Ransomware : Your Worst Information Technology Nightmare
Ransomware has become a too-frequent cyberplague that represents an existential threat for businesses unprepared for an assault. Multiple generations of ransomware like the Dharma, WannaCry, Locky, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict damage. Modern versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, along with more unnamed newcomers, not only encrypt on-line data files but also infect any system backups they can reach. Files synched to the cloud can also be rendered useless. In a poorly architected system, an attack can render automatic restore operations hopeless and basically set the datacenter back to zero.
Retrieving programs and information following a ransomware attack becomes a sprint against time as the targeted organization tries its best to contain and remove the ransomware and to resume business-critical operations. Since ransomware needs time to replicate, penetrations are frequently launched on weekends, when attacks may take more time to recognize. This compounds the difficulty of promptly marshalling and coordinating a knowledgeable mitigation team.
Progent offers a range of services for protecting businesses from ransomware penetrations. These include team member education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security solutions with artificial intelligence technology to intelligently detect and disable day-zero threats. Progent in addition can provide the services of experienced crypto-ransomware recovery professionals with the skills and commitment to restore a breached system as rapidly as possible.
Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the cyber hackers will provide the keys to decrypt any of your data. Kaspersky ascertained that seventeen percent of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to set up from scratch the essential elements of your Information Technology environment. Without usable backups of essential information, this calls for a broad range of skills, well-coordinated team management, and the capability to work continuously until the job is done.
For decades, Progent has offered professional IT services for companies in Toledo and across the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with financial management and ERP applications. This breadth of expertise gives Progent the skills to rapidly identify critical systems, organize the remaining pieces of your Information Technology system following a crypto-ransomware penetration, and assemble them into an operational system.
Progent's recovery team of experts uses powerful project management applications to orchestrate the complicated recovery process. Progent knows the urgency of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and to get critical applications back online as fast as possible.
Case Study: A Successful Ransomware Virus Restoration
A small business escalated to Progent after their network system was brought down by Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored hackers, possibly adopting approaches leaked from the U.S. National Security Agency. Ryuk attacks specific companies with little or no room for operational disruption and is one of the most lucrative incarnations of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area and has about 500 staff members. The Ryuk intrusion had brought down all essential operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the beginning of the intrusion and were destroyed. The client was evaluating paying the ransom demand (in excess of two hundred thousand dollars) and hoping for good luck, but in the end reached out to Progent.
"I can't say enough about the help Progent provided us during the most fearful period of (our) business's survival. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent experts afforded us. That you were able to get our e-mail and key applications back quicker than 1 week was beyond my wildest dreams. Every single staff member I spoke to or messaged at Progent was amazingly focused on getting our company operational and was working day and night to bail us out."
Progent worked hand in hand with the customer to rapidly assess and prioritize the mission-critical services that had to be restored in order to continue business operations:
- Microsoft Active Directory
- Microsoft Exchange Server
- MRP System
To begin, Progent followed industry best practices for malware incident response by stopping the spread and cleaning up infected systems. Progent then started the work of bringing Windows Active Directory back online, the key technology of enterprise networks built on Microsoft Windows. Exchange email will not function without AD, and the business's financials and MRP applications relied on Microsoft SQL Server, which needs Active Directory services to authenticate users to the database.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then moved on to rebuilding the required servers and recovering their storage. All Microsoft Exchange Server schema and configuration information was intact, which accelerated the restore of Exchange. Progent was able to collect intact OST files (Outlook Offline Data Files) on various PCs in order to recover mail messages. A reasonably recent offline backup of the client's financials/MRP systems made it possible to bring these required services back on-line. Although a lot of work still had to be done to recover totally from the Ryuk event, essential systems were recovered rapidly:
"For the most part, the production manufacturing operation showed little impact and we made all customer shipments."
During the next month important milestones in the restoration project were achieved in close collaboration between Progent engineers and the client:
- Internal web applications were brought back up with no loss of data.
- The MailStore archive server, holding more than four million historical Exchange messages, was restored to operation and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were 100% functional.
- A new Palo Alto 850 firewall was set up.
- Most of the desktops and laptops were fully operational.
"A huge amount of what happened those first few days is nearly entirely a haze for me, but I will not soon forget the countless hours each and every one of you accomplished to help get our business back. I've utilized Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This event was a stunning achievement."
A potential business-killing catastrophe was averted with dedicated experts, a wide array of knowledge, and tight teamwork. Although forensics performed after the recovery showed that the ransomware penetration described here should have been blocked by advanced cyber security technology and security best practices, staff education, and well designed incident response procedures for information backup and applying software patches, the reality remains that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's team of professionals has proven experience in ransomware blocking, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for letting me get some sleep after we got through the most critical parts. Everyone did a fabulous effort, and if anyone that helped is around the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Toledo a range of online monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services include next-generation AI technology to uncover zero-day strains of crypto-ransomware that can escape detection by legacy signature-based security products.
For 24/7/365 Toledo Crypto-Ransomware Cleanup Support Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior-based analysis technology to guard physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which easily escape legacy signature-based AV products. ProSight ASM safeguards local and cloud-based resources and offers a single platform to manage the complete threat lifecycle including filtering, infiltration detection, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver economical multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, endpoint control, and web filtering via leading-edge technologies packaged within a single agent managed from a single control. Progent's security and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that addresses your company's specific needs and that helps you achieve and demonstrate compliance with government and industry information protection standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent's consultants can also assist your company to install and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and mid-sized businesses a low cost and fully managed service for reliable backup/disaster recovery (BDR). For a low monthly price, ProSight DPS automates and monitors your backup activities and allows rapid recovery of critical data, apps and VMs that have become unavailable or damaged as a result of component breakdowns, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery specialists can deliver advanced expertise to configure ProSight Data Protection Services to comply with regulatory standards like HIPAA, FINRA, and PCI and, whenever needed, can assist you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security companies to provide centralized control and world-class protection for your email traffic. The hybrid architecture of the Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of threats from reaching your network firewall. This decreases your vulnerability to external attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper level of analysis for incoming email. For outgoing email, the onsite gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server to monitor and safeguard internal email that stays within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, track, enhance and debug their networking appliances like routers and switches, firewalls, and load balancers as well as servers, endpoints and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that network diagrams are kept current, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating time-consuming management activities, ProSight WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or resolving performance problems. Find out more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to help keep your network operating at peak levels by checking the state of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT staff and your assigned Progent consultant so that all looming problems can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved easily to an alternate hardware solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect information related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can eliminate as much as half of the time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require when you need it. Find out more about Progent's ProSight IT Asset Management service.