Ransomware: Your Worst Information Technology Disaster
Ransomware has become an all-too-frequent cyber pandemic and represents an extinction-level threat for organizations unprepared for an attack. Families such as Reveton, WannaCry, Bad Rabbit and MongoLock, along with lockers that abuse the Windows Syskey utility, have been circulating for years and continue to cause harm (WannaCry and Bad Rabbit spread as self-propagating worms). Current strains such as Ryuk and its predecessor Hermes, plus new and as yet unnamed variants appearing daily, not only encrypt online files but also seek out and encrypt or delete any backups reachable from the compromised network, including Windows shadow copies. Files replicated to off-site disaster recovery sites can be corrupted as well. In a poorly designed system this can render restoration hopeless and effectively sets the entire environment back to zero.
Restoring applications and data after a ransomware event becomes a race against the clock as the targeted organization struggles to contain the damage, eradicate the ransomware, and restore business-critical activity. Because ransomware takes time to spread, attackers frequently trigger the encryption during nights and weekends, when the attack often takes longer to discover. This compounds the difficulty of promptly mobilizing and coordinating an experienced response team.
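As an added example (not part of Progent's page or its services), the following Python script shows what "attacking the backups" looks like on the wire and how to spot it: it scans process-creation log lines for the commands that ransomware families such as Ryuk run to delete Volume Shadow Copies, wipe the Windows Backup catalog and disable boot recovery before encryption starts. The simplified log line format, host names, users and timestamps are constructed for the example; the command patterns are documented ransomware tradecraft, not something taken from this page.

```python
"""Flag process-creation log lines that match the backup-destruction commands
ransomware typically runs before encrypting.

Added example, not from the original page. Log lines are a constructed,
simplified Sysmon/4688-style format:
    <timestamp> host=<host> user=<user> cmd=<command line>
"""
import re
from dataclasses import dataclass

# Each rule: a short name and a case-insensitive regex over the command line.
BACKUP_DESTRUCTION_RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vss_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadow_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("bcdedit_norecovery", re.compile(
        r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell_vss", re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


@dataclass
class Hit:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str


def parse_line(line):
    """Return the line's fields as a dict, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Return one Hit per (line, rule) match; unparseable lines are skipped."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in BACKUP_DESTRUCTION_RULES:
            if rx.search(rec["cmd"]):
                hits.append(Hit(rec["ts"], rec["host"], rec["user"], name, rec["cmd"]))
    return hits


def hosts_at_risk(lines, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired. A cluster of
    different backup-destruction commands is far stronger evidence than one
    administrator running vssadmin by hand."""
    by_host = {}
    for h in scan(lines):
        by_host.setdefault(h.host, set()).add(h.rule)
    return sorted(host for host, rules in by_host.items() if len(rules) >= threshold)


# Constructed sample log: one file server being prepared for encryption, one
# benign Outlook start, one WMIC shadow deletion, and one malformed line.
SAMPLE_LOG = """\
2019-03-02T02:14:07Z host=FS01 user=CORP\\svc_backup cmd=C:\\Windows\\System32\\vssadmin.exe list shadows
2019-03-02T02:14:09Z host=FS01 user=CORP\\svc_backup cmd=vssadmin.exe Delete Shadows /All /Quiet
2019-03-02T02:14:10Z host=FS01 user=CORP\\svc_backup cmd=wbadmin DELETE CATALOG -quiet
2019-03-02T02:14:11Z host=FS01 user=CORP\\svc_backup cmd=bcdedit /set {default} recoveryenabled No
2019-03-02T02:14:12Z host=WS17 user=CORP\\jdoe cmd="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
2019-03-02T02:15:40Z host=SQL01 user=SYSTEM cmd=wmic.exe shadowcopy delete
this line is not in the expected format
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"{h.ts} {h.host:6} {h.rule:20} {h.cmd}")
    print("hosts at risk:", hosts_at_risk(SAMPLE_LOG.splitlines()))
```

Flagging a host only when several distinct rules fire keeps a single legitimate vssadmin invocation by an administrator from paging the on-call engineer; in production the same patterns would run over Sysmon Event ID 1 or Windows Security Event 4688 command lines rather than this constructed format.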
Progent offers a range of services for protecting businesses from ransomware attacks. These include staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security gateways with machine-learning capabilities to rapidly detect and block zero-day attacks. Progent can also provide seasoned ransomware recovery professionals with the skill and commitment to rebuild a breached system as quickly as possible.
Progent's Ransomware Recovery Support Services
Following a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will provide working keys to decrypt your files. Kaspersky Lab estimated that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet estimated at approximately $13,000. The alternative is to rebuild the mission-critical elements of your IT environment from scratch. Without usable backups, this requires a wide range of IT skills, top-notch project management, and the willingness to work around the clock until the recovery is complete.
For decades, Progent has provided professional IT services for businesses in Columbus and across the United States and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and major Linux distributions. Progent's security consultants hold internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise lets Progent quickly identify critical systems, gather the surviving pieces of your IT environment after a ransomware attack, and reassemble them into a working system.
Progent's security team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and works with the client's management and IT staff to prioritize tasks and bring the most important applications back online as fast as possible.
Case Study: A Successful Crypto-Ransomware Virus Response
A business engaged Progent after its network was brought down by Ryuk ransomware. Ryuk shares code with the earlier Hermes ransomware, which initially led analysts to attribute it to North Korean state-sponsored actors; later analysis attributed Ryuk operations to a Russian-speaking criminal group. Ryuk targets specific companies with little tolerance for downtime and is one of the most lucrative ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had halted all business operations and manufacturing processes. Most of the client's backups had been online when the attack began and were encrypted. The client was actively seeking loans to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately decided to engage Progent instead.
"I can't tell you enough about the care Progent gave us during the most stressful period of (our) company's survival. We would have had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent group afforded us. That you were able to get our messaging and critical applications back quicker than one week was incredible. Each person I interacted with or e-mailed at Progent was urgently focused on getting our company operational and was working 24 by 7 on our behalf."
Progent worked with the customer to rapidly identify and prioritize the essential applications that had to be addressed in order to resume departmental functions:
- Active Directory
- Exchange Server
- Accounting and Manufacturing Software
Progent first followed ransomware incident response best practices by isolating affected systems to halt the spread and cleaning infected machines. Progent then began rebuilding Microsoft Active Directory, the foundation of any enterprise network built on Microsoft technology: Exchange Server cannot run without Active Directory, and the client's accounting and MRP system ran on SQL Server, which authenticated users through Active Directory.
Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then began rebuilding the most important servers and recovering data from their disks. All Exchange data and configuration information were usable, which greatly simplified the Exchange rebuild. Progent located unencrypted Outlook offline data files (.ost) on staff desktops and laptops and used them to recover email. A reasonably recent offline backup of the client's accounting/MRP system made it possible to bring those vital applications back online. Although significant work remained to recover fully from the Ryuk attack, essential systems were restored quickly:
"For the most part, the production manufacturing operation did not miss a beat and we produced all customer sales."
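The email recovery step above depends on quickly sorting the .ost files scattered across workstations into ones that are still intact and ones the ransomware reached. As an added example (not Progent's code or tooling), the Python script below triages a directory tree of Outlook offline data files by checking for the PFF on-disk signature that every PST/OST header carries (the ASCII magic "!BDN" at offset 0 and the client magic "SM" at offset 8, per Microsoft's [MS-PST] specification) and, where the signature is gone, measuring byte entropy to distinguish ciphertext from a merely damaged file. The sample files are constructed in a temporary directory; the ".RYK" suffix and the rule that an OST renamed with an extra extension is still worth examining are assumptions about a particular campaign, not facts from this page.

```python
"""Triage Outlook offline data files (.ost/.pst) found on workstations after a
ransomware incident: which still carry the PFF file signature and look intact,
and which look encrypted.

Added example, not from the original page. Assumes the PFF/PST/OST header
layout from [MS-PST]: dwMagic "!BDN" at offset 0, wMagicClient "SM" at offset 8.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

PFF_MAGIC = b"!BDN"          # dwMagic at offset 0
PFF_CLIENT_MAGIC = b"SM"     # wMagicClient at offset 8 for PST/OST
SAMPLE_BYTES = 64 * 1024     # entropy is measured over the first 64 KiB only


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower
    for the mostly-zero, structured header region of a real OST."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_ost(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one file."""
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    if head[:4] == PFF_MAGIC and head[8:10] == PFF_CLIENT_MAGIC:
        return "intact"
    # Signature gone and near-random content: almost certainly ciphertext.
    if shannon_entropy(head) > 7.5:
        return "encrypted"
    # Signature gone but low entropy: truncated, zero-filled or otherwise damaged.
    return "unknown"


def triage(root: Path) -> dict:
    """Walk `root` for OST/PST files, including ones renamed with a ransomware
    extension (e.g. jdoe.ost.RYK), and return {posix relative path: verdict}."""
    verdicts = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        name = p.name.lower()
        if name.endswith((".ost", ".pst")) or ".ost." in name or ".pst." in name:
            verdicts[p.relative_to(root).as_posix()] = classify_ost(p)
    return verdicts


def build_sample_tree() -> Path:
    """Constructed fixtures (not real user data): one intact-looking OST, one
    'encrypted' OST with an assumed .RYK suffix, one zero-filled stub, and an
    unrelated file that must be ignored."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    (root / "WS17").mkdir()
    intact = bytearray(4096)
    intact[0:4] = PFF_MAGIC
    intact[8:10] = PFF_CLIENT_MAGIC
    (root / "WS17" / "jdoe.ost").write_bytes(bytes(intact))
    (root / "WS17" / "jdoe.ost.RYK").write_bytes(os.urandom(8192))  # simulated ciphertext
    (root / "WS17" / "empty.ost").write_bytes(bytes(4096))
    (root / "WS17" / "notes.txt").write_bytes(b"unrelated")
    return root


if __name__ == "__main__":
    for path, verdict in sorted(triage(build_sample_tree()).items()):
        print(f"{verdict:9} {path}")
```

On a real engagement the root would be a collection share that workstations' profile directories were copied to, and "intact" files would still be opened read-only in a clean Outlook profile before being trusted; the signature check only proves the header survived, not that every page inside did.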
Over the following month, key milestones in the recovery project were achieved in close collaboration between Progent engineers and the client:
- In-house web sites were returned to operation with no loss of data.
- The MailStore Server archive, with over 4 million messages, was brought back online and made accessible to users.
- CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Nearly all user desktops were functioning as they had before the incident.
"So much of what occurred in the early hours is nearly entirely a fog for me, but my team will not forget the care each and every one of you put in to help get our business back. I have trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered. This event was a life saver."
A potential business-extinction event was averted through hard-working experts, a broad range of technical expertise, and tight teamwork. In hindsight, the ransomware intrusion described here should have been detected and blocked by current security tooling and best practices: staff training, timely patching, backups isolated from the production network, and documented incident response procedures. The reality, however, is that criminal and state-sponsored cyber gangs from Russia, China and elsewhere are tireless and will keep attacking. If you do fall victim to a ransomware incident, you can be confident that Progent's team has extensive experience in ransomware defense, removal, and data recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for allowing me to get some sleep after we got over the initial push. Everyone made an amazing effort, and if anyone is around the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer story, click:
Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Columbus a portfolio of remote monitoring and security assessment services to help reduce the threat from ransomware. These services include machine-learning detection of zero-day ransomware strains that evade legacy signature-based security tools.
For Columbus 24/7 Crypto-Ransomware Remediation Consultants, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that uses next-generation behavioral analysis to defend physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which routinely evade legacy signature-based antivirus tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to manage the entire malware attack progression including blocking, intrusion detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback using the Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Because many ransomware families delete shadow copies before encrypting, the value of such rollback depends on the agent preventing that deletion. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to security threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device management, and web filtering via leading-edge technologies packaged within one agent accessible from a unified console. Progent's security and virtualization consultants can help your business to plan and configure a ProSight ESP environment that meets your company's specific requirements and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent's consultants can also help you to install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable end-to-end solution for reliable backup and disaster recovery. For a low monthly cost, ProSight DPS automates and monitors your backup activities and enables fast restoration of vital data, applications and VMs that have become unavailable or damaged as a result of hardware failures, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local storage device, or to both. Progent's backup and recovery specialists can provide world-class expertise to configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you restore your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading data security vendors to deliver web-based control and world-class protection for your email traffic. The hybrid structure of Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter serves as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This decreases your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further layer of analysis for inbound email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to diagram, monitor, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and access points plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are kept current, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when problems are detected. By automating complex network management processes, WAN Watch can knock hours off ordinary chores like making network diagrams, reconfiguring your network, locating appliances that require critical software patches, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your network running at peak levels by checking the health of the critical computers that power your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management personnel and your Progent consultant so potential issues can be addressed before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to an alternate hardware solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard data about your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can eliminate as much as 50% of the time wasted trying to find vital information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.