Crypto-Ransomware : Your Worst Information Technology Catastrophe
Crypto-Ransomware has become an escalating cyber pandemic that represents an existential threat for organizations vulnerable to an attack. Different versions of ransomware such as CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been replicating for years and continue to inflict havoc. Recent variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, plus more unnamed malware, not only encrypt on-line information but also infiltrate many configured system protection. Files synched to off-site disaster recovery sites can also be ransomed. In a poorly architected environment, this can render any recovery impossible and effectively knocks the datacenter back to square one.
Retrieving applications and data after a crypto-ransomware attack becomes a race against the clock as the targeted business tries its best to contain and eradicate the ransomware and to resume enterprise-critical operations. Because crypto-ransomware requires time to replicate, attacks are often launched on weekends and holidays, when attacks typically take more time to recognize. This multiplies the difficulty of rapidly mobilizing and organizing a qualified mitigation team.
Progent has a range of services for protecting organizations from ransomware events. Among these are user training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of the latest generation security solutions with artificial intelligence technology from SentinelOne to detect and extinguish zero-day threats automatically. Progent also can provide the services of seasoned crypto-ransomware recovery consultants with the talent and commitment to restore a breached system as soon as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware attack, sending the ransom in cryptocurrency does not guarantee that merciless criminals will provide the keys to decipher any of your data. Kaspersky ascertained that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly above the average crypto-ransomware demands, which ZDNET estimates to be around $13,000. The other path is to setup from scratch the key elements of your IT environment. Without access to essential system backups, this calls for a wide range of skills, professional team management, and the capability to work continuously until the recovery project is finished.
For twenty years, Progent has provided professional Information Technology services for businesses in Albany and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have been awarded top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally-recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of experience provides Progent the ability to knowledgably identify necessary systems and organize the surviving pieces of your computer network system after a crypto-ransomware event and assemble them into a functioning system.
Progent's ransomware team has best of breed project management applications to orchestrate the complicated recovery process. Progent knows the importance of working rapidly and together with a client's management and Information Technology resources to prioritize tasks and to put critical systems back on-line as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Virus Restoration
A customer contacted Progent after their network was brought down by the Ryuk crypto-ransomware. Ryuk is generally considered to have been created by Northern Korean state cybercriminals, possibly adopting algorithms exposed from the U.S. National Security Agency. Ryuk seeks specific businesses with little room for operational disruption and is one of the most profitable instances of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer based in the Chicago metro area with around 500 workers. The Ryuk attack had shut down all essential operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the time of the intrusion and were damaged. The client was evaluating paying the ransom demand (more than $200,000) and hoping for good luck, but ultimately brought in Progent.
"I cannot say enough about the help Progent gave us throughout the most fearful time of (our) company's life. We had little choice but to pay the cyber criminals except for the confidence the Progent team gave us. That you could get our e-mail and essential applications back online faster than 1 week was earth shattering. Every single expert I spoke to or messaged at Progent was totally committed on getting us restored and was working at all hours on our behalf."
Progent worked hand in hand the client to quickly assess and assign priority to the key areas that needed to be recovered to make it possible to resume departmental functions:
To get going, Progent followed AV/Malware Processes incident response industry best practices by stopping the spread and clearing infected systems. Progent then started the task of rebuilding Active Directory, the foundation of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the businesses' MRP applications utilized Microsoft SQL Server, which depends on Active Directory for access to the databases.
- Windows Active Directory
- Electronic Mail
Within 2 days, Progent was able to recover Active Directory to its pre-attack state. Progent then initiated rebuilding and storage recovery on essential servers. All Exchange Server data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to find intact OST files (Microsoft Outlook Offline Data Files) on staff desktop computers in order to recover email data. A not too old offline backup of the customer's accounting/ERP software made them able to recover these required applications back servicing users. Although a large amount of work was left to recover completely from the Ryuk event, the most important services were returned to operations quickly:
"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer sales."
During the following couple of weeks important milestones in the recovery project were made in close collaboration between Progent engineers and the client:
- Self-hosted web sites were restored with no loss of data.
- The MailStore Exchange Server exceeding four million archived messages was spun up and accessible to users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent functional.
- A new Palo Alto 850 security appliance was brought on-line.
- Ninety percent of the user desktops were operational.
"A huge amount of what transpired during the initial response is nearly entirely a haze for me, but we will not soon forget the countless hours all of you accomplished to give us our company back. I've entrusted Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered as promised. This situation was a stunning achievement."
A potential company-ending disaster was evaded with hard-working experts, a broad array of subject matter expertise, and tight collaboration. Although upon completion of forensics the ransomware penetration described here should have been identified and disabled with up-to-date cyber security technology and recognized best practices, user and IT administrator training, and well designed security procedures for data backup and proper patching controls, the fact is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware virus, remember that Progent's team of experts has a proven track record in ransomware virus blocking, mitigation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were contributing), thanks very much for making it so I could get some sleep after we made it over the initial push. All of you did an incredible effort, and if any of your guys is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Albany a range of remote monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services utilize modern artificial intelligence capability to detect zero-day strains of ransomware that are able to get past legacy signature-based anti-virus products.
For Albany 24x7x365 Ransomware Recovery Services, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's cutting edge behavior machine learning tools to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily escape traditional signature-matching anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to address the entire malware attack progression including blocking, identification, containment, remediation, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer security for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint control, and web filtering via leading-edge technologies incorporated within one agent managed from a single console. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP environment that addresses your organization's specific requirements and that helps you demonstrate compliance with legal and industry information security regulations. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also help you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore technology providers to create ProSight Data Protection Services, a portfolio of subscription-based management offerings that provide backup-as-a-service. ProSight DPS products manage and track your data backup operations and allow transparent backup and fast restoration of important files, applications, system images, and virtual machines. ProSight DPS lets your business avoid data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, user error, malicious insiders, or application bugs. Managed backup services available in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security companies to provide centralized management and comprehensive security for all your inbound and outbound email. The hybrid structure of Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from making it to your network firewall. This decreases your vulnerability to external attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the local security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your security perimeter. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, monitor, reconfigure and troubleshoot their connectivity appliances like switches, firewalls, and load balancers as well as servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are always updated, captures and displays the configuration of almost all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating complex network management activities, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, expanding your network, finding devices that require important updates, or resolving performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to help keep your network operating at peak levels by tracking the health of vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your specified IT personnel and your assigned Progent engineering consultant so that any potential issues can be addressed before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved easily to an alternate hardware solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard information related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're making improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Read more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting edge behavior analysis tools to guard endpoints and physical and virtual servers against modern malware assaults like ransomware and file-less exploits, which easily evade traditional signature-matching AV tools. Progent ASM services protect local and cloud-based resources and offers a single platform to manage the entire threat progression including filtering, detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Help Center: Support Desk Managed Services
Progent's Support Desk managed services allow your information technology staff to offload Support Desk services to Progent or split responsibilities for Service Desk support seamlessly between your internal support team and Progent's nationwide pool of IT support engineers and subject matter experts. Progent's Shared Help Desk Service offers a smooth extension of your core IT support staff. End user access to the Help Desk, delivery of technical assistance, problem escalation, trouble ticket generation and tracking, performance metrics, and management of the service database are consistent regardless of whether incidents are taken care of by your core support staff, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/shared Help Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management offer businesses of any size a flexible and affordable solution for evaluating, testing, scheduling, implementing, and documenting updates to your dynamic IT network. Besides optimizing the protection and functionality of your IT environment, Progent's patch management services free up time for your IT team to focus on more strategic projects and tasks that derive the highest business value from your network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against stolen passwords by using two-factor authentication (2FA). Duo enables single-tap identity confirmation with iOS, Google Android, and other personal devices. Using 2FA, whenever you log into a protected online account and give your password you are asked to verify who you are via a device that only you possess and that is accessed using a different ("out-of-band") network channel. A wide range of out-of-band devices can be used for this added means of ID validation such as a smartphone or watch, a hardware token, a landline phone, etc. You may designate multiple verification devices. For more information about ProSight Duo two-factor identity authentication services, visit Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing family of real-time and in-depth reporting tools created to work with the industry's leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues like inconsistent support follow-through or endpoints with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.