Ransomware: Your Feared IT Nightmare
Ransomware has become an all-too-frequent cyber pandemic that presents an existential threat to organizations unprepared for an attack. Ransomware families such as CrySIS, WannaCry, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been circulating for years and still cause destruction. Newer crypto-ransomware variants like Ryuk and Hermes, plus others not yet named, not only encrypt online files but also encrypt every reachable system restore point and backup. Data synchronized to the cloud can be corrupted as well. In a vulnerable environment this can make any restore operation hopeless and effectively sets the network back to square one.
Recovering applications and data after a crypto-ransomware intrusion becomes a race against the clock as the victim struggles to contain the damage, remove the ransomware, and resume mission-critical operations. Because ransomware needs time to move laterally, attacks are frequently launched on weekends and at night, when a successful intrusion may take longer to discover. This compounds the difficulty of promptly assembling and coordinating an experienced response team.
Progent offers an assortment of support services for protecting enterprises from ransomware events. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of modern security appliances that use machine learning to automatically detect and quarantine zero-day attacks. Progent also provides the assistance of veteran crypto-ransomware recovery professionals with the track record and commitment to rebuild a breached environment as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, paying the ransom in Bitcoin provides no assurance that the criminal gang will supply the keys to decrypt any of your data. Kaspersky determined that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET estimates averages around $13,000. The alternative is to rebuild the mission-critical components of your IT environment from scratch. Without complete data backups, this calls for a wide range of skill sets, well-coordinated project management, and the ability to work around the clock until the recovery project is complete.
For twenty years, Progent has provided expert IT services to companies in Chattanooga and throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold top certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security experts hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP application software. This breadth of expertise gives Progent the ability to quickly identify critical systems, organize the surviving parts of your IT environment after a crypto-ransomware event, and configure them into an operational system.
Progent's ransomware team uses powerful project management applications to orchestrate the complicated recovery process. Progent appreciates the urgency of working quickly and in concert with a client's management and IT staff to prioritize tasks and get critical services back online as fast as humanly possible.
Client Story: A Successful Ransomware Penetration Recovery
A customer engaged Progent after their network was penetrated by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state-sponsored criminal gangs, suspected of adopting technology leaked from the U.S. NSA. Ryuk targets specific businesses with limited tolerance for disruption and is among the most profitable examples of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago with about 500 employees. The Ryuk event had brought down all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client was considering paying the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end called Progent.
"I can’t speak enough in regards to the support Progent gave us throughout the most critical period of (our) company’s life. We had little choice but to pay the criminal gangs if not for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and essential servers back into operation faster than seven days was incredible. Every single person I worked with or e-mailed at Progent was totally committed to getting us operational and was working 24/7 to bail us out."
Progent worked with the client to quickly assess and prioritize the most important areas that had to be addressed to make it possible to continue departmental operations:
- Active Directory
- Electronic Mail
To start, Progent followed anti-malware incident response best practices by halting lateral movement and removing active malware. Progent then began recovering Microsoft Active Directory, the heart of enterprise networks built on Microsoft Windows Server. Microsoft Exchange email will not operate without Windows AD, and the customer’s financial and MRP systems used SQL Server, which depends on Active Directory for authentication and authorization of access to the data.
Within 48 hours, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then completed the configuration and storage recovery of the most important applications. All Exchange schema and attributes were intact, which simplified the Exchange rebuild. Progent was able to locate local OST files (Outlook Offline Data Files) on various PCs to recover mail data. A fairly recent offline backup of the business's accounting/MRP software made it possible to bring these essential applications back to users. Although a large amount of work remained to recover fully from the Ryuk damage, essential systems were restored rapidly:
"For the most part, the production line operation ran fairly normal throughout and we made all customer sales."
Over the next couple of weeks, important milestones in the restoration project were reached in close collaboration between Progent team members and the customer:
- Internal web applications were brought back up without losing any data.
- The MailStore Microsoft Exchange Server containing more than four million archived messages was spun up and available for users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory modules were 100% functional.
- A new Palo Alto Networks 850 firewall was set up and programmed.
- Most of the desktops and laptops were back in use by staff.
"So much of what happened in the early hours is mostly a haze for me, but we will not soon forget the countless hours each of the team accomplished to give us our business back. I have been working with Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered. This event was no exception but maybe more Herculean."
A likely business-ending disaster was averted by results-oriented experts, a broad array of knowledge, and tight teamwork. Although in hindsight the ransomware incident described here could have been blocked with modern cyber security systems, ISO/IEC 27001 best practices, staff education, appropriate incident response procedures for data protection, and proper patch management, the fact remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and are not going away. If you are hit by ransomware, remember that Progent's team of professionals has substantial experience in ransomware blocking, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), thank you for making it so I could get some sleep after we made it past the initial push. All of you did an amazing effort, and if anyone is in the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Chattanooga a portfolio of online monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services utilize modern machine learning capability to uncover new variants of ransomware that can get past traditional signature-based security solutions.
For Chattanooga 24/7/365 Ransomware Repair Support Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting-edge behavior-based machine learning to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a unified platform to automate the entire threat lifecycle, including filtering, intrusion detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback using the Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help you plan and configure a ProSight ESP environment that meets your organization's unique requirements and that allows you to achieve and demonstrate compliance with government and industry data security regulations. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent action. Progent's consultants can also help you set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end service for reliable backup and disaster recovery (BDR). For a low monthly price, ProSight DPS automates and monitors your backup activities and enables rapid recovery of critical files, applications and VMs that have become unavailable or corrupted as a result of component failures, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class expertise to set up ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can assist you in recovering your critical information. Find out more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to provide web-based control and world-class security for all your inbound and outbound email. The hybrid structure of Email Guard combines cloud-based filtering with a local gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of threats before they reach your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway device provides a deeper layer of analysis for incoming email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, data leak prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server track and protect internal email that originates and ends within your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to map out, monitor, enhance and debug their networking hardware like switches, firewalls, and load balancers plus servers, client computers and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network diagrams are kept current, captures and manages the configuration of almost all devices connected to your network, tracks performance, and sends notices when problems are detected. By automating time-consuming management processes, ProSight WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, locating devices that require important updates, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by checking the health of the critical assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management staff and your assigned Progent consultant so that looming problems can be addressed before they disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to a different hardware environment without a time-consuming and difficult reconfiguration process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and protect data about your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can eliminate up to half of the time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your business network, such as standard operating procedures and how-to guides. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you’re planning enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Find out more about ProSight IT Asset Management service.