Crypto-Ransomware : Your Feared IT Nightmare
Crypto-Ransomware has become a modern cyberplague that represents an existential threat for businesses of all sizes unprepared for an assault. Different iterations of crypto-ransomware such as Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been out in the wild for years and continue to inflict havoc. More recent variants of ransomware like Ryuk and Hermes, plus frequent unnamed newcomers, not only do encryption of on-line information but also infect most configured system restores and backups. Information synched to off-site disaster recovery sites can also be encrypted. In a poorly architected data protection solution, it can make automatic recovery hopeless and effectively knocks the entire system back to zero.
Recovering services and data following a crypto-ransomware intrusion becomes a race against time as the targeted organization tries its best to stop lateral movement and clear the ransomware and to restore enterprise-critical operations. Due to the fact that ransomware takes time to spread, attacks are usually sprung on weekends, when penetrations may take more time to discover. This multiplies the difficulty of quickly mobilizing and coordinating a knowledgeable mitigation team.
Progent offers an assortment of services for securing businesses from ransomware penetrations. These include team training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of the latest generation security solutions with machine learning capabilities to intelligently discover and disable day-zero cyber attacks. Progent in addition provides the services of experienced ransomware recovery professionals with the talent and perseverance to rebuild a breached network as urgently as possible.
Progent's Ransomware Recovery Support Services
Soon after a ransomware penetration, paying the ransom demands in cryptocurrency does not guarantee that criminal gangs will respond with the needed keys to unencrypt all your files. Kaspersky estimated that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the typical crypto-ransomware demands, which ZDNET determined to be around $13,000. The alternative is to piece back together the key parts of your IT environment. Without the availability of complete information backups, this requires a wide range of IT skills, top notch team management, and the willingness to work continuously until the job is finished.
For two decades, Progent has made available expert IT services for businesses in Cleveland and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial management and ERP applications. This breadth of expertise affords Progent the skills to quickly identify necessary systems and integrate the remaining pieces of your IT environment following a ransomware penetration and assemble them into an operational network.
Progent's recovery group uses best of breed project management tools to orchestrate the complex restoration process. Progent appreciates the importance of working swiftly and together with a customerís management and IT team members to prioritize tasks and to get essential services back on line as soon as possible.
Customer Story: A Successful Ransomware Incident Response
A business contacted Progent after their organization was brought down by the Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state hackers, suspected of using strategies exposed from Americaís NSA organization. Ryuk attacks specific companies with little or no room for operational disruption and is one of the most lucrative versions of ransomware. Well Known targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in Chicago with about 500 workers. The Ryuk attack had paralyzed all company operations and manufacturing processes. The majority of the client's data backups had been online at the beginning of the intrusion and were encrypted. The client was pursuing financing for paying the ransom demand (exceeding $200,000) and praying for the best, but in the end brought in Progent.
"I canít say enough in regards to the expertise Progent provided us throughout the most stressful time of (our) businesses survival. We most likely would have paid the hackers behind this attack if it wasnít for the confidence the Progent group gave us. That you could get our messaging and key servers back into operation sooner than five days was incredible. Every single expert I got help from or messaged at Progent was urgently focused on getting us operational and was working at all hours to bail us out."
Progent worked with the client to quickly assess and prioritize the key systems that had to be recovered to make it possible to restart company functions:
To start, Progent adhered to Anti-virus event mitigation best practices by isolating and cleaning systems of viruses. Progent then began the process of restoring Microsoft Active Directory, the foundation of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange messaging will not work without AD, and the client's accounting and MRP software used Microsoft SQL Server, which requires Active Directory services for security authorization to the databases.
- Microsoft Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
Within 48 hours, Progent was able to restore Active Directory services to its pre-virus state. Progent then initiated rebuilding and hard drive recovery on the most important servers. All Exchange ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to find intact OST data files (Microsoft Outlook Off-Line Data Files) on team PCs in order to recover mail information. A recent off-line backup of the businesses financials/ERP systems made them able to restore these vital programs back available to users. Although a lot of work needed to be completed to recover fully from the Ryuk attack, critical services were returned to operations quickly:
"For the most part, the manufacturing operation never missed a beat and we did not miss any customer shipments."
Throughout the next month key milestones in the recovery process were achieved in tight cooperation between Progent consultants and the client:
- Internal web applications were returned to operation without losing any data.
- The MailStore Server containing more than four million historical emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were fully operational.
- A new Palo Alto 850 security appliance was brought on-line.
- 90% of the user desktops were operational.
"So much of what happened in the initial days is nearly entirely a fog for me, but I will not forget the dedication each and every one of your team accomplished to help get our business back. I have utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has shined and delivered. This situation was a testament to your capabilities."
A potential company-ending catastrophe was evaded by hard-working professionals, a broad range of technical expertise, and tight teamwork. Although upon completion of forensics the ransomware incident described here could have been identified and stopped with current cyber security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and properly executed security procedures for information backup and applying software patches, the fact remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incident, remember that Progent's roster of experts has proven experience in ransomware virus blocking, mitigation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), thanks very much for letting me get rested after we made it through the initial fire. All of you did an fabulous effort, and if anyone is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Cleveland a range of online monitoring and security evaluation services to help you to reduce the threat from ransomware. These services include next-generation artificial intelligence capability to detect zero-day variants of crypto-ransomware that can evade legacy signature-based anti-virus solutions.
For 24x7x365 Cleveland Crypto Remediation Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting edge behavior analysis tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely evade traditional signature-based AV products. ProSight ASM protects local and cloud resources and provides a single platform to manage the complete malware attack lifecycle including protection, infiltration detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection services deliver economical in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device control, and web filtering via cutting-edge technologies incorporated within one agent managed from a unified control. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP environment that addresses your company's unique requirements and that helps you prove compliance with government and industry data security standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that call for urgent attention. Progent's consultants can also help your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and medium-sized businesses an affordable end-to-end solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight DPS automates and monitors your backup processes and enables fast recovery of vital data, applications and VMs that have become unavailable or corrupted as a result of hardware failures, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery specialists can provide advanced expertise to configure ProSight DPS to be compliant with government and industry regulatory requirements like HIPPA, FINRA, PCI and Safe Harbor and, when necessary, can assist you to restore your critical information. Find out more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading data security companies to deliver web-based control and world-class protection for your email traffic. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based malware. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from making it to your security perimeter. This decreases your vulnerability to inbound attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway device provides a further level of inspection for inbound email. For outbound email, the on-premises security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to map out, track, reconfigure and debug their networking appliances like routers, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and manages the configuration of almost all devices connected to your network, monitors performance, and sends notices when issues are detected. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, finding appliances that require critical updates, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by tracking the health of vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT personnel and your assigned Progent consultant so that any potential issues can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Since the system is virtualized, it can be moved easily to a different hosting environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard information about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs or domains. By cleaning up and organizing your network documentation, you can save up to 50% of time wasted looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether youíre planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require when you need it. Learn more about ProSight IT Asset Management service.