Ransomware : Your Worst IT Nightmare
Ransomware has become a modern cyber pandemic that represents an enterprise-level danger for businesses vulnerable to an assault. Multiple generations of ransomware such as Reveton, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for a long time and still cause havoc. Newer variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, as well as frequent unnamed viruses, not only do encryption of online files but also infiltrate many configured system protection mechanisms. Information replicated to the cloud can also be ransomed. In a poorly designed system, it can render automated recovery impossible and basically sets the entire system back to square one.
Getting back online services and information following a ransomware attack becomes a sprint against time as the victim struggles to stop the spread and cleanup the ransomware and to resume business-critical operations. Due to the fact that crypto-ransomware requires time to replicate, attacks are usually sprung on weekends and holidays, when attacks tend to take more time to detect. This compounds the difficulty of promptly mobilizing and orchestrating an experienced response team.
Progent makes available a range of help services for securing enterprises from ransomware events. Among these are user training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security gateways with machine learning capabilities to intelligently detect and suppress day-zero cyber threats. Progent in addition can provide the services of experienced ransomware recovery professionals with the skills and perseverance to restore a compromised system as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will provide the needed keys to decipher all your files. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their data even after having paid the ransom, resulting in more losses. The risk is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average crypto-ransomware demands, which ZDNET determined to be around $13,000. The other path is to piece back together the critical elements of your Information Technology environment. Without the availability of full data backups, this requires a broad complement of skill sets, top notch project management, and the capability to work 24x7 until the recovery project is done.
For two decades, Progent has provided certified expert IT services for companies in Campinas and across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded top industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience in financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to rapidly ascertain critical systems and re-organize the remaining components of your Information Technology environment following a ransomware attack and configure them into an operational network.
Progent's security team of experts has top notch project management tools to coordinate the sophisticated restoration process. Progent knows the urgency of working rapidly and together with a client's management and Information Technology team members to assign priority to tasks and to get key applications back on-line as soon as humanly possible.
Client Case Study: A Successful Ransomware Attack Restoration
A business escalated to Progent after their network was brought down by Ryuk ransomware virus. Ryuk is generally considered to have been created by Northern Korean state sponsored hackers, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no tolerance for disruption and is one of the most lucrative incarnations of ransomware malware. Well Known organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in the Chicago metro area and has about 500 staff members. The Ryuk penetration had frozen all company operations and manufacturing capabilities. Most of the client's data protection had been on-line at the beginning of the attack and were destroyed. The client was evaluating paying the ransom (in excess of two hundred thousand dollars) and wishfully thinking for the best, but ultimately reached out to Progent.
"I cannot speak enough about the help Progent provided us throughout the most critical time of (our) companyís existence. We most likely would have paid the criminal gangs if it wasnít for the confidence the Progent team gave us. The fact that you could get our messaging and key applications back in less than seven days was incredible. Every single consultant I worked with or communicated with at Progent was hell bent on getting us working again and was working all day and night to bail us out."
Progent worked hand in hand the client to quickly understand and prioritize the mission critical areas that had to be restored in order to restart business operations:
To get going, Progent followed Anti-virus incident mitigation industry best practices by isolating and disinfecting systems. Progent then initiated the steps of rebuilding Microsoft Active Directory, the foundation of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without AD, and the customerís accounting and MRP software utilized SQL Server, which needs Windows AD for security authorization to the databases.
- Windows Active Directory
- Electronic Messaging
- MRP System
In less than 48 hours, Progent was able to re-build Active Directory to its pre-intrusion state. Progent then initiated reinstallations and storage recovery on mission critical systems. All Exchange Server schema and attributes were usable, which facilitated the restore of Exchange. Progent was also able to find non-encrypted OST files (Microsoft Outlook Offline Folder Files) on various desktop computers and laptops in order to recover email information. A not too old off-line backup of the businesses accounting/ERP software made them able to return these required services back on-line. Although significant work remained to recover totally from the Ryuk virus, essential services were restored quickly:
"For the most part, the production manufacturing operation ran fairly normal throughout and we delivered all customer orders."
Over the next couple of weeks critical milestones in the recovery project were completed in close collaboration between Progent team members and the customer:
- In-house web applications were restored without losing any data.
- The MailStore Exchange Server exceeding four million archived emails was spun up and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were completely operational.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- 90% of the desktop computers were functioning as before the incident.
"A huge amount of what happened in the initial days is nearly entirely a haze for me, but my team will not forget the care each of your team put in to give us our business back. Iíve been working with Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered as promised. This event was the most impressive ever."
A likely enterprise-killing disaster was avoided through the efforts of dedicated professionals, a wide range of knowledge, and tight teamwork. Although in post mortem the ransomware virus penetration detailed here would have been stopped with advanced security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, and well thought out security procedures for backup and keeping systems up to date with security patches, the fact remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware incident, feel confident that Progent's team of experts has extensive experience in ransomware virus blocking, removal, and file restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for making it so I could get some sleep after we made it past the first week. All of you did an impressive effort, and if any of your guys is around the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Campinas a range of remote monitoring and security assessment services designed to assist you to minimize your vulnerability to crypto-ransomware. These services incorporate next-generation machine learning technology to detect new variants of ransomware that can escape detection by legacy signature-based security solutions.
For Campinas 24x7x365 Crypto-Ransomware Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting edge behavior-based analysis tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which easily escape legacy signature-matching anti-virus tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to manage the complete malware attack progression including blocking, detection, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to security assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge technologies packaged within one agent managed from a single control. Progent's security and virtualization experts can help your business to plan and configure a ProSight ESP deployment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require immediate action. Progent can also assist your company to set up and test a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable end-to-end solution for secure backup/disaster recovery. For a low monthly price, ProSight DPS automates your backup processes and allows fast recovery of critical files, apps and virtual machines that have become lost or damaged as a result of hardware failures, software glitches, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images/. Critical data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's BDR consultants can provide world-class support to configure ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FINRA, and PCI and, whenever needed, can help you to recover your critical data. Find out more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security companies to deliver web-based management and comprehensive security for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite security gateway device adds a further level of inspection for incoming email. For outgoing email, the local gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to diagram, monitor, enhance and troubleshoot their networking hardware like switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are always current, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when potential issues are detected. By automating complex network management processes, ProSight WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, locating appliances that require important software patches, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system running at peak levels by checking the health of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT management personnel and your Progent engineering consultant so all looming issues can be addressed before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hosting solution without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect data related to your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of SSLs or domains. By updating and managing your IT documentation, you can save as much as half of time spent trying to find vital information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether youíre planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Read more about Progent's ProSight IT Asset Management service.