us restored and was working 24/7 on our behalf."
Progent worked with the client to rapidly assess and prioritize the mission-critical applications that had to be addressed in order to resume departmental operations:
- Windows Active Directory
- E-Mail
- Financials/MRP
To start, Progent followed ransomware incident response best practices by stopping lateral movement and performing malware removal. Progent then began recovering Active Directory, the core of enterprise environments built on Microsoft Windows technology. Exchange email will not operate without Active Directory, and the client's financials and MRP applications ran on SQL Server, which depends on Active Directory for authentication to the database.
Within two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then rebuilt essential systems and recovered their storage. All Exchange Server connections and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to locate unencrypted OST files (Outlook Offline Folder Files) on staff workstations to recover mail data. A recent offline backup of the client's accounting systems made it possible to bring these vital services back online. Although significant work remained to recover completely from the Ryuk damage, essential services were restored rapidly:
"For the most part, the assembly line operation did not miss a beat and we delivered all customer shipments."
Over the next few weeks, important milestones in the restoration project were completed in close collaboration between Progent team members and the client:
- Self-hosted web applications were restored with no loss of information.
- The MailStore Exchange Server, holding more than 4 million historical messages, was restored to operation and made available to users.
- CRM, Orders, Invoices, Accounts Payable, Accounts Receivable (AR), and Inventory modules were completely recovered.
- A new Palo Alto 850 security appliance was brought online.
- Nearly all of the desktop computers were back in use by staff.
"So much of what happened that first week is nearly entirely a blur for me, but our team will not forget the dedication each of the team put in to give us our company back. I have utilized Progent for the past ten years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This time was no exception but maybe more Herculean."
Conclusion
A likely business-killing catastrophe was averted thanks to top-tier experts, a wide spectrum of IT skills, and tight teamwork. Although in retrospect the ransomware penetration detailed here should have been blocked by advanced security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, and appropriate procedures for backup and software patching, the reality is that state-sponsored hackers from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware incursion, you can be confident that Progent's roster of experts has extensive experience in crypto-ransomware blocking, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), thank you for allowing me to get rested after we got through the initial push. Everyone did a fabulous effort, and if anyone is in the Chicago area, dinner is on me!"
To review or download a PDF version of this customer case study, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Buffalo a range of remote monitoring and security assessment services to help you minimize your exposure to ransomware. These services incorporate next-generation artificial intelligence technology to uncover zero-day strains of crypto-ransomware that can get past legacy signature-based anti-virus solutions.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to keep your IT system running at peak levels by tracking the health of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so that any looming problems can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a unified, cloud-based solution for managing your network, server, and desktop devices by providing an environment for performing common tedious tasks. These can include health checking, patch management, automated repairs, endpoint configuration, backup and restore, anti-virus protection, remote access, built-in and custom scripts, asset inventory, endpoint status reporting, and troubleshooting assistance. When ProSight LAN Watch with NinjaOne RMM spots a serious incident, it transmits an alarm to your designated IT staff and your assigned Progent technical consultant so that emerging issues can be fixed before they interfere with productivity. Learn more details about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring services.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, reconfigure and debug their connectivity hardware such as routers, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are always updated, copies and manages the configuration of virtually all devices on your network, tracks performance, and sends alerts when issues are discovered. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, locating devices that need critical updates, or resolving performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of in-depth management reporting tools created to integrate with leading ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and color coding to surface and contextualize key issues such as spotty support follow-through or machines with out-of-date anti-virus software. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has worked with leading backup software companies to create ProSight Data Protection Services, a family of subscription-based management offerings that provide backup-as-a-service. ProSight DPS services automate and track your data backup operations and enable transparent backup and fast restoration of important files/folders, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss caused by equipment breakdown, natural calamities, fire, cyber attacks like ransomware, user mistakes, malicious insiders, or software glitches. Managed backup services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these fully managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security vendors to provide centralized management and comprehensive protection for all your email traffic. The layered structure of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway device to offer complete defense against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email before it reaches your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further level of inspection for incoming email. For outgoing email, the local security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to defend against password theft by using two-factor authentication (2FA). Duo enables single-tap identity verification with iOS, Android, and other out-of-band devices. Using 2FA, whenever you log into a secured online account and enter your password you are requested to confirm who you are via a device that only you have and that uses a different network channel. A wide selection of devices can be used as this second form of authentication including a smartphone or watch, a hardware token, a landline telephone, etc. You may register multiple verification devices. For details about ProSight Duo identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.
- Outsourced/Co-managed Help Center: Support Desk Managed Services
Progent's Help Desk managed services enable your IT staff to offload Call Center services to Progent or divide activity for Service Desk support transparently between your internal network support group and Progent's nationwide pool of IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a seamless extension of your corporate support team. User interaction with the Help Desk, delivery of support, issue escalation, trouble ticket generation and updates, performance measurement, and management of the support database are cohesive regardless of whether incidents are taken care of by your in-house IT support group, by Progent, or by a combination. Read more about Progent's outsourced/co-managed Call Desk services.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection service that uses cutting-edge behavior-based analysis tools to guard endpoint devices as well as servers and VMs against modern malware assaults like ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. Progent's Active Security Monitoring services safeguard on-premises and cloud resources and provide a single platform to address the complete threat lifecycle, including blocking, identification, containment, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Learn more about Progent's ransomware defense and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard information about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By cleaning up and organizing your network documentation, you can save up to half of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management provides a common location for storing and sharing all documents related to managing your network infrastructure, such as standard operating procedures and how-to guides. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require when you need it. Read more about ProSight IT Asset Management service.
- Patch Management: Patch Management Services
Progent's managed services for patch management provide businesses of any size a flexible and affordable solution for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information network. Besides optimizing the protection and functionality of your computer network, Progent's software/firmware update management services free up time for your IT staff to concentrate on more strategic projects and tasks that derive the highest business value from your network. Find out more about Progent's software/firmware update management services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to a different hosting environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior machine learning tools to defend physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to automate the complete threat progression including protection, identification, mitigation, cleanup, and forensics. Top features include one-click rollback with Windows VSS and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge tools incorporated within a single agent accessible from a unified console. Progent's security and virtualization consultants can help you to plan and implement a ProSight ESP deployment that meets your organization's unique requirements and that allows you to demonstrate compliance with government and industry data security regulations. Progent will assist you to specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent's consultants can also assist you to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.
For 24-Hour Buffalo CryptoLocker Cleanup Consulting, contact Progent at 800-462-8800 or go to Contact Progent.