Ransomware : Your Crippling Information Technology Nightmare
Ransomware has become a modern cyberplague that represents an extinction-level danger for businesses of all sizes unprepared for an attack. Different versions of crypto-ransomware such as Dharma, Fusob, Locky, Syskey and MongoLock cryptoworms have been around for a long time and still cause harm. More recent variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, as well as daily unnamed viruses, not only encrypt online files but also infect any configured system backup. Files synched to cloud environments can also be encrypted. In a vulnerable system, it can render any restore operations useless and effectively sets the network back to square one.
Getting back services and information following a ransomware event becomes a race against the clock as the targeted business tries its best to stop the spread and eradicate the ransomware and to restore enterprise-critical operations. Because ransomware requires time to move laterally, attacks are frequently sprung during weekends and nights, when penetrations are likely to take longer to detect. This multiplies the difficulty of promptly marshalling and orchestrating an experienced response team.
Progent makes available a range of help services for securing organizations from crypto-ransomware penetrations. Among these are team training to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security gateways with artificial intelligence capabilities from SentinelOne to detect and quarantine day-zero cyber attacks rapidly. Progent also can provide the services of veteran ransomware recovery professionals with the skills and commitment to reconstruct a breached network as rapidly as possible.
Progent's Ransomware Recovery Help
Soon after a ransomware event, paying the ransom demands in cryptocurrency does not provide any assurance that merciless criminals will respond with the needed codes to unencrypt all your data. Kaspersky ascertained that 17% of ransomware victims never restored their data even after having sent off the ransom, resulting in increased losses. The risk is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to setup from scratch the key elements of your Information Technology environment. Absent access to full data backups, this calls for a broad complement of skills, well-coordinated team management, and the willingness to work 24x7 until the recovery project is done.
For decades, Progent has made available certified expert Information Technology services for businesses in Toronto and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained top certifications in key technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's security consultants have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of expertise provides Progent the ability to knowledgably identify necessary systems and organize the surviving parts of your IT environment following a crypto-ransomware attack and configure them into an operational network.
Progent's security team has state-of-the-art project management systems to coordinate the sophisticated recovery process. Progent appreciates the urgency of working rapidly and in unison with a client's management and Information Technology staff to prioritize tasks and to put key applications back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Incident Recovery
A business hired Progent after their organization was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been developed by North Korean government sponsored criminal gangs, suspected of using techniques exposed from America's NSA organization. Ryuk goes after specific businesses with limited ability to sustain operational disruption and is among the most lucrative examples of ransomware viruses. Well Known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company located in the Chicago metro area with around 500 staff members. The Ryuk event had disabled all company operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the beginning of the intrusion and were encrypted. The client was pursuing financing for paying the ransom (exceeding $200,000) and praying for the best, but in the end made the decision to use Progent.
"I can't tell you enough in regards to the help Progent gave us throughout the most fearful period of (our) businesses survival. We may have had to pay the cybercriminals if not for the confidence the Progent group provided us. That you could get our messaging and important applications back on-line sooner than five days was earth shattering. Each staff member I talked with or messaged at Progent was laser focused on getting our company operational and was working 24 by 7 on our behalf."
Progent worked together with the client to rapidly get our arms around and assign priority to the mission critical systems that had to be addressed to make it possible to continue departmental functions:
To get going, Progent followed Anti-virus incident mitigation best practices by stopping lateral movement and performing virus removal steps. Progent then began the task of recovering Windows Active Directory, the heart of enterprise networks built on Microsoft Windows Server technology. Exchange email will not operate without Windows AD, and the client's financials and MRP applications leveraged Microsoft SQL, which depends on Active Directory for access to the data.
- Windows Active Directory
- Electronic Mail
In less than 48 hours, Progent was able to recover Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and storage recovery of key applications. All Microsoft Exchange Server data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to find local OST data files (Outlook Email Off-Line Folder Files) on team PCs to recover email data. A not too old offline backup of the businesses manufacturing software made it possible to recover these required applications back online for users. Although a lot of work remained to recover completely from the Ryuk event, core systems were returned to operations rapidly:
"For the most part, the assembly line operation was never shut down and we delivered all customer sales."
During the following couple of weeks key milestones in the restoration process were achieved through close cooperation between Progent team members and the customer:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore Server exceeding 4 million historical messages was brought online and accessible to users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory functions were completely restored.
- A new Palo Alto 850 firewall was set up.
- 90% of the user desktops and notebooks were being used by staff.
"Much of what transpired in the initial days is nearly entirely a blur for me, but my team will not forget the countless hours all of your team put in to help get our company back. I've been working together with Progent for the past 10 years, possibly more, and each time Progent has come through and delivered. This time was a life saver."
A possible company-ending catastrophe was avoided by dedicated professionals, a wide array of knowledge, and close teamwork. Although in hindsight the crypto-ransomware virus incident described here could have been stopped with up-to-date cyber security technology solutions and best practices, user education, and well thought out incident response procedures for information protection and proper patching controls, the reality remains that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and will continue. If you do fall victim to a ransomware virus, remember that Progent's team of professionals has a proven track record in ransomware virus blocking, remediation, and file recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for letting me get some sleep after we got over the most critical parts. Everyone did an impressive job, and if anyone is in the Chicago area, dinner is my treat!"
To read or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Toronto a variety of online monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services include next-generation AI technology to detect zero-day strains of ransomware that can evade legacy signature-based security products.
For Toronto 24x7 CryptoLocker Recovery Support Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based machine learning tools to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely evade traditional signature-based AV products. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to manage the complete malware attack progression including filtering, infiltration detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can help your business to design and implement a ProSight ESP deployment that meets your company's unique needs and that helps you demonstrate compliance with government and industry data security regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent can also help you to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has worked with leading backup technology companies to produce ProSight Data Protection Services (DPS), a selection of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products manage and track your data backup operations and allow transparent backup and fast recovery of important files, applications, images, plus virtual machines. ProSight DPS helps you recover from data loss caused by hardware failures, natural calamities, fire, cyber attacks like ransomware, human mistakes, malicious insiders, or software bugs. Managed backup services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these managed services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading information security companies to provide web-based control and world-class security for your email traffic. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway device to offer complete defense against spam, viruses, Dos Attacks, DHAs, and other email-based threats. The cloud filter serves as a first line of defense and blocks most threats from reaching your network firewall. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises gateway device provides a further level of analysis for incoming email. For outgoing email, the on-premises security gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map, monitor, optimize and troubleshoot their networking hardware such as routers, firewalls, and access points as well as servers, endpoints and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that network diagrams are always updated, copies and displays the configuration information of almost all devices on your network, monitors performance, and generates notices when potential issues are detected. By automating tedious management processes, WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, finding devices that require critical updates, or isolating performance issues. Learn more details about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by checking the health of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent engineering consultant so that any potential issues can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to a different hardware solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and protect data related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates ,domains or warranties. By updating and organizing your network documentation, you can save up to half of time thrown away searching for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Find out more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior machine learning technology to guard endpoint devices and servers and VMs against modern malware assaults like ransomware and email phishing, which easily evade legacy signature-based anti-virus products. Progent ASM services safeguard local and cloud-based resources and offers a unified platform to manage the entire malware attack progression including blocking, identification, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Service Center: Help Desk Managed Services
Progent's Call Desk services enable your IT staff to outsource Support Desk services to Progent or split responsibilities for Help Desk services transparently between your in-house network support staff and Progent's extensive roster of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a smooth extension of your in-house support team. End user interaction with the Service Desk, delivery of support, issue escalation, ticket creation and tracking, performance metrics, and maintenance of the service database are consistent regardless of whether issues are resolved by your core network support group, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Call Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide organizations of all sizes a versatile and cost-effective alternative for assessing, testing, scheduling, implementing, and tracking updates to your dynamic IT network. In addition to maximizing the security and functionality of your IT network, Progent's software/firmware update management services free up time for your IT team to focus on line-of-business projects and activities that deliver maximum business value from your information network. Learn more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to protect against stolen passwords through the use of two-factor authentication. Duo enables one-tap identity verification with Apple iOS, Android, and other personal devices. With 2FA, whenever you sign into a protected application and enter your password you are asked to verify who you are on a unit that only you possess and that is accessed using a separate network channel. A broad range of devices can be utilized for this second form of ID validation including an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You may register several verification devices. For details about Duo two-factor identity authentication services, see Duo MFA two-factor authentication services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding suite of in-depth reporting utilities created to integrate with the top ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.