Crypto-Ransomware : Your Crippling Information Technology Nightmare
Ransomware has become an escalating cyberplague that represents an existential danger for businesses poorly prepared for an assault. Different iterations of crypto-ransomware like the CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms have been around for many years and still inflict harm. More recent versions of ransomware like Ryuk and Hermes, plus other unnamed strains, not only encrypt on-line data but also infiltrate any configured system backups that are reachable from the compromised network. Data synchronized to cloud environments can also be corrupted. In a poorly architected environment, this can render automatic recovery impossible and effectively sets the datacenter back to zero.
Recovering applications and data following a ransomware attack becomes a sprint against the clock as the targeted business fights to contain and clean up the ransomware and to resume enterprise-critical operations. Because ransomware needs time to move laterally, penetrations are often sprung on weekends, when successful attacks are likely to take more time to detect. This compounds the difficulty of rapidly assembling and orchestrating an experienced response team.
Progent makes available a range of support services for securing enterprises from ransomware attacks. Among these are team member education to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security appliances with machine learning technology to rapidly discover and quarantine zero-day threats. Progent also can provide the services of experienced ransomware recovery consultants with the skills and commitment to re-deploy a breached network as urgently as possible.
Progent's Ransomware Recovery Support Services
Following a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not ensure that distant criminals will provide the needed keys to decrypt all your data. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never restored their files after having paid the ransom, resulting in further losses. Paying is also very costly. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to set up the critical components of your IT environment from scratch. Without access to essential data backups, this requires a wide range of skills, top notch project management, and the willingness to work non-stop until the task is complete.
For twenty years, Progent has offered professional IT services for companies in Albany and throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained top industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent in addition has experience in financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to understand important systems, re-organize the remaining parts of your Information Technology environment following a crypto-ransomware penetration, and configure them into an operational network.
Progent's recovery team deploys state-of-the-art project management systems to coordinate the complicated recovery process. Progent knows the urgency of working quickly and together with a client's management and Information Technology team members to assign priority to tasks and to put the most important services back on-line as fast as possible.
Client Case Study: A Successful Crypto-Ransomware Virus Restoration
A customer sought out Progent after their network was taken over by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored cybercriminals, possibly using techniques leaked from the United States National Security Agency. Ryuk goes after specific businesses with limited tolerance for disruption and is among the most lucrative examples of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in the Chicago metro area with about 500 workers. The Ryuk intrusion had disabled all company operations and manufacturing capabilities. Most of the client's system backups had been on-line at the start of the intrusion and were encrypted along with the production data. The client considered paying the ransom demand (exceeding $200K) and hoping for the best, but in the end reached out to Progent.
"I can't thank you enough for the help Progent provided us throughout the most critical time of (our) business's life. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent team afforded us. That you could get our messaging and key servers back on-line sooner than one week was amazing. Every single staff member I interacted with or messaged at Progent was laser focused on getting us back on-line and was working 24/7 to bail us out."
Progent worked with the customer to quickly determine and prioritize the critical areas that needed to be recovered in order to restart business operations:
- Windows Active Directory
- Electronic Messaging
- MRP System
To start, Progent followed ransomware incident response industry best practices by stopping the spread and disinfecting systems. Progent then began the process of rebuilding Active Directory, the foundation of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange email will not operate without AD, and the customer's MRP system used SQL Server, which needs Active Directory for access to the databases.
In less than two days, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then completed setup and storage recovery of essential servers. All Exchange Server schema and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to find intact OST files (Outlook Offline Folder Files) on various workstations and laptops to recover mail data. A relatively recent off-line backup of the client's financials/MRP systems made it possible to return these essential services to users. Although significant work remained to recover completely from the Ryuk event, the most important systems were recovered rapidly:
"For the most part, the production manufacturing operation ran fairly normal throughout and we delivered all customer orders."
During the next month key milestones in the restoration project were accomplished through close collaboration between Progent engineers and the customer:
- In-house web sites were brought back up with no loss of data.
- The MailStore archive for Microsoft Exchange Server, holding more than 4 million historical messages, was brought on-line and made available to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were fully restored.
- A new Palo Alto 850 firewall was set up and programmed.
- 90% of the user workstations were functioning as before the incident.
"A lot of what occurred that first week is nearly entirely a fog for me, but I will not soon forget the commitment each of your team put in to give us our company back. I've utilized Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."
A possible business-killing disaster was averted with dedicated experts, a wide spectrum of knowledge, and tight teamwork. Post-incident forensics showed that the crypto-ransomware penetration described here should have been prevented by advanced security systems and best practices, staff education, and well-designed procedures for data protection and software patching. Even so, state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, feel confident that Progent's team of experts has proven experience in crypto-ransomware blocking, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for allowing me to get rested after we got over the initial fire. Everyone did an incredible job, and if anyone that helped is around the Chicago area, dinner is on me!"
To review or download a PDF version of this customer story, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Albany a range of online monitoring and security assessment services designed to help you to minimize your vulnerability to crypto-ransomware. These services incorporate modern artificial intelligence technology to uncover zero-day strains of ransomware that are able to escape detection by legacy signature-based security solutions.
For 24x7x365 Albany Ransomware Removal Support Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting edge behavior-based analysis tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which easily evade traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to automate the entire threat lifecycle including protection, detection, containment, remediation, and forensics. Key features include one-click rollback with Windows VSS and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies packaged within one agent accessible from a unified console. Progent's security and virtualization experts can help your business to plan and configure a ProSight ESP deployment that meets your organization's unique needs and that allows you to achieve and demonstrate compliance with government and industry information security regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent can also help your company to install and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and medium-sized businesses an affordable end-to-end service for reliable backup/disaster recovery. For a low monthly cost, ProSight DPS automates and monitors your backup processes and enables rapid recovery of vital data, apps and VMs that have become unavailable or corrupted due to component failures, software glitches, disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's BDR specialists can deliver advanced support to configure ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, when needed, can assist you to recover your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security vendors to provide web-based control and world-class security for your email traffic. The layered structure of the Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to offer advanced protection against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as a preliminary barricade and blocks most unwanted email before it reaches your network firewall. This reduces your exposure to external threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper layer of inspection for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email traffic that stays within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to diagram, monitor, reconfigure and troubleshoot their connectivity appliances like switches, firewalls, and load balancers as well as servers, endpoints and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, copies and manages the configuration of almost all devices connected to your network, monitors performance, and sends notices when issues are detected. By automating time-consuming management processes, WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, finding appliances that need important updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management technology to keep your network operating efficiently by checking the health of critical assets that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT management personnel and your assigned Progent engineering consultant so all potential problems can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hardware environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard data related to your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can eliminate as much as 50% of the time spent searching for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.