Ransomware : Your Worst Information Technology Catastrophe
Ransomware has become a too-frequent cyber pandemic that poses an enterprise-level danger for organizations unprepared for an attack. Versions of crypto-ransomware such as CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and still cause harm. Recent variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with frequent as yet unnamed newcomers, not only encrypt online files but also infect all configured system backups. Information synched to cloud environments can also be encrypted. In a poorly designed system, this can make any restoration impossible and basically sets the network back to square one.
Getting back online applications and information following a ransomware event becomes a race against time as the targeted organization fights to contain and remove the ransomware and to resume mission-critical operations. Due to the fact that ransomware needs time to move laterally, attacks are often sprung on weekends, when successful penetrations typically take more time to uncover. This compounds the difficulty of rapidly mobilizing and orchestrating an experienced response team.
Progent has a variety of solutions for protecting enterprises from ransomware penetrations. Among these are user training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of the latest generation security appliances with machine learning technology to automatically discover and quarantine new cyber attacks. Progent also provides the assistance of veteran ransomware recovery consultants with the skills and commitment to re-deploy a breached network as soon as possible.
Progent's Ransomware Restoration Help
Subsequent to a ransomware penetration, even paying the ransom in cryptocurrency does not provide any assurance that cyber criminals will respond with the codes to decrypt all your information. Kaspersky ascertained that seventeen percent of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET estimates to be approximately $13,000. The fallback is to setup from scratch the essential components of your IT environment. Without access to full information backups, this calls for a broad complement of skills, professional team management, and the capability to work continuously until the job is completed.
For twenty years, Progent has offered professional IT services for companies in Broomfield and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained top industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the skills to efficiently ascertain necessary systems and integrate the surviving parts of your IT system following a ransomware event and assemble them into a functioning system.
Progent's ransomware group has state-of-the-art project management tools to orchestrate the sophisticated restoration process. Progent appreciates the importance of working rapidly and in unison with a customerís management and IT team members to prioritize tasks and to put critical systems back online as soon as possible.
Client Case Study: A Successful Ransomware Penetration Restoration
A small business sought out Progent after their network system was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean government sponsored criminal gangs, possibly using approaches leaked from the U.S. National Security Agency. Ryuk seeks specific businesses with little or no ability to sustain disruption and is among the most profitable iterations of crypto-ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago and has about 500 staff members. The Ryuk event had frozen all company operations and manufacturing processes. Most of the client's data backups had been directly accessible at the time of the intrusion and were damaged. The client was actively seeking loans for paying the ransom demand (in excess of $200K) and praying for the best, but in the end engaged Progent.
"I cannot say enough in regards to the care Progent gave us during the most stressful time of (our) companyís existence. We most likely would have paid the hackers behind this attack if it wasnít for the confidence the Progent group provided us. The fact that you could get our e-mail system and essential servers back faster than seven days was something I thought impossible. Every single person I talked with or communicated with at Progent was urgently focused on getting us operational and was working non-stop to bail us out."
Progent worked together with the client to quickly determine and prioritize the key elements that had to be addressed to make it possible to continue company functions:
To get going, Progent followed Anti-virus penetration mitigation industry best practices by isolating and removing active viruses. Progent then started the task of bringing back online Microsoft Active Directory, the foundation of enterprise systems built upon Microsoft technology. Exchange messaging will not operate without AD, and the customerís accounting and MRP applications used Microsoft SQL Server, which requires Active Directory for security authorization to the database.
- Active Directory (AD)
In less than two days, Progent was able to re-build Active Directory services to its pre-attack state. Progent then helped perform setup and storage recovery on the most important applications. All Exchange Server ties and attributes were usable, which facilitated the restore of Exchange. Progent was able to find non-encrypted OST files (Outlook Off-Line Data Files) on team workstations and laptops to recover email messages. A not too old offline backup of the client's accounting/ERP systems made them able to restore these required applications back servicing users. Although a lot of work still had to be done to recover completely from the Ryuk attack, essential services were restored rapidly:
"For the most part, the assembly line operation was never shut down and we delivered all customer deliverables."
Throughout the following few weeks important milestones in the restoration project were achieved in close collaboration between Progent consultants and the customer:
- In-house web sites were restored with no loss of data.
- The MailStore Server exceeding four million archived emails was brought on-line and available for users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables/Inventory Control capabilities were 100% restored.
- A new Palo Alto 850 firewall was installed and configured.
- Ninety percent of the desktops and laptops were operational.
"So much of what was accomplished those first few days is mostly a haze for me, but my team will not forget the dedication each of the team accomplished to help get our business back. Iíve been working with Progent for the past 10 years, maybe more, and every time Progent has shined and delivered as promised. This event was a Herculean accomplishment."
A probable company-ending disaster was averted with results-oriented experts, a broad range of IT skills, and close collaboration. Although in retrospect the crypto-ransomware virus penetration described here should have been identified and prevented with up-to-date security systems and NIST Cybersecurity Framework best practices, team education, and properly executed security procedures for information backup and applying software patches, the fact remains that government-sponsored hackers from China, North Korea and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware incursion, feel confident that Progent's team of experts has a proven track record in ransomware virus blocking, removal, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thanks very much for making it so I could get some sleep after we made it through the first week. Everyone did an incredible effort, and if anyone is around the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer story, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Broomfield a variety of online monitoring and security assessment services to assist you to reduce your vulnerability to ransomware. These services include modern machine learning capability to uncover new strains of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.
For Broomfield 24/7 Ransomware Removal Support Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior analysis tools to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus tools. ProSight ASM safeguards local and cloud-based resources and offers a single platform to manage the complete threat lifecycle including blocking, detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device control, and web filtering through cutting-edge technologies packaged within one agent managed from a unified control. Progent's data protection and virtualization experts can help you to plan and configure a ProSight ESP environment that meets your organization's unique requirements and that helps you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for immediate action. Progent's consultants can also help your company to set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable end-to-end service for secure backup/disaster recovery. For a fixed monthly price, ProSight DPS automates and monitors your backup activities and enables fast recovery of critical data, apps and virtual machines that have become unavailable or corrupted as a result of component failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be backed up on the cloud, to a local device, or to both. Progent's BDR consultants can provide world-class support to set up ProSight DPS to be compliant with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can help you to recover your business-critical information. Learn more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security vendors to provide web-based control and comprehensive protection for all your email traffic. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with a local gateway appliance to provide complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most unwanted email from making it to your security perimeter. This reduces your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance provides a further layer of analysis for incoming email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Exchange Server to track and safeguard internal email that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map, monitor, enhance and troubleshoot their networking hardware such as switches, firewalls, and access points as well as servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, finding appliances that require important updates, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progentís server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by tracking the state of critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your specified IT personnel and your Progent consultant so that any looming issues can be addressed before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hosting environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and safeguard information related to your IT infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs or warranties. By updating and managing your IT documentation, you can eliminate as much as 50% of time thrown away searching for critical information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether youíre making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about ProSight IT Asset Management service.