Crypto-Ransomware: Your Feared Information Technology Catastrophe
Crypto-ransomware has become an escalating cyberplague that presents an existential threat to businesses of all sizes vulnerable to an assault. Versions of ransomware such as Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and still inflict destruction. Recent variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as daily as-yet-unnamed malware, not only encrypt online critical data but also infect many configured system backups. Information synced to the cloud can also be encrypted. In a poorly designed system, this can render automatic restoration hopeless and basically sets the entire environment back to square one.
Getting services and data back online after a crypto-ransomware outage becomes a race against the clock as the victim fights to stop the spread, remove the ransomware and restore enterprise-critical operations. Since ransomware requires time to spread, attacks are often launched on weekends and holidays, when intrusions in many cases take longer to identify. This multiplies the difficulty of quickly marshalling and coordinating a qualified mitigation team.
Progent makes available a range of help services for securing businesses from ransomware attacks. These include training staff to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of security solutions with artificial intelligence technology from SentinelOne to discover and quarantine zero-day threats automatically. Progent in addition provides the services of expert ransomware recovery consultants with the skills and commitment to reconstruct a breached environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Following a crypto-ransomware attack, paying the ransom in cryptocurrency does not ensure that criminal gangs will return the keys needed to decrypt any of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the typical ransomware demand, which ZDNET determined to be around $13,000. The fallback is to piece back together the critical elements of your IT environment. Absent access to full data backups, this calls for a wide range of IT skills, top-notch project management, and the willingness to work continuously until the task is finished.
For twenty years, Progent has offered professional IT services for businesses in Birmingham and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-renowned certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in accounting and ERP application software. This breadth of experience provides Progent the skills to rapidly identify critical systems and organize the remaining components of your IT environment after a ransomware event and configure them into a functioning network.
Progent's security group has top-notch project management systems to orchestrate the sophisticated restoration process. Progent knows the importance of acting rapidly and in unison with a customer's management and IT resources to assign priority to tasks and to put essential applications back online as fast as humanly possible.
Client Case Study: A Successful Ransomware Attack Recovery
A client escalated to Progent after their company was brought down by Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored hackers, suspected of adopting algorithms leaked from America's NSA. Ryuk targets specific companies with little tolerance for disruption and is one of the most profitable iterations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had disabled all business operations and manufacturing capabilities. Most of the client's backups had been online at the time of the attack and were damaged. The client considered paying the ransom (in excess of $200K) and hoping for the best, but in the end engaged Progent.
"I can't thank you enough in regards to the support Progent provided us throughout the most critical period of (our) business's survival. We may have had to pay the cybercriminals if not for the confidence the Progent team provided us. That you were able to get our e-mail system and important servers back on-line sooner than five days was amazing. Every single expert I interacted with or messaged at Progent was urgently focused on getting our company operational and was working non-stop on our behalf."
Progent worked together with the client to rapidly assess and prioritize the most important applications that had to be restored to make it possible to resume departmental functions:
- Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To begin, Progent adhered to ransomware event mitigation best practices by halting the spread and cleaning up infected systems. Progent then started the work of rebuilding Windows Active Directory, the heart of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without Active Directory, and the business's financials and MRP system relied on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the databases.
Within two days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then completed rebuilds and hard drive recovery on the needed systems. All Microsoft Exchange Server ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to find non-encrypted OST files (Outlook Off-Line Folder Files) on staff PCs and laptops in order to recover email data. A recent off-line backup of the customer's financials/ERP systems made it possible to bring these essential applications back into service. Although major work still had to be done to recover totally from the Ryuk damage, core systems were returned to operation rapidly:
"For the most part, the assembly line operation was never shut down and we did not miss any customer shipments."
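The recovery order described above (Active Directory first, because Exchange and the SQL Server-backed financials/MRP system cannot authenticate without it) is an instance of a general rule: restore a service only after everything it depends on is back, and among services that are ready, bring up the one the business needs most. The following Python planner is an added example, not Progent's tooling or anything from the case study; the service names, priorities and dependency edges are constructed for illustration and would be replaced by an organization's own inventory.

```python
"""Restore-order planner for ransomware recovery (added illustration, not Progent code).

Given a dependency graph and a business priority per service, compute a
restore sequence that never starts a service before its dependencies and,
among services that are ready, picks the highest-priority one first.
Service names, priorities and dependencies below are constructed.
"""
from collections import defaultdict
import heapq

# Constructed sample inventory: service -> (priority, dependencies).
# Lower priority number = restore sooner when otherwise ready.
SERVICES = {
    "active_directory": (1, []),
    "exchange": (2, ["active_directory"]),
    "sql_server": (2, ["active_directory"]),
    "erp_financials": (3, ["sql_server"]),
    "mrp": (3, ["sql_server"]),
    "intranet_web": (4, ["active_directory"]),
    "mail_archive": (5, ["exchange"]),
}


def restore_order(services):
    """Return service names in a valid restore sequence.

    Kahn's algorithm with a priority queue: whenever several services are
    unblocked, the one with the lowest priority number comes first.
    Raises ValueError on a dependency cycle (nothing could ever start)
    or on a reference to a service missing from the inventory.
    """
    indegree = {name: 0 for name in services}
    dependents = defaultdict(list)
    for name, (_, deps) in services.items():
        for dep in deps:
            if dep not in services:
                raise ValueError(f"{name} depends on unknown service {dep}")
            indegree[name] += 1
            dependents[dep].append(name)
    ready = [(prio, name) for name, (prio, _) in services.items() if indegree[name] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (services[child][0], child))
    if len(order) != len(services):
        stuck = sorted(n for n in services if n not in order)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def restore_waves(services):
    """Group services into waves; each wave depends only on earlier waves.

    Wave 0 is everything with no dependencies (Active Directory here);
    members of the same wave can be rebuilt in parallel once the previous
    wave is up. Each wave is sorted by priority, then name.
    """
    wave_of = {}

    def wave(name, seen=()):
        if name in wave_of:
            return wave_of[name]
        if name in seen:
            raise ValueError(f"dependency cycle at {name}")
        deps = services[name][1]
        w = 0 if not deps else 1 + max(wave(d, seen + (name,)) for d in deps)
        wave_of[name] = w
        return w

    for name in services:
        wave(name)
    waves = defaultdict(list)
    for name, w in wave_of.items():
        waves[w].append(name)
    return [sorted(waves[w], key=lambda n: (services[n][0], n)) for w in sorted(waves)]


if __name__ == "__main__":
    for step, svc in enumerate(restore_order(SERVICES), 1):
        print(f"{step}. {svc}")
    for i, members in enumerate(restore_waves(SERVICES)):
        print(f"wave {i}: {', '.join(members)}")
```

With the constructed inventory the sequence starts with active_directory, then exchange and sql_server, then the ERP and MRP applications that sit on SQL Server; the wave view shows which rebuilds can proceed in parallel once a dependency is back, which is what a recovery team needs when it is allocating engineers against the clock.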
During the following few weeks key milestones in the restoration project were accomplished in close collaboration between Progent engineers and the client:
- In-house web sites were returned to operation without losing any data.
- The MailStore Microsoft Exchange Server containing more than 4 million historical messages was brought online and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were 100 percent operational.
- A new Palo Alto Networks 850 security appliance was brought online.
- Nearly all user workstations were back in use by staff.
"A huge amount of what transpired those first few days is nearly entirely a blur for me, but my management will not forget the care each and every one of your team put in to give us our business back. I have trusted Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was a life saver."
A likely business extinction catastrophe was evaded thanks to dedicated experts, a wide range of technical expertise, and close collaboration. Although the completed forensics showed that the crypto-ransomware attack detailed here could have been stopped with modern cyber security solutions, ISO/IEC 27001 best practices, team training, and well-thought-out procedures for data backup and for keeping systems up to date with security patches, the reality is that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware penetration, remember that Progent's team of professionals has substantial experience in ransomware defense, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for allowing me to get some sleep after we got through the most critical parts. Everyone did an incredible job, and if any of your guys is visiting the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Birmingham a range of remote monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services include modern AI capability to detect zero-day variants of crypto-ransomware that can get past traditional signature-based anti-virus solutions.
For Birmingham 24x7x365 Crypto Removal Experts, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next-generation behavior analysis tools to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and fileless exploits, which easily escape traditional signature-based AV products. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to manage the complete malware attack lifecycle including protection, identification, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and responding to security threats from all vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, device control, and web filtering through leading-edge technologies incorporated within a single agent accessible from a single control. Progent's security and virtualization experts can assist your business to design and configure a ProSight ESP deployment that meets your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent can also help you to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has worked with advanced backup/restore technology companies to create ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and monitor your backup operations and allow non-disruptive backup and fast restoration of critical files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned employees, or software bugs. Managed services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading information security companies to deliver web-based control and comprehensive protection for all your inbound and outbound email. The powerful architecture of Email Guard managed service integrates cloud-based filtering with a local gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to external threats and conserves system bandwidth and storage. Email Guard's on-premises security gateway device adds a further layer of inspection for inbound email. For outbound email, the local gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays within your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to map, track, optimize and troubleshoot their connectivity appliances like routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are always updated, captures and displays the configuration information of virtually all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, finding devices that need critical updates, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your network running at peak levels by checking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT management personnel and your assigned Progent engineering consultant so any looming problems can be resolved before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected, fault-tolerant data center on a fast virtual host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved immediately to a different hosting environment without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard information related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as 50% of time wasted trying to find vital information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
- Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates next-generation behavior-based machine learning tools to defend endpoints as well as servers and VMs against modern malware attacks like ransomware and email phishing, which routinely evade traditional signature-matching AV tools. Progent ASM services protect on-premises and cloud resources and provide a single platform to manage the entire malware attack progression including filtering, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Service Center: Call Center Managed Services
Progent's Support Center services enable your IT staff to outsource Support Desk services to Progent or split activity for support services transparently between your in-house support team and Progent's nationwide pool of IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a seamless supplement to your internal network support resources. Client interaction with the Service Desk, delivery of support services, problem escalation, trouble ticket generation and updates, performance measurement, and management of the service database are cohesive regardless of whether incidents are resolved by your internal support staff, by Progent, or both. Learn more about Progent's outsourced/co-managed Call Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer organizations of any size a versatile and affordable solution for evaluating, validating, scheduling, applying, and tracking updates to your ever-evolving IT network. In addition to maximizing the security and reliability of your computer network, Progent's patch management services free up time for your in-house IT staff to focus on line-of-business initiatives and activities that derive the highest business value from your information network. Find out more about Progent's patch management support services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo supports single-tap identity verification on iOS, Android, and other out-of-band devices. Using 2FA, when you sign into a secured online account and enter your password you are asked to confirm your identity on a device that only you have and that uses a separate network channel. A wide selection of devices can be used as this second means of authentication, including an iPhone, Android phone or wearable, a hardware/software token, a landline phone, etc. You can register multiple verification devices. For details about ProSight Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication (2FA) services.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing suite of real-time and in-depth reporting tools created to work with the industry's leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.