Ransomware : Your Feared IT Nightmare
Ransomware has become an escalating cyberplague that poses an enterprise-level danger for businesses poorly prepared for an assault. Multiple generations of crypto-ransomware such as the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for many years and still inflict damage. More recent variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with newer strains that have yet to be named, not only encrypt online data files but also compromise whatever system protection they can reach. Data replicated to cloud environments can also be encrypted. In a vulnerable environment this can make automated restoration hopeless and effectively knocks the network back to zero.
Getting applications and information back online after a ransomware event becomes a sprint against time as the targeted organization fights to stop the spread, eradicate the ransomware and resume business-critical operations. Because ransomware takes time to move laterally, attacks are usually launched at night and on weekends, when penetrations typically take longer to discover. This compounds the difficulty of promptly assembling and organizing an experienced mitigation team.
Progent has a range of support services for protecting organizations from ransomware events. These include team member training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security gateways with artificial intelligence capabilities to intelligently discover and suppress day-zero cyber threats. Progent in addition provides the assistance of expert crypto-ransomware recovery engineers with the talent and commitment to rebuild a breached system as urgently as possible.
Progent's Ransomware Recovery Help
Following a crypto-ransomware event, even paying the ransom in Bitcoin does not ensure that the remote criminals will respond with the codes needed to decrypt any of your data. Kaspersky determined that seventeen percent of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is greatly above the typical ransomware demand, which ZDNET averages to be approximately $13,000. The alternative is to set up the critical components of your IT environment from scratch. Absent the availability of full data backups, this calls for a broad range of skills, professional team management, and the willingness to work continuously until the recovery project is completed.
For twenty years, Progent has made available professional Information Technology services for companies in Arlington and across the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have garnered internationally-recognized certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the ability to efficiently identify critical systems, re-organize the surviving components of your network after a crypto-ransomware attack and rebuild them into a functioning network.
Progent's ransomware group uses top notch project management applications to orchestrate the complex restoration process. Progent knows the importance of working quickly and in concert with a client's management and IT resources to assign priority to tasks and to put the most important applications back on-line as soon as possible.
Case Study: A Successful Crypto-Ransomware Incident Restoration
A business contacted Progent after their network was penetrated by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state criminal gangs, possibly adopting techniques exposed from America's National Security Agency. Ryuk targets specific organizations with limited room for operational disruption and is one of the most lucrative versions of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with around 500 employees. The Ryuk intrusion had brought down all company operations and manufacturing processes. Most of the client's data backups had been online at the beginning of the attack and were damaged. The client was evaluating paying the ransom demand (more than $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot thank you enough in regards to the support Progent gave us throughout the most critical period of (our) business's survival. We had little choice but to pay the criminal gangs except for the confidence the Progent group provided us. The fact that you could get our e-mail system and key applications back into operation quicker than seven days was incredible. Each expert I talked with or e-mailed at Progent was urgently focused on getting us working again and was working day and night on our behalf."
Progent worked with the client to quickly understand and prioritize the most important elements that needed to be addressed in order to restart business operations:
- Active Directory
- Exchange Server
To get going, Progent adhered to ransomware incident response best practices by isolating and removing active malware. Progent then began the task of rebuilding Active Directory, the heart of enterprise environments built on Microsoft Windows Server technology. Exchange messaging will not work without Active Directory, and the client's MRP software relied on SQL Server, which depends on Active Directory services for access to the database.
Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then initiated setup and storage recovery of the most important applications. All Microsoft Exchange Server data and configuration information were usable, which greatly helped the restoration of Exchange. Progent was able to find local OST files (Outlook Offline Data Files) on various workstations to recover email messages. A reasonably recent offline backup of the customer's accounting/ERP software made it possible to bring these essential applications back into service. Although major work remained to recover completely from the Ryuk attack, critical systems were restored quickly:
"For the most part, the manufacturing operation never missed a beat and we made all customer orders."
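The OST recovery step described above depends on locating the offline data files before workstations are reimaged and the files are lost. The following PowerShell script is an added example, not Progent's own tooling or anything taken from the case study: it inventories Outlook OST files on a list of workstations, copies them to a recovery share and records a SHA-256 hash for each copy. The computer names and the share path are constructed placeholders; the script assumes the C$ administrative share on each workstation is reachable and that the account running it has local administrator rights there.

```powershell
# Added example (not Progent's tooling): stage Outlook OST files from workstations
# for mailbox recovery after a ransomware event.
# Assumptions: the C$ admin share on each workstation is reachable, the caller has
# local administrator rights there, and $RecoveryShare is a path you control.
param(
    [string[]]$Computers = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02'),   # constructed names
    [string]$RecoveryShare = '\\RECOVERY-EXAMPLE\ost'             # constructed path
)

if (-not (Test-Path $RecoveryShare)) {
    New-Item -ItemType Directory -Path $RecoveryShare | Out-Null
}

$inventory = foreach ($pc in $Computers) {
    # Outlook stores OST files under each profile's local AppData by default,
    # so the Users tree reached through the admin share is the place to look.
    $usersRoot = "\\$pc\C$\Users"
    if (-not (Test-Path $usersRoot)) {
        Write-Warning "$pc is unreachable or has no C$ share; skipping"
        continue
    }

    Get-ChildItem -Path $usersRoot -Recurse -Filter '*.ost' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Prefix with the host name so files from different workstations never collide
            $dest = Join-Path $RecoveryShare ("{0}_{1}" -f $pc, $file.Name)
            try {
                Copy-Item -Path $file.FullName -Destination $dest -ErrorAction Stop
                [pscustomobject]@{
                    Computer = $pc
                    Source   = $file.FullName
                    SizeMB   = [math]::Round($file.Length / 1MB, 1)
                    Modified = $file.LastWriteTime
                    Sha256   = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
                }
            } catch {
                Write-Warning "Could not copy $($file.FullName) from $pc - $($_.Exception.Message)"
            }
        }
}

# Keep a record of what was collected, then show it on screen
$inventory | Export-Csv -Path (Join-Path $RecoveryShare 'ost-inventory.csv') -NoTypeInformation
$inventory | Format-Table -AutoSize
```

Compare the Modified column against the time the intrusion was discovered: an OST whose last write falls inside the attack window should be treated as suspect until it opens cleanly in Outlook, and the hash record lets you show later exactly which copy was used for the restore.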
Throughout the following month critical milestones in the recovery process were achieved through tight cooperation between Progent team members and the customer:
- Internal web applications were restored with no loss of information.
- The MailStore Microsoft Exchange Server containing more than four million archived messages was spun up and available for users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were fully operational.
- A new Palo Alto 850 firewall was brought online.
- Most of the desktop computers were back into operation.
"So much of what happened in the early hours is nearly entirely a blur for me, but we will not forget the dedication all of your team accomplished to give us our business back. I've entrusted Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was no exception but maybe more Herculean."
A likely enterprise-killing disaster was averted with dedicated experts, a wide spectrum of knowledge, and close collaboration. Although in a post-mortem the crypto-ransomware incident detailed here could have been shut down with advanced cyber security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and well-designed procedures for backup and for keeping systems up to date with security patches, the fact is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and will continue. If you do fall victim to ransomware, feel confident that Progent's team of experts has substantial experience in ransomware blocking, removal, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were contributing), I'm grateful for letting me get some sleep after we got over the initial fire. All of you did an incredible effort, and if anyone is around the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Arlington a range of online monitoring and security assessment services to help you minimize your exposure to crypto-ransomware. These services use next-generation machine learning to uncover zero-day strains of ransomware that are able to evade legacy signature-based security solutions.
For 24x7 Arlington Crypto Recovery Experts, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes cutting edge behavior analysis tools to defend physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which easily escape legacy signature-based AV products. ProSight ASM protects on-premises and cloud resources and offers a unified platform to address the entire threat progression including blocking, infiltration detection, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device management, and web filtering through cutting-edge tools incorporated within a single agent accessible from a single control. Progent's security and virtualization experts can help you to design and configure a ProSight ESP deployment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also assist you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Backup and Recovery Services
Progent has worked with leading backup technology companies to produce ProSight Data Protection Services (DPS), a selection of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and track your backup operations and allow transparent backup and fast restoration of important files, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets you avoid data loss caused by hardware breakdown, natural disasters, fire, malware such as ransomware, user error, ill-intentioned insiders, or application bugs. Managed backup services in the ProSight Data Protection Services portfolio include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these fully managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security vendors to provide centralized management and comprehensive security for all your inbound and outbound email. The powerful architecture of Email Guard managed service combines cloud-based filtering with a local security gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter serves as a first line of defense and keeps most threats from making it to your security perimeter. This reduces your vulnerability to inbound attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further layer of inspection for inbound email. For outbound email, the onsite security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map out, monitor, reconfigure and debug their connectivity hardware like routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and displays the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are discovered. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, finding devices that need important updates, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network operating efficiently by checking the health of the vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management personnel and your Progent engineering consultant so that looming issues can be resolved before they disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and safeguard data related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can save as much as 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're making enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates cutting-edge behavior analysis tools to guard endpoint devices as well as physical and virtual servers against new malware attacks like ransomware and email phishing, which routinely escape traditional signature-based anti-virus products. Progent Active Security Monitoring services safeguard local and cloud-based resources and offer a single platform to address the entire threat lifecycle including filtering, detection, containment, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Service Desk: Call Center Managed Services
Progent's Support Center managed services enable your information technology staff to offload Help Desk services to Progent or divide activity for support services seamlessly between your in-house network support resources and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a smooth extension of your corporate IT support team. User access to the Help Desk, delivery of technical assistance, issue escalation, ticket creation and updates, performance metrics, and maintenance of the support database are cohesive whether issues are taken care of by your corporate network support group, by Progent's team, or by a combination. Learn more about Progent's outsourced/shared Help Center services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management offer organizations of any size a versatile and affordable solution for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT network. In addition to maximizing the security and functionality of your computer environment, Progent's software/firmware update management services free up time for your IT staff to focus on line-of-business projects and tasks that deliver maximum business value from your network. Read more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA service plans use Cisco's Duo technology to defend against password theft by using two-factor authentication (2FA). Duo enables one-tap identity confirmation with iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you log into a protected online account and enter your password you are asked to verify who you are on a device that only you possess and that is reached over a different network channel. A broad range of out-of-band devices can be used for this added form of identity validation, such as an iPhone, Android phone or smartwatch, a hardware/software token, or a landline telephone. You may register multiple validation devices. To learn more about Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services.