Crypto-Ransomware : Your Feared Information Technology Disaster
Ransomware has become a modern cyberplague that poses an existential danger for businesses vulnerable to an assault. Different versions of ransomware such as CryptoLocker, Fusob, Locky, Syskey and MongoLock cryptoworms have been out in the wild for a long time and still inflict havoc. More recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nephilim, along with additional as yet unnamed malware, not only encrypt online critical data but also infiltrate any available system backup. Data synchronized to off-site disaster recovery sites can also be ransomed. In a poorly architected environment, this can render automated restoration useless and effectively reset the network to zero.
Restoring services and data after a ransomware attack becomes a race against time as the targeted business struggles to contain the damage, remove the ransomware, and restore enterprise-critical operations. Because ransomware needs time to replicate, assaults are usually sprung at night, when penetrations tend to take longer to uncover. This compounds the difficulty of rapidly mobilizing and orchestrating a qualified mitigation team.
Progent has a variety of services for securing organizations from ransomware penetrations. Among these are user education to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security appliances with AI capabilities to quickly detect and extinguish zero-day cyber attacks. Progent in addition provides the services of expert ransomware recovery consultants with the skills and perseverance to rebuild a breached system as urgently as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware attack, paying the ransom in Bitcoin cryptocurrency does not ensure that criminal gangs will provide the codes to decipher any of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their information after having paid the ransom, resulting in more losses. The ransom itself is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to piece back together the mission-critical components of your IT environment. Absent access to complete information backups, this requires a broad range of IT skills, professional team management, and the willingness to work 24x7 until the recovery project is finished.
For decades, Progent has provided professional IT services for businesses in Bristol and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded top industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience in financial management and ERP applications. This breadth of expertise gives Progent the ability to quickly identify critical systems, consolidate the surviving parts of your network following a ransomware attack, and rebuild them into an operational network.
Progent's recovery team uses state-of-the-art project management tools to coordinate the complex restoration process. Progent understands the importance of working swiftly and in unison with a customer's management and Information Technology resources to assign priority to tasks and to get critical applications back on-line as fast as humanly possible.
Client Story: A Successful Crypto-Ransomware Virus Restoration
A client sought out Progent after their organization was crippled by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state cybercriminals, possibly using strategies leaked from the U.S. National Security Agency. Ryuk goes after specific businesses with little or no ability to sustain operational disruption and is among the most profitable instances of ransomware. High-profile victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business located in the Chicago metro area with about 500 employees. The Ryuk attack had disabled all company operations and manufacturing processes. Most of the client's backups had been on-line at the beginning of the intrusion and were damaged. The client was taking steps to pay the ransom (exceeding $200,000) and hoping for good luck, but in the end made the decision to use Progent.
"I can't say enough about the help Progent gave us during the most stressful period of (our) business's survival. We may have had to pay the cybercriminals if not for the confidence the Progent experts gave us. The fact that you could get our e-mail system and critical applications back on-line in less than five days was beyond my wildest dreams. Each expert I talked with or e-mailed at Progent was laser focused on getting us back on-line and was working at all hours on our behalf."
Progent worked hand in hand with the customer to quickly identify and assign priority to the essential services that had to be addressed in order to restart business operations:
- Microsoft Active Directory
- Electronic Mail
To get going, Progent adhered to ransomware penetration mitigation industry best practices by stopping the spread and performing virus removal steps. Progent then initiated the process of rebuilding Windows Active Directory, the core of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the customer's accounting and MRP software used Microsoft SQL Server, which depends on Active Directory for security authorization to the data.
In less than two days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then initiated the rebuilding and hard drive recovery of key servers. All Microsoft Exchange Server schema and configuration information were intact, which greatly helped the restoration of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Email Off-Line Folder Files) on user workstations and laptops in order to recover mail messages. A reasonably recent off-line backup of the business's financial/ERP software made it possible to bring these required services back online. Although a lot of work remained to recover completely from the Ryuk attack, the most important systems were returned to operation rapidly:
"For the most part, the assembly line operation ran fairly normally throughout and we delivered all customer orders."
Over the following month, important milestones in the recovery process were accomplished through close cooperation between Progent engineers and the customer:
- In-house web applications were returned to operation with no loss of data.
- The MailStore Server with over 4 million archived messages was brought on-line and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory modules were completely recovered.
- A new Palo Alto Networks 850 firewall was set up.
- Nearly all of the desktop computers were fully operational.
"A huge amount of what transpired in the initial days is mostly a fog for me, but our team will not soon forget the commitment all of the team put in to give us our company back. I've entrusted Progent for the past ten years, possibly more, and each time Progent has come through and delivered. This time was the most impressive ever."
A likely business-killing catastrophe was averted by dedicated experts, a broad spectrum of technical expertise, and tight teamwork. Although in hindsight the crypto-ransomware penetration described here could have been identified and disabled with up-to-date security technology and NIST Cybersecurity Framework best practices, staff training, and appropriate incident response procedures for information protection and applying software patches, the fact is that government-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's roster of experts has proven experience in ransomware virus blocking, cleanup, and file restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for making it so I could get some sleep after we got past the initial fire. Everyone did an incredible job, and if any of your team is visiting the Chicago area, dinner is my treat!"
To review or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Bristol a portfolio of remote monitoring and security assessment services to help you minimize your vulnerability to crypto-ransomware. These services include modern AI capability to uncover zero-day strains of ransomware that can evade legacy signature-based anti-virus solutions.
For Bristol 24x7x365 Crypto-Ransomware Repair Help, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes cutting edge behavior-based analysis technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily evade legacy signature-matching AV products. ProSight ASM safeguards local and cloud resources and offers a unified platform to manage the complete threat progression including blocking, detection, mitigation, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering via leading-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP deployment that addresses your organization's unique needs and that allows you to prove compliance with legal and industry data protection standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also help you to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent provide small and mid-sized businesses a low cost and fully managed solution for reliable backup/disaster recovery. Available at a low monthly rate, ProSight DPS automates and monitors your backup processes and allows rapid restoration of critical files, applications and VMs that have become lost or damaged due to component failures, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to an on-premises storage device, or mirrored to both. Progent's BDR consultants can deliver advanced support to set up ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FINRA, and PCI and, when needed, can help you to restore your critical data. Read more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top data security vendors to provide centralized control and comprehensive security for your email traffic. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email from making it to your network firewall. This decreases your vulnerability to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further layer of inspection for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map, monitor, enhance and troubleshoot their networking hardware such as routers, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are always current, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends notices when issues are detected. By automating complex management and troubleshooting processes, WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, locating appliances that need important software patches, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running at peak levels by tracking the state of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your specified IT management staff and your assigned Progent engineering consultant so all looming problems can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved easily to a different hardware environment without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and safeguard information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSL certificates or warranties. By updating and managing your network documentation, you can eliminate as much as 50% of time wasted looking for vital information about your network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Learn more about ProSight IT Asset Management service.