Crypto-Ransomware : Your Crippling IT Disaster
Ransomware has become an escalating cyber pandemic that poses an existential danger for businesses vulnerable to an assault. Versions of ransomware like the Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still cause destruction. Modern strains of ransomware such as Ryuk and Hermes, as well as frequent unnamed newcomers, not only encrypt on-line information but also infiltrate most accessible system backup. Files synchronized to cloud environments can also be rendered useless. In a poorly designed environment, it can make automated recovery impossible and basically sets the datacenter back to square one.
Getting back applications and data following a crypto-ransomware attack becomes a race against time as the targeted business struggles to contain the damage and cleanup the crypto-ransomware and to resume business-critical activity. Due to the fact that crypto-ransomware takes time to move laterally, penetrations are often launched during weekends and nights, when penetrations tend to take longer to uncover. This compounds the difficulty of promptly mobilizing and orchestrating a qualified mitigation team.
Progent has a range of services for protecting businesses from crypto-ransomware events. These include user education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security solutions with artificial intelligence capabilities to intelligently discover and extinguish zero-day cyber threats. Progent also can provide the assistance of expert ransomware recovery engineers with the skills and commitment to re-deploy a compromised network as urgently as possible.
Progent's Ransomware Restoration Support Services
Following a crypto-ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that criminal gangs will provide the needed keys to decipher any or all of your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their information even after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to setup from scratch the vital components of your IT environment. Without access to full system backups, this calls for a broad complement of IT skills, well-coordinated project management, and the ability to work 24x7 until the task is done.
For two decades, Progent has made available professional Information Technology services for businesses in Birmingham and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded high-level industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise with financial systems and ERP software solutions. This breadth of expertise affords Progent the skills to quickly determine critical systems and integrate the surviving components of your network environment following a crypto-ransomware event and configure them into an operational network.
Progent's ransomware group uses best of breed project management applications to orchestrate the complicated recovery process. Progent understands the urgency of working quickly and in unison with a client's management and Information Technology team members to assign priority to tasks and to put essential services back online as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Intrusion Recovery
A small business contacted Progent after their network system was brought down by the Ryuk ransomware. Ryuk is thought to have been developed by Northern Korean government sponsored cybercriminals, suspected of using approaches leaked from the U.S. National Security Agency. Ryuk targets specific businesses with limited room for disruption and is among the most lucrative incarnations of ransomware viruses. Major victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area with around 500 staff members. The Ryuk attack had shut down all essential operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the start of the attack and were destroyed. The client was evaluating paying the ransom demand (more than $200,000) and wishfully thinking for the best, but in the end reached out to Progent.
"I cannot speak enough about the care Progent provided us during the most stressful period of (our) companyís existence. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent group gave us. The fact that you could get our messaging and essential applications back into operation in less than one week was amazing. Each consultant I got help from or messaged at Progent was hell bent on getting us back online and was working 24/7 on our behalf."
Progent worked with the customer to quickly get our arms around and prioritize the critical areas that needed to be recovered in order to resume departmental operations:
To begin, Progent followed AV/Malware Processes incident mitigation best practices by halting the spread and disinfecting systems. Progent then started the work of recovering Windows Active Directory, the key technology of enterprise networks built on Microsoft Windows Server technology. Exchange messaging will not operate without Active Directory, and the client's accounting and MRP applications leveraged Microsoft SQL Server, which depends on Active Directory services for security authorization to the database.
- Windows Active Directory
- Accounting and Manufacturing Software
Within 2 days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then performed reinstallations and storage recovery on essential systems. All Microsoft Exchange Server data and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to locate local OST data files (Outlook Off-Line Folder Files) on various workstations to recover email messages. A not too old offline backup of the client's accounting/ERP systems made it possible to recover these required services back servicing users. Although major work remained to recover totally from the Ryuk virus, essential services were restored rapidly:
"For the most part, the production manufacturing operation never missed a beat and we produced all customer deliverables."
Over the next month critical milestones in the recovery process were completed in close cooperation between Progent consultants and the customer:
- Internal web applications were restored without losing any data.
- The MailStore Server exceeding 4 million archived messages was brought online and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory modules were completely restored.
- A new Palo Alto 850 firewall was installed and configured.
- Most of the desktop computers were being used by staff.
"Much of what occurred that first week is mostly a blur for me, but my team will not soon forget the dedication all of your team accomplished to help get our business back. I have utilized Progent for the past 10 years, maybe more, and every time Progent has impressed me and delivered. This time was a life saver."
A likely company-ending catastrophe was dodged by dedicated professionals, a wide array of IT skills, and tight teamwork. Although in analyzing the event afterwards the crypto-ransomware virus attack detailed here would have been stopped with advanced cyber security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and properly executed security procedures for data backup and keeping systems up to date with security patches, the reality is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, remember that Progent's roster of experts has substantial experience in ransomware virus defense, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), Iím grateful for making it so I could get some sleep after we got through the most critical parts. All of you did an amazing job, and if any of your guys is visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Birmingham a portfolio of online monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services incorporate modern machine learning capability to uncover new variants of ransomware that can evade traditional signature-based security products.
For 24-Hour Birmingham Crypto-Ransomware Repair Consultants, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates next generation behavior machine learning technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to automate the entire malware attack progression including protection, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge tools incorporated within one agent managed from a unified control. Progent's security and virtualization consultants can help you to design and implement a ProSight ESP deployment that meets your organization's specific needs and that allows you achieve and demonstrate compliance with government and industry data protection regulations. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require urgent action. Progent can also assist your company to install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and mid-sized businesses a low cost end-to-end solution for secure backup/disaster recovery (BDR). Available at a low monthly rate, ProSight Data Protection Services automates and monitors your backup processes and enables rapid recovery of critical files, apps and virtual machines that have become lost or damaged as a result of hardware failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class support to set up ProSight Data Protection Services to to comply with regulatory standards such as HIPAA, FINRA, and PCI and, when necessary, can assist you to recover your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security companies to deliver centralized management and comprehensive security for your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway device to offer advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's onsite gateway device adds a deeper layer of inspection for incoming email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map, track, enhance and troubleshoot their connectivity appliances like routers, firewalls, and access points as well as servers, printers, client computers and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that network maps are always current, copies and manages the configuration information of almost all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, locating devices that need important updates, or isolating performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running at peak levels by tracking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT management staff and your assigned Progent engineering consultant so any looming problems can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Since the system is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned about impending expirations of SSLs ,domains or warranties. By updating and organizing your IT documentation, you can eliminate as much as half of time wasted looking for critical information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents related to managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether youíre planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.