Ransomware : Your Crippling IT Catastrophe
Ransomware has become an escalating cyber pandemic that poses an extinction-level threat for organizations poorly prepared for an assault. Different iterations of ransomware such as CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for years and continue to inflict destruction. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as daily as yet unnamed viruses, not only encrypt on-line data but also infiltrate many configured system backup. Information synched to the cloud can also be corrupted. In a poorly designed data protection solution, this can make automatic recovery impossible and basically sets the entire system back to square one.
Getting back online services and data following a crypto-ransomware intrusion becomes a sprint against the clock as the targeted organization fights to stop the spread and clear the ransomware and to resume business-critical activity. Since ransomware needs time to replicate, assaults are frequently launched on weekends, when successful penetrations typically take more time to recognize. This compounds the difficulty of quickly mobilizing and orchestrating an experienced mitigation team.
Progent offers an assortment of solutions for securing enterprises from ransomware attacks. These include user education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security solutions with machine learning capabilities from SentinelOne to identify and suppress day-zero cyber threats rapidly. Progent also can provide the assistance of seasoned crypto-ransomware recovery engineers with the talent and commitment to rebuild a compromised system as quickly as possible.
Progent's Ransomware Recovery Help
Soon after a ransomware penetration, even paying the ransom in cryptocurrency does not ensure that cyber hackers will provide the keys to unencrypt any or all of your files. Kaspersky Labs ascertained that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the usual crypto-ransomware demands, which ZDNET determined to be around $13,000. The alternative is to re-install the critical elements of your IT environment. Absent access to essential system backups, this requires a broad complement of skill sets, professional project management, and the willingness to work 24x7 until the recovery project is completed.
For twenty years, Progent has provided professional Information Technology services for companies in Ontario and across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have been awarded high-level certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of expertise provides Progent the capability to rapidly understand critical systems and re-organize the surviving parts of your computer network environment after a ransomware attack and assemble them into an operational network.
Progent's recovery team has top notch project management systems to orchestrate the sophisticated recovery process. Progent understands the urgency of working swiftly and in unison with a customer's management and Information Technology resources to prioritize tasks and to get critical systems back on line as fast as humanly possible.
Client Case Study: A Successful Ransomware Virus Response
A customer engaged Progent after their network was attacked by the Ryuk ransomware virus. Ryuk is generally considered to have been launched by North Korean government sponsored hackers, possibly using approaches exposed from America's NSA organization. Ryuk goes after specific organizations with little ability to sustain operational disruption and is one of the most profitable incarnations of ransomware malware. Major organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in the Chicago metro area with about 500 employees. The Ryuk event had frozen all essential operations and manufacturing capabilities. The majority of the client's information backups had been online at the start of the intrusion and were encrypted. The client considered paying the ransom (more than $200,000) and praying for good luck, but ultimately engaged Progent.
"I can't tell you enough in regards to the help Progent gave us during the most critical time of (our) businesses existence. We most likely would have paid the Hackers if it wasn't for the confidence the Progent experts gave us. That you were able to get our messaging and critical servers back online faster than 1 week was beyond my wildest dreams. Every single expert I interacted with or communicated with at Progent was urgently focused on getting us back on-line and was working breakneck pace to bail us out."
Progent worked hand in hand the client to quickly identify and assign priority to the most important elements that had to be addressed in order to resume company operations:
To get going, Progent adhered to Anti-virus event response best practices by halting the spread and clearing up compromised systems. Progent then started the work of recovering Microsoft AD, the heart of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Windows AD, and the client's accounting and MRP applications utilized Microsoft SQL, which requires Active Directory services for security authorization to the data.
- Windows Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
Within 2 days, Progent was able to rebuild Active Directory services to its pre-attack state. Progent then completed rebuilding and storage recovery on critical applications. All Exchange data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to find intact OST files (Outlook Off-Line Folder Files) on team desktop computers in order to recover mail information. A recent off-line backup of the customer's accounting/MRP systems made it possible to recover these vital applications back online. Although a large amount of work was left to recover fully from the Ryuk attack, essential systems were restored rapidly:
"For the most part, the production operation showed little impact and we did not miss any customer orders."
Over the following few weeks key milestones in the restoration process were completed in close cooperation between Progent team members and the client:
- Internal web applications were brought back up with no loss of information.
- The MailStore Microsoft Exchange Server containing more than four million archived messages was brought on-line and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory modules were fully operational.
- A new Palo Alto 850 security appliance was installed and configured.
- Most of the desktops and laptops were operational.
"Much of what transpired that first week is nearly entirely a blur for me, but my team will not forget the countless hours each and every one of you put in to help get our business back. I have entrusted Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This time was a testament to your capabilities."
A likely business-ending disaster was dodged due to results-oriented experts, a broad range of knowledge, and close collaboration. Although upon completion of forensics the crypto-ransomware virus attack detailed here would have been disabled with up-to-date security solutions and best practices, user education, and properly executed security procedures for data protection and applying software patches, the fact is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware virus, remember that Progent's team of professionals has extensive experience in ransomware virus defense, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), thank you for letting me get some sleep after we got over the initial fire. All of you did an fabulous effort, and if any of your guys is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Ontario a portfolio of online monitoring and security assessment services to assist you to reduce the threat from ransomware. These services include modern artificial intelligence technology to uncover zero-day variants of ransomware that can escape detection by traditional signature-based anti-virus solutions.
For 24-7 Ontario Ransomware Recovery Services, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior-based analysis technology to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-matching anti-virus products. ProSight ASM safeguards local and cloud resources and provides a unified platform to address the complete threat lifecycle including protection, detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows VSS and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering via cutting-edge tools incorporated within one agent managed from a unified control. Progent's security and virtualization consultants can help your business to plan and configure a ProSight ESP environment that meets your company's unique requirements and that allows you demonstrate compliance with legal and industry information protection regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent can also assist you to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has partnered with advanced backup/restore software companies to produce ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS services automate and monitor your backup processes and enable non-disruptive backup and rapid recovery of vital files/folders, apps, system images, and VMs. ProSight DPS helps you avoid data loss caused by hardware failures, natural disasters, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or software glitches. Managed backup services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these fully managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security companies to provide web-based management and comprehensive protection for all your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to provide complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper level of analysis for inbound email. For outgoing email, the local gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map, monitor, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers as well as servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are always updated, copies and displays the configuration of virtually all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating tedious management activities, ProSight WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding appliances that need important software patches, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by checking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT personnel and your assigned Progent consultant so that all looming issues can be addressed before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hosting environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect data related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSLs or warranties. By updating and managing your network documentation, you can eliminate up to half of time wasted searching for critical information about your network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're making enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates next generation behavior analysis tools to defend endpoint devices as well as physical and virtual servers against modern malware assaults like ransomware and email phishing, which routinely evade traditional signature-matching anti-virus products. Progent Active Security Monitoring services safeguard local and cloud-based resources and provides a single platform to automate the complete threat progression including protection, identification, mitigation, remediation, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Help Center: Help Desk Managed Services
Progent's Help Desk services allow your IT team to offload Help Desk services to Progent or split responsibilities for Service Desk support seamlessly between your internal support group and Progent's nationwide roster of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a smooth supplement to your in-house IT support resources. User interaction with the Service Desk, provision of support, escalation, ticket generation and tracking, efficiency metrics, and maintenance of the service database are consistent whether issues are taken care of by your core support resources, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Call Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer organizations of any size a versatile and affordable alternative for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic information network. Besides maximizing the security and reliability of your computer environment, Progent's patch management services permit your in-house IT staff to concentrate on line-of-business projects and activities that deliver maximum business value from your network. Read more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication (2FA). Duo supports one-tap identity verification on Apple iOS, Google Android, and other personal devices. Using 2FA, when you sign into a protected online account and enter your password you are requested to verify your identity on a unit that only you have and that is accessed using a different network channel. A broad selection of out-of-band devices can be utilized for this added form of authentication including an iPhone or Android or watch, a hardware/software token, a landline phone, etc. You may register several verification devices. To find out more about ProSight Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time and in-depth reporting tools created to integrate with the leading ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues like inconsistent support follow-up or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.