Ransomware: Your Worst Information Technology Nightmare
Ransomware has become an all-too-frequent cyberplague and an enterprise-level danger for businesses of every size that are unprepared for an attack. Older crypto-ransomware families such as CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock have been in the wild for years and still cause damage. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nephilim, plus newcomers that have yet to be named, not only encrypt online data but also seek out and encrypt or delete any backups they can reach over the network. Files replicated to the cloud can be corrupted as well, because the sync client faithfully uploads the encrypted versions. In a poorly architected data protection solution this can make recovery impossible and effectively set the entire environment back to zero.
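The lesson above, that a backup you can reach over the network is a backup the ransomware can reach too, has a practical corollary: before relying on any backup set for a restore, check that it has not itself been encrypted. The script below is an added example written for this page, not Progent's tooling or any product's code. It builds a small constructed backup set, hashes it into a manifest that would be kept off-line, simulates ransomware encrypting one file in place and encrypting-and-renaming another, and then flags every file whose hash, file signature or byte entropy no longer looks right. The file names, the signature table and the 7.5 bits-per-byte threshold are assumptions chosen for the example.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Expected leading bytes for file types that carry a signature. This small table is an
# assumption for the example; extend it with the types your backups actually hold.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}
# Container types that are legitimately high-entropy, so entropy alone proves nothing for them.
COMPRESSED = {".docx", ".zip", ".7z", ".gz"}
PLAIN = {".txt", ".csv"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or random data sits close to 8.0


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Hash every file under root. Store the result off-line: a manifest kept beside the
    backup is encrypted along with it."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def assess_file(path):
    """Content-only checks that need no manifest: extension, signature and entropy."""
    findings = []
    with open(path, "rb") as f:
        data = f.read()
    ext = os.path.splitext(path)[1].lower()
    if ext and ext not in MAGIC and ext not in COMPRESSED and ext not in PLAIN:
        findings.append("unexpected_extension")  # e.g. a .locked suffix appended by ransomware
    magic = MAGIC.get(ext)
    if magic and not data.startswith(magic):
        findings.append("magic_mismatch")  # a .pdf that no longer begins with %PDF
    if ext not in COMPRESSED and shannon_entropy(data) > ENTROPY_THRESHOLD:
        findings.append("high_entropy")
    return findings


def assess_backup_set(root, manifest):
    """Return {relative_path: sorted findings} for every suspicious or missing file.
    An empty dict means the set matches the manifest and looks unencrypted."""
    report, present = {}, set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            present.add(rel)
            findings = assess_file(full)
            if rel not in manifest:
                findings.append("not_in_manifest")  # new files: ransom notes, renamed originals
            elif sha256_file(full) != manifest[rel]:
                findings.append("hash_mismatch")
            if findings:
                report[rel] = sorted(findings)
    for rel in manifest:
        if rel not in present:
            report[rel] = ["missing"]
    return report


def build_sample_backup():
    """Constructed sample: three files are backed up and hashed, then 'ransomware' overwrites
    one in place and encrypts-and-renames another. Returns (backup_root, off-line manifest)."""
    root = tempfile.mkdtemp(prefix="backup_")
    originals = {
        "invoices.csv": b"INV-1001,ACME,1200.00\nINV-1002,Globex,870.50\n" * 100,
        "report.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50,
        "orders.docx": b"PK\x03\x04" + b"word/document.xml" * 100,
    }
    for name, content in originals.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    manifest = build_manifest(root)  # taken at backup time, before the attack
    with open(os.path.join(root, "report.pdf"), "wb") as f:
        f.write(os.urandom(8192))  # random bytes stand in for ciphertext
    os.remove(os.path.join(root, "orders.docx"))
    with open(os.path.join(root, "orders.docx.locked"), "wb") as f:
        f.write(os.urandom(8192))
    return root, manifest


if __name__ == "__main__":
    sample_root, sample_manifest = build_sample_backup()
    for path, findings in sorted(assess_backup_set(sample_root, sample_manifest).items()):
        print(f"{path}: {', '.join(findings)}")
```

Run against a real backup root with a manifest captured at backup time, the report is the go/no-go list for a restore: the untouched invoices.csv produces no entry, while the overwritten PDF trips all three checks and the renamed order file shows up both as an unknown extension and as a file the manifest never saw. The hash check is the authoritative one; the entropy and signature checks exist so that a set whose manifest was lost or never taken can still be screened.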
Recovering services and data after a ransomware attack becomes a race against the clock as the victim struggles to contain the damage, eradicate the malware, and resume business-critical activity. Because encrypting data and spreading across a network take time, attacks are often launched at night or over a weekend, when fewer people are watching and a successful attack takes longer to identify. This compounds the difficulty of promptly mobilizing and organizing a knowledgeable response team.
Progent offers a range of services for protecting organizations from ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM), a managed endpoint protection service built on SentinelOne's behavior-based detection that can identify and quarantine zero-day attacks quickly, and design and configuration of current-generation security appliances. Progent also offers the services of veteran ransomware recovery consultants with the skills and commitment to restore a compromised system as quickly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency gives no assurance that the criminals will respond with keys that decrypt all of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms are often several hundred thousand dollars, and for larger organizations the demand can reach millions. The alternative is to rebuild the vital components of your IT environment. Without complete, uncompromised backups, this requires a broad range of skills, professional project management, and the willingness to work around the clock until the job is done.
For decades, Progent has provided expert IT services to companies throughout the United States and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals with top certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security experts hold internationally recognized credentials including CISM, CISSP, ISACA CRISC, SANS GIAC and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise lets Progent quickly determine which systems are essential, reorganize the surviving components of your network after a crypto-ransomware attack, and reassemble them into a functioning environment.
Progent's recovery team deploys state-of-the-art project management tools to coordinate the complex restoration process. Progent understands the urgency of acting swiftly and in concert with a customer's management and IT team members to prioritize tasks and to get key systems back on-line as soon as humanly possible.
Client Story: A Successful Ransomware Virus Restoration
A small business engaged Progent after its network was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis tied it to Russian-speaking criminal groups, who typically deliver it through Emotet and TrickBot infections. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk incident had frozen all business operations and manufacturing processes. Most of the client's backups had been online when the intrusion began and were destroyed. The client was arranging financing to pay the ransom demand (more than $200K) and hoping for the best, but ultimately decided to engage Progent instead.
"I cannot tell you enough about the support Progent provided us throughout the most stressful time in (our) business's existence. We most likely would have paid the criminal gangs if not for the confidence the Progent experts afforded us. The fact that you could get our messaging and critical applications back online in less than five days was amazing. Each consultant I spoke to or messaged at Progent was totally committed to getting our company operational and was working at breakneck pace on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the mission-critical elements that had to be recovered for business operations to continue:
- Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident mitigation best practices by stopping lateral movement and removing the active malware. Progent then started recovering Windows Active Directory, the foundation of enterprise environments built on Windows Server. Microsoft Exchange will not run without Active Directory, and the customer's financial and MRP software ran on SQL Server, which in this environment authenticated users through Active Directory.
In less than 48 hours, Progent restored Active Directory to its pre-intrusion state. Progent then helped rebuild key servers and recover data from their disks. All Microsoft Exchange Server data and configuration information were usable, which greatly simplified the Exchange restore. Progent was also able to collect unencrypted OST files (Outlook offline data files) from staff desktops to recover email messages. A reasonably recent offline backup of the accounting/ERP system made it possible to bring those essential applications back online. Although a great deal of work remained to recover fully from Ryuk, essential services were restored quickly:
"For the most part, the production line operation was never shut down and we did not miss any customer orders."
Over the following weeks, important milestones in the recovery project were completed in close collaboration between Progent consultants and the customer:
- Internal web applications were brought back up without losing any information.
- The MailStore archive of Exchange mail, holding more than four million archived messages, was brought online and made available to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control modules were 100% operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- Nearly all of the desktop computers were operational.
"A lot of what happened in the early hours is almost entirely a blur for me, but my management will not forget the countless hours each and every one of the team put in to give us our company back. I've trusted Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This situation was the most impressive ever."
Conclusion
A likely business-ending catastrophe was averted through hard-working professionals, a wide spectrum of knowledge, and close collaboration. Post-incident forensics showed that the intrusion described here should have been blocked by modern security tooling, ISO/IEC 27001 practices, user and administrator education, and well-designed incident response, data protection and patching procedures. The fact remains, however, that state-sponsored and criminal actors from Russia, North Korea and elsewhere are tireless and will keep trying. If you do fall victim to ransomware, Progent's roster of experts has extensive experience in ransomware defense, cleanup, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), I'm grateful for allowing me to get rested after we made it past the initial fire. All of you did an incredible job, and if any of you guys are in the Chicago area, dinner is on me!"
A PDF version of this customer story is available: Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in San Francisco a variety of remote monitoring and security assessment services to help you reduce your exposure to ransomware. These services incorporate next-generation machine learning to uncover zero-day strains of ransomware that evade legacy signature-based anti-virus products.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses SentinelOne's next-generation behavior analysis technology to guard physical and virtual endpoints against modern malware such as ransomware and fileless attacks, which routinely get past traditional signature-matching AV products. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform that automates the complete threat lifecycle: filtering, detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and machine learning for round-the-clock monitoring and response to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through technologies incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help your business plan and implement a ProSight ESP environment that addresses your organization's specific needs and helps you demonstrate compliance with legal and industry information protection regulations. Progent will help you define and configure the policies that ProSight ESP enforces, monitor your IT environment, and react to alarms that call for immediate attention. Progent's consultants can also help you set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous security incident such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has partnered with leading backup/restore technology providers to produce ProSight Data Protection Services, a portfolio of subscription-based management offerings that provide backup-as-a-service. ProSight DPS products manage and track your backup processes and enable transparent backup and rapid restoration of important files/folders, apps, system images, and virtual machines. ProSight DPS lets you recover from data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human error, malicious employees, or application bugs. Managed services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security companies to deliver centralized management and comprehensive protection for your inbound and outbound email. The hybrid architecture of the Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to defend against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a first barrier and keeps the vast majority of unwanted email from ever reaching your network firewall. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-site security gateway appliance adds a deeper level of analysis for incoming email. For outbound email, the on-site gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also work with Microsoft Exchange Server to monitor and protect internal email traffic that never leaves your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to diagram, monitor, reconfigure and debug their connectivity appliances such as switches, firewalls, and access points as well as servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are kept updated, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and generates notices when potential issues are discovered. By automating complex management and troubleshooting processes, WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, locating devices that require critical updates, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your network running at peak levels by tracking the health of vital computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your designated IT personnel and your Progent engineering consultant so that all potential issues can be addressed before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported easily to a different hosting solution without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect information about your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By keeping your IT documentation current and organized, you can save up to half of the time otherwise spent hunting for vital information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and how-to guides. ProSight IT Asset Management also offers advanced automation for gathering and correlating IT information. Whether you're planning improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Find out more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that uses behavior analysis technology to guard endpoints as well as physical and virtual servers against new malware attacks such as ransomware and phishing payloads, which easily evade traditional signature-matching anti-virus products. The service protects local and cloud-based resources and provides a single platform that automates the complete threat progression: protection, detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and real-time network-wide immunization against new threats. Learn more about Progent's ransomware protection and cleanup services.
- Outsourced/Co-managed Service Desk: Support Desk Managed Services
Progent's Help Desk managed services enable your information technology staff to offload Support Desk services to Progent or split responsibilities for Help Desk services transparently between your in-house network support resources and Progent's extensive pool of certified IT support engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless supplement to your in-house support staff. User access to the Service Desk, delivery of support, problem escalation, trouble ticket generation and tracking, performance metrics, and management of the service database are cohesive regardless of whether issues are resolved by your internal support resources, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Call Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's managed services for patch management offer businesses of all sizes a flexible and affordable solution for evaluating, testing, scheduling, implementing, and documenting updates to your dynamic IT network. Besides maximizing the security and functionality of your computer network, Progent's patch management services permit your in-house IT team to concentrate on line-of-business projects and activities that deliver the highest business value from your network. Read more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against stolen passwords through two-factor authentication. Duo enables one-tap identity confirmation on iOS, Android, and other out-of-band devices. With 2FA, when you sign in to a protected application and enter your password, you are asked to confirm who you are with a device that only you possess and that uses a separate ("out-of-band") network channel. A broad selection of out-of-band devices can serve as this second factor, such as a smartphone or wearable, a hardware or software token, or a landline telephone, and you may register more than one. For details about Duo identity authentication services, go to Cisco Duo MFA two-factor authentication services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of real-time and in-depth reporting tools created to work with the industry's top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as inconsistent support follow-up or endpoints with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
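Both the ProSight ASM and the Active Defense Against Ransomware descriptions above lean on one-click rollback from Windows VSS shadow copies. The caveat a practitioner should keep in mind is that ransomware families including Ryuk delete shadow copies, shrink shadow storage and disable Windows recovery before they begin encrypting, so rollback only helps if those commands are blocked or caught as they run. The script below is an added example for this page, not code from Progent, SentinelOne or any product: it runs a handful of detection rules over constructed process-creation events (timestamps, host names, user names and command lines are all made up for the example; the rule names are this script's own) and escalates a host on which more than one anti-recovery technique fires.

```python
import re

# Anti-recovery commands documented as running ahead of encryption in many ransomware
# families, Ryuk among them. Rule names are this example's own.
RULES = [
    ("vss_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_disable_recovery", re.compile(
        r"bcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell_wmi_shadowcopy", re.compile(
        r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))", re.I)),
]

# Constructed process-creation events in a simple pipe-delimited export:
# timestamp|host|user|image|command line. Only the final field may itself contain "|".
SAMPLE_LOG = r"""
2024-03-02T02:14:07Z|MFG-FS01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
2024-03-02T02:31:52Z|MFG-FS01|CORP\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2024-03-02T02:31:53Z|MFG-FS01|CORP\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2024-03-02T02:31:55Z|MFG-FS01|CORP\jdoe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2024-03-02T02:32:10Z|MFG-DC01|CORP\jdoe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2024-03-02T08:05:00Z|MFG-WS17|CORP\asmith|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "Q1 report.docx"
"""


def parse_event(line):
    # maxsplit=4 keeps any "|" inside the command line (PowerShell pipelines) intact.
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def match_rules(cmdline):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(log_text):
    """One alert per (event, rule) pair, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in match_rules(event["cmdline"]):
            alerts.append({**event, "rule": rule})
    return alerts


def escalate(alerts, min_distinct=2):
    """Hosts on which at least min_distinct different anti-recovery techniques fired.
    One vssadmin call may be an administrator; two or three in a row is ransomware staging."""
    rules_by_host = {}
    for alert in alerts:
        rules_by_host.setdefault(alert["host"], set()).add(alert["rule"])
    return {host: sorted(rules) for host, rules in rules_by_host.items()
            if len(rules) >= min_distinct}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['host']} {a['user']} {a['rule']}: {a['cmdline']}")
    print("escalate:", escalate(found))
```

In production the command-line field comes from Sysmon Event ID 1 or Windows Security Event ID 4688; note that 4688 only carries the command line when "Include command line in process creation events" is enabled under Audit Process Creation in Group Policy. Escalating on distinct techniques rather than on any single hit keeps the backup operator's routine `vssadmin list shadows` quiet while the three-command sequence on MFG-FS01 is flagged within seconds, which is the window in which VSS-based rollback is still possible.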
For San Francisco 24x7x365 Ransomware Remediation Consulting, call Progent at 800-462-8800 or go to Contact Progent.