Ransomware : Your Worst Information Technology Disaster
Ransomware has become a modern cyberplague that presents an enterprise-level danger for organizations vulnerable to an assault. Versions of ransomware like the Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been replicating for many years and still inflict havoc. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, plus daily as yet unnamed viruses, not only encrypt online data files but also infect many configured system restores and backups. Data synched to the cloud can also be ransomed. In a vulnerable data protection solution, it can make automatic restore operations useless and basically knocks the entire system back to zero.
Getting applications and data back online after a ransomware intrusion becomes a sprint against the clock as the targeted organization fights to stop the spread, clear the ransomware, and resume business-critical operations. Because crypto-ransomware requires time to move laterally, assaults are frequently sprung on weekends and holidays, when attacks are likely to take more time to uncover. This multiplies the difficulty of promptly assembling and coordinating a capable mitigation team.
Progent makes available an assortment of services for protecting organizations from crypto-ransomware events. These include team member training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of the latest generation security solutions with artificial intelligence capabilities to rapidly discover and extinguish day-zero cyber threats. Progent in addition provides the services of veteran crypto-ransomware recovery engineers with the skills and perseverance to rebuild a breached system as quickly as possible.
Progent's Ransomware Restoration Support Services
Subsequent to a crypto-ransomware event, even paying the ransom in Bitcoin cryptocurrency does not ensure that cyber hackers will provide the needed keys to unencrypt any or all of your data. Kaspersky determined that 17% of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in increased losses. The ransom itself is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to set up from scratch the essential parts of your Information Technology environment. Absent the availability of essential system backups, this requires a wide range of skill sets, well-coordinated team management, and the ability to work 24x7 until the recovery project is done.
For twenty years, Progent has made available professional IT services for businesses in Boise and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial management and ERP software solutions. This breadth of experience provides Progent the skills to quickly ascertain necessary systems and organize the surviving components of your computer network environment after a ransomware penetration and rebuild them into a functioning network.
Progent's ransomware team utilizes top-notch project management tools to orchestrate the complex restoration process. Progent knows the urgency of working swiftly and in unison with a customer's management and IT team members to assign priority to tasks and to get critical applications back online as fast as possible.
Case Study: A Successful Crypto-Ransomware Penetration Response
A client engaged Progent after their company was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state-sponsored cybercriminals, possibly using approaches leaked from the U.S. National Security Agency. Ryuk targets specific organizations with limited tolerance for disruption and is one of the most lucrative incarnations of ransomware. Major targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company based in the Chicago metro area and has about 500 staff members. The Ryuk event had disabled all essential operations and manufacturing capabilities. The majority of the client's system backups had been on-line at the start of the intrusion and were encrypted. The client was pursuing financing for paying the ransom demand (more than two hundred thousand dollars) and praying for the best, but in the end engaged Progent.
"I can't say enough in regards to the help Progent provided us throughout the most stressful time of (our) company's existence. We most likely would have paid the hackers behind this attack if not for the confidence the Progent experts gave us. That you could get our messaging and production applications back on-line faster than one week was incredible. Every single person I spoke to or messaged at Progent was hell bent on getting us working again and was working all day and night to bail us out."
Progent worked with the client to quickly assess and prioritize the most important applications that needed to be recovered to make it possible to resume business operations:
- Active Directory (AD)
- Microsoft Exchange
- MRP System
To get going, Progent adhered to ransomware event mitigation industry best practices by halting lateral movement and clearing infected systems. Progent then started the task of rebuilding Microsoft Active Directory, the key technology of enterprise networks built on Microsoft technology. Microsoft Exchange email will not function without Active Directory, and the customer's financials and MRP software used Microsoft SQL Server, which needs Windows AD for access to the data.
In less than 48 hours, Progent was able to restore Active Directory to its pre-penetration state. Progent then helped perform setup and storage recovery on critical systems. All Exchange Server data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Offline Folder Files) on staff workstations and laptops in order to recover email information. A recent off-line backup of the client's financials/ERP software made it possible to bring these required services back into operation for users. Although a lot of work still had to be done to recover completely from the Ryuk damage, essential services were restored quickly:
"For the most part, the production manufacturing operation was never shut down and we delivered all customer sales."
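The OST-recovery step described above depends on quickly finding which cached Outlook data files on the workstations are still intact. The following PowerShell script is an added example written for this page; it is not Progent's tooling or part of the case study. It assumes PowerShell remoting is enabled and that the account running it has local administrator rights on the targets; the computer names are constructed placeholders (in practice you would feed it the output of Get-ADComputer once Active Directory is back). Outlook OST and PST files begin with the four-byte signature "!BDN", so a file whose header no longer matches has most likely been encrypted or overwritten in place.

```powershell
# Added example (not Progent's code): inventory Outlook OST/PST files on a set
# of Windows workstations and record whether each still carries the Outlook
# "!BDN" header, to triage which cached mailboxes survived a ransomware run.

# Assumption: WinRM remoting is enabled and the caller is a local admin on
# the targets. The names below are constructed placeholders.
$Computers = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02')

$ScanBlock = {
    # Outlook data files start with bytes 0x21 0x42 0x44 0x4E ("!BDN").
    $magic = [byte[]](0x21, 0x42, 0x44, 0x4E)

    $profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
    foreach ($profile in $profiles) {
        $files = Get-ChildItem -Path $profile.FullName -Recurse -Include '*.ost', '*.pst' `
                 -File -Force -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $headerOk = $false
            try {
                # Open read-only with a permissive share mode; a file that Outlook
                # currently holds exclusively will throw and be reported as unchecked.
                $fs = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'ReadWrite')
                try {
                    $buf = New-Object byte[] 4
                    $n = $fs.Read($buf, 0, 4)
                    $headerOk = ($n -eq 4) -and
                                ($buf[0] -eq $magic[0]) -and ($buf[1] -eq $magic[1]) -and
                                ($buf[2] -eq $magic[2]) -and ($buf[3] -eq $magic[3])
                    $status = if ($headerOk) { 'Intact' } else { 'HeaderMismatch' }
                } finally {
                    $fs.Dispose()
                }
            } catch {
                $status = 'Unreadable'
            }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Path      = $f.FullName
                SizeMB    = [math]::Round($f.Length / 1MB, 1)
                LastWrite = $f.LastWriteTime
                Status    = $status
            }
        }
    }
}

# Collect results from every reachable workstation; unreachable hosts are skipped.
$results = Invoke-Command -ComputerName $Computers -ScriptBlock $ScanBlock `
           -ErrorAction SilentlyContinue

# Persist the full inventory for the recovery team, intact files first.
$results |
    Sort-Object Status, Computer |
    Select-Object Computer, Path, SizeMB, LastWrite, Status |
    Export-Csv -Path '.\ost-inventory.csv' -NoTypeInformation

# Quick summary: files marked Intact are candidates for mailbox recovery and
# should be copied off before a rebuilt Exchange mailbox refreshes the cache.
$results | Group-Object Status | ForEach-Object {
    '{0,-15} {1,4} file(s)' -f $_.Name, $_.Count
}
```

Run it with Outlook closed on the targets so the files are not locked, and copy any file reported as Intact to protected storage before users reconnect to the rebuilt Exchange server, since a reconnect can replace the cached copy with an empty mailbox.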
Throughout the following month critical milestones in the recovery process were made in close cooperation between Progent consultants and the client:
- Self-hosted web sites were restored with no loss of information.
- The MailStore Microsoft Exchange Server with over four million archived emails was brought on-line and available for users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory functions were 100% operational.
- A new Palo Alto Networks 850 firewall was deployed.
- Ninety percent of the user PCs were fully operational.
"A huge amount of what happened in the initial days is mostly a haze for me, but I will not forget the commitment each of your team accomplished to help get our company back. I've trusted Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered. This time was a life saver."
A potential business catastrophe was evaded with top-tier experts, a broad spectrum of knowledge, and tight teamwork. Although in retrospect the ransomware attack detailed here should have been identified and stopped with modern security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well designed security procedures for information protection and keeping systems up to date with security patches, the reality remains that government-sponsored cybercriminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware virus, remember that Progent's roster of professionals has substantial experience in ransomware virus defense, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), I'm grateful for letting me get some sleep after we got past the initial fire. Everyone did an amazing job, and if anyone is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Boise a range of online monitoring and security evaluation services designed to help you to minimize your vulnerability to ransomware. These services incorporate modern machine learning technology to detect zero-day variants of ransomware that can escape detection by legacy signature-based anti-virus solutions.
For 24-Hour Boise CryptoLocker Remediation Help, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior machine learning tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. ProSight ASM protects local and cloud-based resources and offers a single platform to manage the entire threat progression including protection, identification, mitigation, remediation, and forensics. Key capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge tools packaged within one agent managed from a unified control. Progent's security and virtualization consultants can help your business to design and configure a ProSight ESP environment that addresses your organization's specific requirements and that helps you achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for immediate action. Progent's consultants can also help your company to set up and test a backup and restore system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services, a selection of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your data backup processes and enable transparent backup and rapid restoration of critical files, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss caused by equipment failures, natural calamities, fire, malware like ransomware, human mistakes, ill-intentioned insiders, or software bugs. Managed services in the ProSight DPS product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these fully managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security vendors to deliver centralized management and world-class security for all your email traffic. The hybrid architecture of Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your vulnerability to external attacks and saves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper layer of analysis for incoming email. For outbound email, the local gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, track, enhance and troubleshoot their networking appliances like switches, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always current, copies and manages the configuration information of almost all devices on your network, tracks performance, and generates alerts when problems are detected. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, finding devices that need critical software patches, or resolving performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network running efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT management staff and your Progent engineering consultant so that all looming problems can be addressed before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be moved easily to a different hosting solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect data about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to half the time otherwise wasted searching for vital information about your IT network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Find out more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates cutting edge behavior-based analysis technology to guard endpoints and servers and VMs against modern malware assaults such as ransomware and email phishing, which routinely evade traditional signature-matching AV tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and provides a unified platform to automate the complete threat lifecycle including filtering, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and cleanup services.
- Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
Progent's Support Center managed services allow your IT team to outsource Call Center services to Progent or split activity for support services transparently between your internal network support resources and Progent's extensive pool of IT support technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a transparent extension of your corporate IT support organization. End user interaction with the Service Desk, provision of support services, escalation, ticket generation and tracking, performance metrics, and management of the service database are cohesive whether incidents are taken care of by your in-house support group, by Progent, or by a combination. Learn more about Progent's outsourced/shared Help Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management offer organizations of any size a flexible and cost-effective solution for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your dynamic information network. Besides maximizing the security and reliability of your computer network, Progent's patch management services permit your in-house IT team to concentrate on more strategic projects and activities that deliver maximum business value from your information network. Find out more about Progent's software/firmware update management services.