Ransomware: Your Worst Information Technology Nightmare
Ransomware has become a modern cyber pandemic that presents an enterprise-level threat to businesses of all sizes. Multiple generations of crypto-ransomware such as Dharma, Fusob, Locky, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to cause damage. Newer strains such as Ryuk and Hermes, plus as yet unnamed newcomers, not only encrypt online data files but also corrupt whatever system protection they can reach. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed data protection solution, this can defeat automatic restore operations and effectively set the network back to zero.
Restoring services and information after a ransomware attack becomes a race against the clock as the targeted business fights to contain and remove the ransomware and to restore enterprise-critical operations. Because ransomware requires time to replicate, attacks are usually launched during nights and weekends, when a successful penetration tends to go unnoticed for longer. This multiplies the difficulty of promptly mobilizing and orchestrating a knowledgeable response team.
Progent offers a variety of solutions for protecting businesses from ransomware attacks. These include team member training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security solutions with machine learning technology to rapidly discover and disable zero-day cyber attacks. Progent also provides experienced crypto-ransomware recovery consultants with the skills and perseverance to restore a breached network as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, paying the ransom demand in cryptocurrency provides no assurance that the criminals will hand over the keys to decrypt all your information. Kaspersky Labs found that 17% of ransomware victims never recovered their files after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET estimates averages around $13,000. The fallback is to rebuild the essential parts of your Information Technology environment from scratch. Without full system backups, this calls for a broad complement of skill sets, well-coordinated team management, and the willingness to work 24x7 until the recovery project is over.
For decades, Progent has offered certified expert IT services for companies in Bellevue and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of experience gives Progent the skills to efficiently identify critical systems, reintegrate the surviving components of your IT environment after a ransomware event, and configure them into an operational network.
Progent's recovery group uses top-notch project management systems to coordinate the complicated restoration process. Progent appreciates the urgency of working swiftly and together with a client's management and Information Technology staff to prioritize tasks and to put key applications back online as soon as possible.
Business Case Study: A Successful Ransomware Penetration Recovery
A client hired Progent after their organization was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state hackers, suspected of using techniques leaked from the United States NSA. Ryuk targets specific organizations with little or no room for disruption and is among the most profitable ransomware strains. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area with about 500 employees. The Ryuk event had disabled all company operations and manufacturing processes. Most of the client's backups had been online at the beginning of the intrusion and were damaged. The client was actively seeking loans to pay the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately brought in Progent.
"I can't speak enough in regards to the help Progent gave us throughout the most stressful period of (our) company's life. We had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent experts afforded us. That you could get our messaging and production servers back into operation sooner than seven days was amazing. Every single expert I worked with or messaged at Progent was urgently focused on getting my company operational and was working at all hours to bail us out."
Progent worked with the client to quickly identify and prioritize the essential services that had to be addressed in order to restart business functions:
- Active Directory
- Microsoft Exchange Server
To start, Progent followed malware incident response best practices by stopping lateral movement and removing active malware. Progent then began recovering Microsoft Active Directory (AD), the heart of enterprise environments built on Microsoft Windows Server technology. Exchange email will not function without AD, and the customer's financials and MRP software relied on Microsoft SQL Server, which depends on Windows AD for access to the databases.
In less than 48 hours, Progent was able to recover Active Directory to its pre-penetration state. Progent then pressed ahead with setup and hard drive recovery on key systems. All Exchange ties and attributes were intact, which facilitated the restoration of Exchange. Progent was also able to assemble intact OST files (Outlook Offline Data Files) from various workstations in order to recover mail data. A reasonably recent offline backup of the business's accounting systems made it possible to bring these vital applications back online. Although major work still had to be done to recover completely from the Ryuk attack, essential systems were returned to operation rapidly:
"For the most part, the production line operation never missed a beat and we delivered all customer deliverables."
Over the next couple of weeks, key milestones in the restoration process were reached in close cooperation between Progent consultants and the client:
- In-house web sites were brought back up with no loss of information.
- The MailStore Server containing more than 4 million archived emails was brought on-line and available for users.
- CRM/Orders/Invoicing/AP/AR/Inventory functions were fully operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Nearly all of the desktops and laptops were back in operation.
"Much of what occurred that first week is nearly entirely a haze for me, but my team will not soon forget the care all of you put in to give us our company back. I have been working together with Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This event was a Herculean accomplishment."
A potential business-killing disaster was avoided through the efforts of dedicated experts, a broad array of subject matter expertise, and tight teamwork. In hindsight, the crypto-ransomware incident described here should have been prevented by advanced cyber security solutions and security best practices, user education, and appropriate incident response procedures for data backup and patching controls. The reality, however, is that government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware incursion, you can be confident that Progent's team of professionals has a proven track record in ransomware defense, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thank you for making it so I could get rested after we got through the initial push. All of you did a fabulous effort, and if any of your team is around the Chicago area, dinner is my treat!"
A PDF version of this customer story is available for download: Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Bellevue a range of remote monitoring and security evaluation services designed to help you reduce the threat from crypto-ransomware. These services incorporate modern machine learning capabilities to uncover new variants of ransomware that evade legacy signature-based anti-virus products.
For Bellevue 24-7 Ransomware Recovery Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting-edge behavior-based analysis tools to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely get past legacy signature-based AV tools. ProSight ASM protects on-premises and cloud resources and provides a unified platform to automate the entire malware attack lifecycle, including blocking, detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, device control, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a single console. Progent's security and virtualization experts can assist your business to plan and configure a ProSight ESP deployment that meets your company's unique needs and that helps you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate action. Progent's consultants can also help your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized organizations a low-cost, fully managed solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates your backup processes and allows fast restoration of critical data, apps and virtual machines that have become unavailable or corrupted due to component breakdowns, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, and Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local device, or to both. Progent's BDR specialists can provide world-class support to set up ProSight Data Protection Services to comply with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, whenever needed, can help you recover your business-critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top data security companies to deliver centralized management and world-class security for all your email traffic. The layered structure of the Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to offer complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper layer of analysis for inbound email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Microsoft Exchange Server track and protect internal email traffic that originates and ends inside your security perimeter. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map, monitor, reconfigure and debug their networking hardware like routers, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends notices when issues are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding appliances that need important updates, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by tracking the health of the critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your specified IT personnel and your assigned Progent engineering consultant so that looming issues can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect data about your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT documentation, you can eliminate as much as half of the time spent looking for vital information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your network infrastructure, such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.