Crypto-Ransomware : Your Feared IT Catastrophe
Ransomware has become a too-frequent cyber pandemic that represents an existential danger for organizations vulnerable to an attack. Different iterations of ransomware such as CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and continue to cause havoc. Newer versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, plus more unnamed viruses, not only encrypt on-line critical data but also infect any available system protection. Data replicated to off-site disaster recovery sites can also be rendered useless. In a vulnerable system, this can make automated restoration impossible and effectively knocks the entire system back to square one.
Retrieving services and information following a crypto-ransomware intrusion becomes a sprint against the clock as the targeted business fights to stop the spread and eradicate the ransomware and to resume enterprise-critical operations. Since crypto-ransomware takes time to replicate, attacks are usually sprung during nights and weekends, when attacks tend to take longer to identify. This multiplies the difficulty of rapidly assembling and organizing a knowledgeable response team.
Progent has a variety of help services for securing enterprises from crypto-ransomware events. Among these are user education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security gateways with artificial intelligence technology to rapidly identify and quarantine new cyber threats. Progent in addition can provide the services of seasoned crypto-ransomware recovery consultants with the track record and perseverance to re-deploy a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
Soon after a ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not guarantee that criminal gangs will respond with the needed keys to unencrypt all your data. Kaspersky estimated that seventeen percent of ransomware victims never restored their files after having paid the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET determined to be around $13,000. The other path is to re-install the vital components of your Information Technology environment. Absent the availability of essential data backups, this requires a wide range of skills, top notch project management, and the willingness to work 24x7 until the recovery project is finished.
For twenty years, Progent has made available expert IT services for companies in Cambridge and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained high-level certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience in financial systems and ERP application software. This breadth of expertise provides Progent the capability to efficiently ascertain important systems and re-organize the surviving components of your network environment after a crypto-ransomware attack and assemble them into a functioning system.
Progent's recovery team of experts deploys state-of-the-art project management applications to orchestrate the sophisticated recovery process. Progent knows the urgency of working quickly and in unison with a client's management and IT team members to assign priority to tasks and to get essential services back on line as fast as humanly possible.
Business Case Study: A Successful Ransomware Virus Response
A customer escalated to Progent after their network was taken over by Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean state sponsored hackers, possibly using technology leaked from the U.S. National Security Agency. Ryuk attacks specific businesses with limited ability to sustain operational disruption and is one of the most profitable versions of ransomware viruses. Headline victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with around 500 workers. The Ryuk penetration had paralyzed all company operations and manufacturing capabilities. The majority of the client's system backups had been online at the start of the attack and were eventually encrypted. The client was actively seeking loans for paying the ransom (more than $200K) and wishfully thinking for good luck, but in the end utilized Progent.
"I cannot say enough in regards to the help Progent provided us throughout the most fearful period of (our) companyís life. We most likely would have paid the hackers behind this attack except for the confidence the Progent team provided us. That you were able to get our messaging and important applications back online in less than a week was earth shattering. Every single expert I talked with or texted at Progent was totally committed on getting us restored and was working at all hours on our behalf."
Progent worked hand in hand the client to rapidly understand and assign priority to the critical applications that had to be restored in order to restart departmental functions:
To get going, Progent followed ransomware penetration response industry best practices by stopping lateral movement and performing virus removal steps. Progent then began the process of restoring Active Directory, the key technology of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the customerís accounting and MRP applications utilized SQL Server, which depends on Active Directory for security authorization to the databases.
- Active Directory (AD)
- Microsoft Exchange Server
- MRP System
Within 48 hours, Progent was able to restore Active Directory to its pre-penetration state. Progent then completed reinstallations and hard drive recovery on mission critical servers. All Exchange Server data and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to assemble intact OST data files (Microsoft Outlook Off-Line Data Files) on various workstations to recover mail information. A recent offline backup of the customerís financials/MRP software made it possible to restore these vital applications back online for users. Although a large amount of work was left to recover completely from the Ryuk event, core systems were restored quickly:
"For the most part, the production line operation did not miss a beat and we delivered all customer deliverables."
Throughout the following month important milestones in the restoration project were completed through close cooperation between Progent engineers and the client:
- Internal web applications were restored without losing any data.
- The MailStore Exchange Server exceeding 4 million historical messages was brought on-line and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were 100 percent functional.
- A new Palo Alto 850 firewall was set up and programmed.
- 90% of the desktop computers were operational.
"So much of what transpired during the initial response is nearly entirely a haze for me, but our team will not forget the care each of your team accomplished to help get our company back. I have entrusted Progent for at least 10 years, maybe more, and every time Progent has shined and delivered. This time was a stunning achievement."
A likely business-killing catastrophe was averted through the efforts of dedicated experts, a wide spectrum of technical expertise, and tight collaboration. Although in retrospect the crypto-ransomware incident described here could have been disabled with advanced security systems and ISO/IEC 27001 best practices, user training, and appropriate security procedures for data protection and proper patching controls, the reality is that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a ransomware incident, feel confident that Progent's roster of professionals has substantial experience in ransomware virus blocking, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were involved), Iím grateful for making it so I could get rested after we got past the initial push. All of you did an amazing effort, and if any of your guys is visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Cambridge a range of remote monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services include next-generation artificial intelligence capability to uncover zero-day variants of ransomware that can get past legacy signature-based security solutions.
For Cambridge 24x7 Crypto Removal Help, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting edge behavior-based machine learning technology to defend physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which easily escape traditional signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a unified platform to manage the entire threat progression including protection, detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent accessible from a unified console. Progent's security and virtualization consultants can help you to plan and implement a ProSight ESP deployment that meets your organization's unique requirements and that helps you prove compliance with government and industry data protection standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent's consultants can also help your company to install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products manage and track your data backup operations and allow transparent backup and fast recovery of important files, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware breakdown, natural disasters, fire, malware like ransomware, user mistakes, ill-intentioned employees, or application glitches. Managed backup services available in the ProSight Data Protection Services product line include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these fully managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security companies to deliver centralized management and world-class security for all your inbound and outbound email. The powerful architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from making it to your network firewall. This decreases your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper level of inspection for incoming email. For outgoing email, the onsite security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and protect internal email that stays inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map, track, optimize and troubleshoot their connectivity appliances like routers, firewalls, and access points as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always current, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are discovered. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary tasks such as making network diagrams, reconfiguring your network, locating appliances that need important updates, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by checking the state of critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT staff and your Progent consultant so that any potential issues can be resolved before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported immediately to an alternate hardware solution without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL certificates ,domains or warranties. By updating and organizing your network documentation, you can eliminate up to half of time wasted looking for vital information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether youíre making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior machine learning tools to defend endpoints and physical and virtual servers against new malware attacks such as ransomware and email phishing, which easily get by legacy signature-based anti-virus products. Progent ASM services safeguard local and cloud-based resources and provides a unified platform to address the entire malware attack progression including blocking, detection, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.
- Progent's Outsourced/Shared Help Center: Call Center Managed Services
Progent's Help Center managed services allow your information technology group to offload Support Desk services to Progent or split activity for Help Desk services seamlessly between your internal network support team and Progent's extensive pool of IT service technicians, engineers and subject matter experts (SBEs). Progent's Co-managed Help Desk Service offers a transparent supplement to your internal support staff. Client access to the Service Desk, provision of technical assistance, escalation, ticket generation and updates, efficiency measurement, and management of the support database are consistent regardless of whether issues are resolved by your internal IT support resources, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Service Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management offer organizations of any size a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic IT system. In addition to optimizing the protection and reliability of your computer environment, Progent's software/firmware update management services allow your in-house IT staff to concentrate on more strategic initiatives and tasks that derive maximum business value from your network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication. Duo enables one-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. Using 2FA, when you log into a secured application and give your password you are requested to confirm who you are on a unit that only you have and that uses a separate network channel. A wide range of devices can be utilized as this second means of ID validation such as a smartphone or watch, a hardware token, a landline phone, etc. You may designate several verification devices. To learn more about Duo two-factor identity authentication services, see Duo MFA two-factor authentication (2FA) services for access security.