Ransomware : Your Crippling Information Technology Disaster
Crypto-Ransomware has become an escalating cyberplague that presents an existential danger for businesses of all sizes vulnerable to an assault. Different iterations of crypto-ransomware like the CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been around for many years and still cause havoc. The latest versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Egregor, as well as more as yet unnamed malware, not only do encryption of on-line information but also infiltrate many configured system protection mechanisms. Information synchronized to off-site disaster recovery sites can also be encrypted. In a poorly designed data protection solution, it can render automatic restore operations impossible and basically sets the network back to zero.
Getting back on-line applications and data after a ransomware intrusion becomes a sprint against the clock as the victim struggles to stop lateral movement and clear the ransomware and to resume mission-critical operations. Due to the fact that ransomware takes time to replicate, penetrations are usually sprung during weekends and nights, when attacks are likely to take longer to identify. This compounds the difficulty of quickly mobilizing and coordinating an experienced mitigation team.
Progent has an assortment of services for securing enterprises from ransomware penetrations. These include team education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of modern security gateways with artificial intelligence technology to intelligently detect and suppress new cyber threats. Progent also offers the assistance of expert crypto-ransomware recovery consultants with the talent and commitment to rebuild a compromised environment as soon as possible.
Progent's Ransomware Restoration Help
Soon after a ransomware penetration, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will return the keys to unencrypt all your data. Kaspersky estimated that 17% of ransomware victims never recovered their data even after having paid the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to re-install the vital components of your IT environment. Absent the availability of full information backups, this requires a broad range of IT skills, professional team management, and the willingness to work non-stop until the job is over.
For twenty years, Progent has made available professional Information Technology services for businesses in Birmingham and across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded high-level certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally-recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise in financial systems and ERP applications. This breadth of experience provides Progent the ability to knowledgably ascertain important systems and organize the surviving pieces of your Information Technology environment following a ransomware penetration and rebuild them into a functioning network.
Progent's ransomware team of experts utilizes top notch project management tools to orchestrate the complex recovery process. Progent appreciates the importance of acting quickly and together with a customerís management and IT team members to prioritize tasks and to get the most important services back on-line as soon as humanly possible.
Customer Story: A Successful Ransomware Intrusion Response
A business hired Progent after their company was crashed by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government sponsored hackers, possibly adopting approaches exposed from Americaís NSA organization. Ryuk goes after specific organizations with limited room for operational disruption and is among the most profitable iterations of ransomware. High publicized targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer located in Chicago and has around 500 workers. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's information backups had been on-line at the time of the attack and were damaged. The client was pursuing financing for paying the ransom demand (more than $200,000) and praying for the best, but ultimately utilized Progent.
"I canít say enough about the care Progent gave us throughout the most fearful time of (our) businesses survival. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent experts afforded us. That you could get our messaging and essential applications back online sooner than 1 week was amazing. Every single expert I talked with or messaged at Progent was urgently focused on getting us operational and was working day and night to bail us out."
Progent worked together with the customer to rapidly assess and assign priority to the mission critical services that needed to be recovered in order to resume company functions:
To start, Progent adhered to Anti-virus penetration mitigation industry best practices by stopping lateral movement and cleaning systems of viruses. Progent then began the steps of bringing back online Active Directory, the key technology of enterprise networks built upon Microsoft technology. Microsoft Exchange Server email will not operate without Windows AD, and the customerís accounting and MRP applications utilized Microsoft SQL, which depends on Active Directory services for access to the data.
- Active Directory (AD)
- Exchange Server
- Accounting and Manufacturing Software
In less than 48 hours, Progent was able to recover Active Directory services to its pre-penetration state. Progent then initiated reinstallations and hard drive recovery on critical servers. All Microsoft Exchange Server data and attributes were intact, which accelerated the restore of Exchange. Progent was also able to collect intact OST files (Outlook Email Offline Data Files) on staff workstations in order to recover email data. A recent offline backup of the customerís financials/MRP software made it possible to return these required services back servicing users. Although a large amount of work still had to be done to recover totally from the Ryuk virus, critical systems were recovered quickly:
"For the most part, the production line operation did not miss a beat and we made all customer orders."
During the next few weeks important milestones in the recovery process were completed through tight collaboration between Progent consultants and the client:
- In-house web applications were returned to operation with no loss of information.
- The MailStore Exchange Server exceeding four million historical emails was brought on-line and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were completely functional.
- A new Palo Alto 850 firewall was installed and configured.
- Nearly all of the desktops and laptops were being used by staff.
"A huge amount of what transpired those first few days is nearly entirely a blur for me, but my team will not forget the urgency each of the team put in to help get our business back. I have been working with Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered. This time was a life saver."
A probable business extinction disaster was evaded by dedicated professionals, a broad spectrum of technical expertise, and close collaboration. Although in analyzing the event afterwards the ransomware virus penetration described here could have been prevented with up-to-date security systems and security best practices, team training, and properly executed incident response procedures for information protection and keeping systems up to date with security patches, the reality is that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware virus, remember that Progent's roster of experts has a proven track record in ransomware virus defense, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for letting me get rested after we made it past the initial push. Everyone did an amazing job, and if anyone is around the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer story, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Birmingham a range of online monitoring and security evaluation services to help you to reduce your vulnerability to crypto-ransomware. These services utilize next-generation AI capability to detect zero-day strains of ransomware that are able to evade traditional signature-based security solutions.
For 24x7x365 Birmingham Crypto Removal Consultants, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes next generation behavior-based analysis technology to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which routinely escape legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to address the entire threat lifecycle including blocking, identification, mitigation, remediation, and forensics. Key features include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, device management, and web filtering through leading-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization experts can help you to design and configure a ProSight ESP deployment that addresses your company's specific needs and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent's consultants can also assist you to set up and verify a backup and restore system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable end-to-end solution for secure backup/disaster recovery (BDR). For a fixed monthly price, ProSight Data Protection Services automates your backup processes and enables fast recovery of critical files, applications and VMs that have become unavailable or damaged due to hardware failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's cloud backup consultants can deliver world-class expertise to set up ProSight Data Protection Services to to comply with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, whenever needed, can help you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security vendors to provide centralized management and world-class security for all your email traffic. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with a local gateway appliance to offer complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway device provides a deeper level of inspection for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to track and protect internal email that stays inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progentís ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, enhance and debug their networking hardware like routers, firewalls, and access points plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are always updated, captures and displays the configuration of almost all devices connected to your network, tracks performance, and sends alerts when problems are detected. By automating time-consuming network management processes, WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, locating devices that need important updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates advanced remote monitoring and management technology to keep your network operating at peak levels by checking the state of vital computers that power your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT management staff and your Progent consultant so that all looming issues can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hardware environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect information related to your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSLs or domains. By updating and managing your network documentation, you can save up to 50% of time thrown away trying to find vital information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether youíre making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Find out more about ProSight IT Asset Management service.