Ransomware: Your Worst Information Technology Catastrophe
Crypto-ransomware has become a modern cyber pandemic and represents an extinction-level threat for organizations vulnerable to an assault. Versions of ransomware such as the Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for years and continue to cause harm. Modern crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus many unnamed strains, not only encrypt online data but also attack any reachable system restore points and backups. Data replicated to the cloud can be ransomed as well. In a poorly architected system this can make automated restore operations impossible and effectively knocks the network back to square one.
Bringing programs and data back online after a ransomware outage is a race against the clock, as the targeted organization struggles to stop lateral movement, clean up the malware, and resume mission-critical operations. Because crypto-ransomware takes time to move laterally, attacks are frequently launched on weekends and at night, when intrusions often take longer to detect. This compounds the difficulty of promptly mobilizing and coordinating an experienced response team.
Progent provides an assortment of services for securing enterprises against crypto-ransomware attacks. Among these are staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern AI-capable security products from SentinelOne to identify and disable new threats rapidly. Progent can also provide the services of expert ransomware recovery engineers with the skill and commitment to reconstruct a breached network as urgently as possible.
Progent's Crypto-Ransomware Recovery Help
After a crypto-ransomware event, paying the ransom in cryptocurrency does not ensure that the criminal gang will provide the keys to decrypt any of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNet estimates at approximately $13,000. The alternative is to piece back together the essential parts of your Information Technology environment. Without usable system backups, this calls for a broad range of skills, top-notch project management, and the ability to work 24x7 until the recovery project is over.
For decades, Progent has offered expert IT services for companies in San Francisco and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level industry certifications in key technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of experience allows Progent to efficiently identify critical systems, re-organize the surviving components of your network environment following a ransomware event, and rebuild them into an operational system.
Progent's recovery group uses top-notch project management tools to orchestrate the complicated restoration process. Progent understands the urgency of acting rapidly and in concert with a customer's management and Information Technology staff to prioritize tasks and get the most important services back online as soon as possible.
Case Study: A Successful Crypto-Ransomware Virus Restoration
A customer engaged Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored cybercriminals, suspected of using algorithms leaked from the U.S. National Security Agency. Ryuk targets specific companies with little ability to sustain operational disruption and is one of the most lucrative incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago with about 500 employees. The Ryuk intrusion had disabled all company operations and manufacturing processes. Most of the client's data backups had been online at the time of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately turned to Progent.
"I cannot tell you enough about the care Progent provided us throughout the most critical time of (our) company's existence. We would have paid the criminal gangs except for the confidence the Progent experts provided us. That you could get our e-mail system and important applications back online in less than a week was amazing. Each person I worked with or e-mailed at Progent was totally committed to getting us back online and was working 24/7 to bail us out."
Progent worked with the client to rapidly identify and prioritize the mission-critical elements that had to be recovered before business operations could restart:
- Microsoft Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for malware incident response by halting the spread and cleaning up infected systems. Progent then began bringing Microsoft Active Directory back online, since it is the foundation of enterprise environments built on Microsoft Windows Server. Exchange messaging will not run without Active Directory, and the client's MRP applications relied on Microsoft SQL Server, which also depends on Active Directory for access to its data.
Within 2 days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then rebuilt the required applications and recovered their data from the affected drives. All Exchange schema extensions and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Data Files) from user desktop computers in order to recover mail data. A recent offline backup of the customer's financials/ERP systems made it possible to bring these required services back online. Although significant work remained to recover fully from the Ryuk damage, the most important services were returned to operation rapidly:
"For the most part, the production manufacturing operation was never shut down and we produced all customer sales."
Over the next few weeks, key milestones in the recovery project were reached through tight cooperation between Progent consultants and the client:
- In-house web applications were restored without losing any data.
- The MailStore Exchange Server with over four million archived emails was brought online and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were 100 percent operational.
- A new Palo Alto 850 security appliance was deployed.
- Most of the desktop computers were fully operational.
"Much of what went on in the initial days is nearly entirely a fog for me, but my team will not forget the urgency all of the team accomplished to help get our business back. I have utilized Progent for the past 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This situation was a Herculean accomplishment."
A potential business extinction catastrophe was avoided thanks to results-oriented professionals, a broad spectrum of IT skills, and close collaboration. Forensics later showed that the crypto-ransomware intrusion described here could have been stopped by up-to-date cyber security technology, adherence to NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well-designed procedures for backup and patching controls; the reality remains, however, that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware incursion, you can be confident that Progent's roster of experts has proven experience in crypto-ransomware blocking, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were helping), thanks very much for allowing me to get some sleep after we got through the initial push. Everyone did an impressive job, and if any of your team is around the Chicago area, dinner is my treat!"
To read or download a PDF version of this case study, please click: Progent's Ransomware Recovery Case Study Datasheet (PDF - 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in San Francisco a portfolio of online monitoring and security evaluation services to help you reduce the threat from crypto-ransomware. These services include next-generation artificial intelligence capabilities to uncover zero-day strains of ransomware that escape detection by traditional signature-based anti-virus solutions.
For 24/7 San Francisco Ransomware Remediation Experts, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily get by traditional signature-based anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a single platform to automate the entire malware attack lifecycle including blocking, detection, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth security for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and react to security attacks from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can help your business design and implement a ProSight ESP deployment that addresses your company's specific requirements and allows you to demonstrate compliance with government and industry data protection regulations. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate action. Progent can also help your company set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has partnered with advanced backup/restore technology providers to produce ProSight Data Protection Services (DPS), a portfolio of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your backup operations and enable non-disruptive backup and rapid restoration of important files/folders, applications, system images, plus VMs. ProSight DPS lets you avoid data loss resulting from equipment failures, natural disasters, fire, malware such as ransomware, human mistakes, malicious employees, or software bugs. Managed services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security vendors to deliver web-based management and world-class security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of threats before they reach your network firewall. This decreases your exposure to inbound threats and saves system bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper layer of inspection for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server in monitoring and safeguarding internal email traffic that stays within your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller organizations to map, track, enhance and debug their connectivity appliances such as routers, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using cutting-edge RMM technology, WAN Watch ensures that network maps are always updated, copies and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, locating appliances that require important updates, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to help keep your network running efficiently by tracking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so that all potential issues can be addressed before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported easily to an alternate hosting environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard data about your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that uses cutting-edge behavioral machine learning tools to defend endpoints and physical and virtual servers against new malware attacks like ransomware and file-less exploits, which easily evade legacy signature-matching anti-virus products. Progent's Active Security Monitoring services safeguard local and cloud resources and offer a unified platform to automate the complete malware attack lifecycle, including protection, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Learn more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Call Center: Call Center Managed Services
Progent's Help Center services permit your IT team to offload Call Center services to Progent or split responsibilities for support services seamlessly between your in-house support resources and Progent's nationwide roster of IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a smooth supplement to your internal support organization. Client access to the Service Desk, provision of support services, issue escalation, ticket generation and tracking, performance metrics, and management of the service database are consistent regardless of whether incidents are resolved by your core IT support group, by Progent, or both. Learn more about Progent's outsourced/shared Call Desk services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for patch management offer organizations of any size a versatile and affordable alternative for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic information network. Besides maximizing the protection and reliability of your IT environment, Progent's patch management services allow your IT staff to concentrate on line-of-business initiatives and tasks that derive the highest business value from your information network. Learn more about Progent's software/firmware update management support services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo authentication managed services use Cisco's Duo cloud technology to defend against compromised passwords through two-factor authentication (2FA). Duo supports single-tap identity confirmation on Apple iOS, Android, and other personal devices. With 2FA, when you log into a protected online account and enter your password, you are asked to verify who you are on a device that only you possess and that is reached over a different ("out-of-band") network channel. A broad selection of out-of-band devices can be used for this added form of identity validation, including an iPhone, Android phone or wearable, a hardware token, a landline telephone, etc. You may designate several validation devices. For details about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is a growing line of in-depth reporting utilities designed to work with the top ticketing and network monitoring platforms, including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and uses color coding to surface and contextualize critical issues like spotty support follow-up or machines with out-of-date anti-virus. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.