Ransomware: Your Worst IT Catastrophe
Crypto-ransomware has become a modern cyber pandemic that presents an enterprise-level danger for businesses unprepared for an attack. Earlier families of ransomware such as CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for a long time and continue to cause havoc. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus additional unnamed newcomers, not only encrypt online data but also infect most reachable system restore points and backups. Data synced to off-site disaster recovery sites can be encrypted as well. In a poorly architected environment this renders automatic recovery hopeless and effectively knocks the datacenter back to zero.
Restoring services and data after a crypto-ransomware intrusion becomes a race against time as the targeted organization struggles to stop the spread, remove the ransomware, and bring mission-critical operations back. Because ransomware needs time to spread, attacks are usually launched at night, when a successful attack often takes longer to discover. This compounds the difficulty of quickly mobilizing and organizing a knowledgeable mitigation team.
Progent offers a variety of solutions for protecting organizations from ransomware attacks. These include staff education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security gateways with AI technology from SentinelOne to identify and suppress zero-day threats rapidly. Progent can also provide the assistance of veteran ransomware recovery consultants with the skills and perseverance to redeploy a breached environment as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom demand in Bitcoin does not ensure that the criminal gang will hand over the keys to decrypt any or all of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their files after paying the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to set up the essential parts of your IT environment from scratch. Without usable data backups, this requires a wide complement of skill sets, well-coordinated project management, and the willingness to work continuously until the job is completed.
For decades, Progent has provided professional IT services for companies in Monterrey and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the ability to knowledgeably identify the systems that must be recovered, organize the surviving pieces of your network following a ransomware attack, and configure them into a functioning system.
Progent's ransomware team of experts has state-of-the-art project management applications to orchestrate the complex restoration process. Progent understands the importance of acting swiftly and in concert with a client's management and IT team members to assign priority to tasks and to get key services back online as fast as humanly possible.
Client Story: A Successful Ransomware Virus Restoration
A client engaged Progent after their network was penetrated by Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state cybercriminals, possibly adopting algorithms exposed from the U.S. NSA. Ryuk targets specific companies with little tolerance for operational disruption and is among the most lucrative versions of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago with about 500 employees. The Ryuk event had shut down all company operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible from the network at the start of the intrusion and were destroyed. The client considered paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but in the end called Progent.
"I cannot speak enough about the expertise Progent provided us during the most fearful period of (our) company's existence. We most likely would have paid the Hackers if it wasn't for the confidence the Progent experts gave us. That you could get our e-mail system and important applications back in less than a week was beyond my wildest dreams. Each expert I got help from or texted at Progent was amazingly focused on getting us back on-line and was working 24 by 7 on our behalf."
Progent worked hand in hand with the customer to quickly determine and prioritize the mission-critical applications that had to be restored in order to restart business operations:
- Windows Active Directory
- Microsoft Exchange
To begin, Progent followed malware intrusion mitigation best practices by stopping lateral movement and removing active malware. Progent then began the work of bringing Microsoft Active Directory back online, since AD is the foundation of enterprise networks built on Windows Server technology. Microsoft Exchange email will not work without Windows AD, and the business's MRP software used SQL Server, which in turn depends on Active Directory for access to its data.
Within 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then performed setup and storage recovery of essential applications. All Exchange ties and configuration information were intact, which greatly helped the restoration of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on staff desktops and laptops and use them to recover email data. A fairly recent offline backup of the customer's manufacturing software made it possible to bring these essential programs back into service for users. Although a lot of work remained to recover fully from the Ryuk damage, core systems were returned to operation quickly:
"For the most part, the production operation never missed a beat and we made all customer sales."
Over the next few weeks important milestones in the recovery process were achieved in tight cooperation between Progent engineers and the customer:
- In-house web applications were restored with no loss of data.
- The MailStore Server with over 4 million historical messages was brought online and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were 100 percent recovered.
- A new Palo Alto Networks 850 security appliance was set up.
- 90% of the desktops and laptops were operational.
"A lot of what went on those first few days is mostly a blur for me, but I will not soon forget the countless hours all of the team accomplished to help get our company back. I've been working together with Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered. This time was a testament to your capabilities."
A potential business-killing disaster was averted with dedicated experts, a broad array of technical expertise, and close teamwork. In a post-mortem, the crypto-ransomware attack described here should have been identified and stopped by current cyber security solutions and ISO/IEC 27001 best practices, staff training, well-designed incident response procedures, and proper backup and patching controls. The reality, however, is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and will keep attacking. If you are hit by a ransomware incursion, be confident that Progent's team of experts has substantial experience in crypto-ransomware defense, removal, and data restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for allowing me to get rested after we got past the initial push. All of you did an incredible job, and if any of your team is in the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Monterrey a portfolio of remote monitoring and security assessment services to help you minimize your exposure to crypto-ransomware. These services use modern machine learning technology to uncover zero-day strains of ransomware that can evade traditional signature-based security products.
For 24/7/365 Monterrey Ransomware Cleanup Help, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next-generation behavioral machine learning tools to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and fileless exploits, which easily evade legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to address the entire malware attack lifecycle including blocking, infiltration detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device management, and web filtering via cutting-edge technologies packaged within one agent managed from a single console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP environment that addresses your organization's specific needs and lets you demonstrate compliance with government and industry data protection standards. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate action. Progent can also help you install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has worked with advanced backup software providers to produce ProSight Data Protection Services, a family of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services manage and track your backup processes and enable transparent backup and fast restoration of critical files/folders, applications, system images, plus virtual machines. ProSight DPS lets your business avoid data loss resulting from equipment breakdown, natural disasters, fire, cyber attacks like ransomware, human error, malicious employees, or software glitches. Managed backup services in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security vendors to deliver centralized control and comprehensive security for your inbound and outbound email. The powerful structure of Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a preliminary barricade and blocks most threats from making it to your network firewall. This reduces your vulnerability to external threats and saves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further level of inspection for inbound email. For outbound email, the local security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and protect internal email that stays inside your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map, track, reconfigure and debug their connectivity appliances like routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, captures and displays the configuration information of almost all devices on your network, tracks performance, and generates alerts when potential issues are discovered. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, finding devices that require critical software patches, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running at peak levels by tracking the health of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT management personnel and your assigned Progent engineering consultant so that all potential issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be moved easily to a different hosting environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard information about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management provides a common location for storing and collaborating on all documents related to managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that uses cutting-edge behavior-based machine learning technology to guard endpoints as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which easily escape traditional signature-based AV products. Progent ASM services protect local and cloud resources and provide a single platform to manage the entire malware attack lifecycle including protection, detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
Progent's Call Desk managed services permit your IT team to outsource Support Desk services to Progent or divide activity for Service Desk support seamlessly between your in-house support resources and Progent's nationwide roster of IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a transparent supplement to your in-house IT support organization. User access to the Service Desk, provision of support, problem escalation, trouble ticket creation and tracking, efficiency measurement, and management of the service database are consistent whether issues are taken care of by your internal network support organization, by Progent's team, or both. Read more about Progent's outsourced/co-managed Help Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer organizations of all sizes a flexible and cost-effective solution for assessing, validating, scheduling, implementing, and documenting updates to your dynamic IT network. Besides maximizing the protection and reliability of your IT environment, Progent's software/firmware update management services allow your IT team to concentrate on more strategic initiatives and activities that derive maximum business value from your network. Find out more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo MFA service plans incorporate Cisco's Duo technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity confirmation with iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a protected online account and enter your password, you are asked to confirm your identity on a device that only you possess and that is reached over a separate network channel. A broad selection of out-of-band devices can serve as this added form of identity validation, including an iPhone, an Android phone, a smartwatch, a hardware or software token, or a landline telephone. You may register multiple validation devices. To learn more about Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time and in-depth management reporting plug-ins created to integrate with the industry's leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.