Ransomware: Your Feared Information Technology Nightmare
Crypto-ransomware has become a modern cyberplague that represents an extinction-level threat for organizations vulnerable to an attack. Different iterations of ransomware like the CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been circulating for years and still inflict harm. The latest variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Egregor, along with daily unnamed malware, not only encrypt online critical data but also infiltrate many configured system restores and backups. Information synchronized to cloud environments can also be rendered useless. In a poorly architected environment, this can make automatic recovery useless and basically sets the network back to zero.
Getting back programs and information after a ransomware intrusion becomes a race against time as the victim struggles to stop lateral movement, clean up the ransomware, and resume enterprise-critical operations. Because crypto-ransomware takes time to move laterally, penetrations are usually launched at night, when they typically take longer to detect. This multiplies the difficulty of promptly marshalling and organizing an experienced response team.
Progent makes available an assortment of support services for securing organizations from crypto-ransomware events. These include team member training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of the latest generation security solutions with machine learning technology to automatically detect and suppress new threats. Progent in addition provides the services of veteran ransomware recovery consultants with the track record and commitment to restore a compromised network as urgently as possible.
Progent's Ransomware Restoration Support Services
Subsequent to a ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not ensure that distant criminals will return the codes needed to decrypt all your information. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual crypto-ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to set up from scratch the critical elements of your Information Technology environment. Without access to full data backups, this requires a broad range of IT skills, professional project management, and the willingness to work continuously until the task is finished.
For two decades, Progent has provided certified expert Information Technology services for companies in Charleston and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have been awarded advanced certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of expertise affords Progent the capability to rapidly understand important systems and organize the surviving components of your network system after a ransomware penetration and configure them into a functioning system.
Progent's security team of experts deploys state-of-the-art project management applications to coordinate the complicated recovery process. Progent appreciates the urgency of acting rapidly and works together with a customer's management and IT team members to assign priority to tasks and to put essential applications back online as fast as humanly possible.
Customer Story: A Successful Ransomware Intrusion Recovery
A small business contacted Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean government-sponsored hackers, suspected of adopting techniques leaked from the United States NSA. Ryuk goes after specific organizations with little or no tolerance for operational disruption and is one of the most profitable incarnations of ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk event had frozen all company operations and manufacturing processes. Most of the client's data backups had been directly accessible at the start of the attack and were destroyed. The client was actively seeking loans to pay the ransom (exceeding two hundred thousand dollars) and hoping for the best, but in the end brought in Progent.
"I cannot speak enough about the support Progent provided us during the most stressful time of (our) company's survival. We most likely would have paid the cyber criminals except for the confidence the Progent group gave us. That you could get our e-mail system and important servers back on-line sooner than five days was something I thought impossible. Each consultant I got help from or messaged at Progent was amazingly focused on getting our system up and was working at breakneck pace on our behalf."
Progent worked hand in hand with the client to rapidly assess and prioritize the critical areas that needed to be addressed in order to continue departmental functions:
- Active Directory
- Microsoft Exchange Server
To start, Progent adhered to industry best practices for anti-virus/malware incident response by halting lateral movement and performing malware removal steps. Progent then began restoring Windows Active Directory, the core of enterprise systems built upon Microsoft Windows technology. Exchange messaging will not operate without AD, and the business's accounting and MRP software used SQL Server, which relies on Active Directory for authorizing access to the database.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then rebuilt critical applications and recovered their storage. All Microsoft Exchange Server links and configuration information were intact, which facilitated the restore of Exchange. Progent was able to locate local OST data files (Outlook Offline Folder Files) on team PCs in order to recover email messages. A recent offline backup of the business's accounting/MRP systems made it possible to bring these vital services back to users. Although major work was left to recover completely from the Ryuk event, core systems were restored rapidly:
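The OST recovery step described above can be scripted so that every workstation is inventoried the same way before anything is copied. The following PowerShell script is an added example, not Progent's tooling or code from this case study: it locates Outlook OST files under each local user profile, records a SHA-256 hash and timestamp for each, writes a CSV report, and optionally stages copies to a recovery share. The share path `\\RECOVERY-HOST\ost-staging` is a placeholder assumption, as is the default OST location (the standard `%LOCALAPPDATA%\Microsoft\Outlook` folder).

```powershell
# Added example (not Progent's code): inventory Outlook OST files on one workstation
# so mailbox data can be staged for reconstruction after an incident.
# Assumptions: run locally with administrator rights; Outlook is closed;
# the recovery share below is a placeholder, not a value from this case study.
param(
    [string]$RecoveryShare = '\\RECOVERY-HOST\ost-staging',   # placeholder
    [switch]$Copy                                              # stage copies when set
)

# Modern Outlook keeps the OST under each user's local AppData by default.
$ostFiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $outlookDir = Join-Path $_.FullName 'AppData\Local\Microsoft\Outlook'
        if (Test-Path $outlookDir) {
            Get-ChildItem -Path $outlookDir -Filter '*.ost' -File -ErrorAction SilentlyContinue
        }
    }

$report = foreach ($f in $ostFiles) {
    # Hash before copying so the staged copy can later be shown to be unmodified.
    # An OST that Outlook still has open is locked and cannot be read.
    try   { $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash }
    catch { $hash = 'UNREADABLE' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        User          = $f.FullName.Split('\')[2]      # C:\Users\<user>\...
        File          = $f.FullName
        SizeMB        = [math]::Round($f.Length / 1MB, 1)
        LastWriteTime = $f.LastWriteTime
        SHA256        = $hash
    }
}

$report | Format-Table -AutoSize
$csv = Join-Path $env:TEMP "ost-inventory-$env:COMPUTERNAME.csv"
$report | Export-Csv -Path $csv -NoTypeInformation

if ($Copy) {
    foreach ($r in $report | Where-Object { $_.SHA256 -ne 'UNREADABLE' }) {
        $dest = Join-Path $RecoveryShare "$($r.Computer)\$($r.User)"
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -Path $r.File -Destination $dest -ErrorAction Stop
    }
}
```

Run it per workstation (for example through your RMM tool) with Outlook closed; any OST that Outlook still has open is reported as UNREADABLE and skipped until Outlook exits. An OST is bound to the Outlook profile that created it, so the cleanest recovery path is to export mail to a PST from that profile on the same PC, keeping the staged raw OST copy as the fallback for dedicated recovery tools.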
"For the most part, the production operation did not miss a beat and we did not miss any customer shipments."
During the following few weeks, critical milestones in the restoration process were completed through tight collaboration between Progent consultants and the client:
- Internal web sites were returned to operation without losing any information.
- The MailStore Microsoft Exchange Server containing more than 4 million historical emails was spun up and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory modules were 100% operational.
- A new Palo Alto 850 firewall was brought online.
- Nearly all of the user PCs were operational.
"So much of what was accomplished in the initial days is nearly entirely a blur for me, but we will not soon forget the countless hours each of the team put in to give us our company back. I have entrusted Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This time was a testament to your capabilities."
A potential company-ending catastrophe was evaded by results-oriented experts, a wide spectrum of technical expertise, and close teamwork. In analyzing the event afterwards, the crypto-ransomware attack detailed here would have been identified and disabled with current cyber security technology and security best practices, staff training, and appropriate security procedures for information backup and proper patching controls. Even so, the reality remains that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, feel confident that Progent's team of experts has a proven track record in crypto-ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for making it so I could get some sleep after we made it past the first week. All of you did an amazing job, and if any of your guys is around the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Charleston a variety of online monitoring and security evaluation services designed to help you minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence technology to uncover new variants of ransomware that can escape detection by legacy signature-based anti-virus products.
For Charleston 24-7 Ransomware Removal Experts, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that uses next-generation behavior-based machine learning tools to defend physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which easily evade legacy signature-based anti-virus products. ProSight ASM protects on-premises and cloud resources and offers a single platform to automate the entire malware attack lifecycle including protection, identification, mitigation, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge tools incorporated within one agent managed from a single console. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP deployment that meets your organization's unique needs and that allows you to prove compliance with legal and industry data protection regulations. Progent will assist you in defining and configuring the policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent can also assist your company to set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and mid-sized businesses a low-cost and fully managed service for secure backup/disaster recovery. For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows rapid recovery of critical data, apps and VMs that have become unavailable or corrupted due to component breakdowns, software bugs, disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or to both. Progent's cloud backup specialists can provide advanced support to set up ProSight Data Protection Services to comply with regulatory requirements like HIPAA, FERPA, and PCI and, when necessary, can assist you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to provide web-based management and comprehensive security for all your inbound and outbound email. The powerful structure of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway device to offer complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This decreases your vulnerability to inbound attacks and saves system bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further level of analysis for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map out, track, optimize and troubleshoot their networking appliances like routers, switches, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, captures and displays the configuration of almost all devices connected to your network, tracks performance, and sends alerts when potential issues are detected. By automating complex network management processes, WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating devices that need critical software patches, or resolving performance issues. Find out more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by tracking the state of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT staff and your Progent engineering consultant so that any potential issues can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your business network, like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.