Ransomware: Your Worst Information Technology Disaster
Ransomware has become an escalating cyber pandemic that presents an enterprise-level threat to businesses poorly prepared for an attack. Older ransomware families such as Reveton, CryptoWall, Locky, SamSam and MongoLock have been circulating for years and still cause havoc. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nephilim, along with additional unnamed malware, not only encrypt online data but also seek out and corrupt any system backups they can reach. Data synced to cloud environments can be corrupted as well. In a vulnerable system this can render automated recovery useless and effectively knock the datacenter back to zero.
Restoring applications and data after a crypto-ransomware event becomes a race against the clock as the victim struggles to contain lateral movement, eradicate the ransomware, and resume mission-critical activity. Because ransomware needs time to move laterally, attacks are frequently launched at night, when successful intrusions tend to take longer to detect. This compounds the difficulty of quickly mobilizing and organizing a capable response team.
Progent offers a range of services to help protect businesses from ransomware attacks. These include user education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security solutions with AI technology from SentinelOne to identify and contain zero-day cyber attacks automatically. Progent can also provide expert ransomware recovery professionals with the skills and perseverance to restore a breached environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
Following a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will respond with the keys to decrypt all your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET determined to be around $13,000. The other path is to rebuild the critical components of your IT environment. Without access to complete data backups, this requires a wide complement of skill sets, well-coordinated project management, and the willingness to work continuously until the recovery project is finished.
For twenty years, Progent has provided certified expert Information Technology services to businesses in Monterrey and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold high-level certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of expertise gives Progent the skills to quickly understand critical systems, consolidate the surviving parts of your IT environment after a crypto-ransomware attack, and configure them into an operational network.
Progent's security team uses top-notch project management applications to coordinate the complicated recovery process. Progent knows the urgency of working swiftly and in unison with a client's management and IT resources to prioritize tasks and to get key applications back online as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Penetration Restoration
A small business escalated to Progent after its network was penetrated by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored criminal gangs, possibly using algorithms leaked from America's National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is among the most profitable examples of ransomware. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area with around 500 staff members. The Ryuk intrusion had frozen all essential operations and manufacturing processes. The majority of the client's system backups had been directly accessible from the network at the time of the attack and were damaged. The client was taking steps to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.
"I cannot say enough in regards to the help Progent provided us throughout the most critical time of (our) company's life. We most likely would have paid the Hackers except for the confidence the Progent team gave us. The fact that you could get our messaging and important servers back into operation in less than seven days was earth shattering. Each consultant I interacted with or e-mailed at Progent was totally committed to getting us operational and was working day and night on our behalf."
Progent worked hand in hand with the client to rapidly identify and prioritize the most important elements that had to be recovered in order to restart departmental functions:
- Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident mitigation best practices by halting lateral movement and cleaning systems of malware. Progent then began rebuilding Microsoft Active Directory (AD), the core of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not operate without Windows AD, and the client's MRP software used SQL Server, which depends on Windows AD for authentication and authorization to the data.
Within 2 days, Progent had rebuilt Windows Active Directory to its pre-intrusion state. Progent then performed rebuilding and hard drive recovery of key servers. All Microsoft Exchange Server schema and attributes were intact, which simplified the restore of Exchange. Progent was able to find unencrypted OST files (Outlook Offline Folder files) on staff workstations and used them to recover email data. A recent offline backup of the customer's accounting/MRP software made it possible to bring these essential applications back online for users. Although substantial work remained to recover fully from the Ryuk event, essential systems were returned to operation quickly:
"For the most part, the production line operation ran fairly normal throughout and we delivered all customer orders."
Over the following few weeks, key milestones in the recovery were reached in close collaboration between Progent engineers and the client:
- In-house web sites were restored without losing any data.
- The MailStore Exchange Server containing more than 4 million historical emails was brought on-line and accessible to users.
- CRM/Customer Orders/Invoicing/AP/AR/Inventory functions were 100 percent restored.
- A new Palo Alto Networks 850 firewall was brought online.
- Most of the user desktops and notebooks were functioning as before the incident.
"Much of what was accomplished those first few days is nearly entirely a blur for me, but we will not forget the commitment all of the team accomplished to give us our company back. I've trusted Progent for the past 10 years, possibly more, and every time Progent has come through and delivered. This situation was a testament to your capabilities."
A likely business disaster was averted through hard-working experts, a wide array of knowledge, and close teamwork. In hindsight, the ransomware incident described here should have been prevented with modern cybersecurity solutions and security best practices, user training, and well thought out incident response procedures for data backup and keeping systems current with security patches; the reality, however, is that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware incident, remember that Progent's roster of experts has substantial experience in ransomware blocking, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get some sleep after we got past the initial fire. All of you did an amazing job, and if anyone that helped is around the Chicago area, dinner is on me!"
To read or download a PDF version of this customer story, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Monterrey a variety of remote monitoring and security assessment services designed to help you reduce the threat from ransomware. These services incorporate next-generation machine learning technology to uncover zero-day variants of crypto-ransomware that can escape detection by legacy signature-based security products.
For 24x7x365 Monterrey Crypto-Ransomware Remediation Support Services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses SentinelOne's next-generation behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely evade traditional signature-matching AV products. ProSight ASM protects local and cloud-based resources and provides a single platform to manage the entire threat progression including blocking, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and react to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge tools packaged within one agent managed from a single console. Progent's security and virtualization consultants can help your business plan and configure a ProSight ESP deployment that addresses your company's unique needs and allows you to prove compliance with legal and industry information security regulations. Progent will help you define and configure the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent can also help your company set up and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has worked with leading backup/restore technology companies to produce ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS products manage and track your data backup operations and allow non-disruptive backup and rapid recovery of vital files/folders, applications, images, and VMs. ProSight DPS helps you protect against data loss caused by hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, human error, malicious employees, or software glitches. Managed services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of leading data security vendors to provide web-based management and comprehensive security for all your inbound and outbound email. The hybrid structure of Email Guard integrates cloud-based filtering with an on-premises gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most threats from reaching your security perimeter. This reduces your exposure to external threats and saves system bandwidth and storage space. Email Guard's onsite gateway device provides a further layer of inspection for incoming email. For outgoing email, the onsite gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to diagram, track, reconfigure and troubleshoot their networking hardware like switches, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are kept current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when issues are discovered. By automating tedious network management processes, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, expanding your network, locating devices that require critical software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management techniques to keep your IT system running efficiently by tracking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT staff and your assigned Progent engineering consultant so that any looming problems can be addressed before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported immediately to a different hardware solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard information about your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save as much as 50% of time spent looking for vital information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents related to managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection solution that uses cutting-edge behavior-based machine learning technology to defend endpoint devices, servers and VMs against modern malware attacks like ransomware and fileless exploits, which routinely escape legacy signature-matching anti-virus tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and provide a unified platform to address the entire threat progression including protection, infiltration detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Help Desk: Call Center Managed Services
Progent's Support Desk services allow your IT staff to outsource Support Desk services to Progent or divide responsibilities for support services seamlessly between your internal support staff and Progent's extensive roster of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a smooth supplement to your core support group. End user interaction with the Help Desk, provision of support, escalation, ticket generation and tracking, efficiency measurement, and management of the support database are cohesive regardless of whether issues are resolved by your internal IT support staff, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Service Desk services.
- Patch Management: Patch Management Services
Progent's managed services for patch management offer businesses of any size a versatile and affordable alternative for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic IT network. In addition to maximizing the protection and functionality of your computer environment, Progent's patch management services permit your IT team to focus on line-of-business projects and activities that derive the highest business value from your information network. Find out more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo MFA services use Cisco's Duo technology to protect against compromised passwords by means of two-factor authentication (2FA). Duo supports single-tap identity verification on iOS, Android, and other out-of-band devices. With 2FA, when you log into a secured online account and enter your password, you are asked to confirm your identity on a device that only you possess and that uses a separate ("out-of-band") network channel. A wide selection of out-of-band devices can serve as this added means of authentication, such as a smartphone or watch, a hardware or software token, or a landline phone. You can register several verification devices. For more information about ProSight Duo identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services.