Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that represents an enterprise-level threat for organizations poorly prepared for an attack. Multiple generations of crypto-ransomware like the Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been replicating for a long time and continue to cause damage. The latest versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus additional as yet unnamed malware, not only encrypt on-line files but also infiltrate most accessible system backup. Information synched to off-site disaster recovery sites can also be rendered useless. In a poorly designed system, this can make any recovery hopeless and effectively sets the entire system back to square one.
Recovering applications and information following a ransomware attack becomes a sprint against the clock as the targeted organization tries its best to stop the spread and clear the ransomware and to restore business-critical activity. Since crypto-ransomware needs time to move laterally, assaults are often sprung on weekends and holidays, when penetrations are likely to take more time to recognize. This multiplies the difficulty of promptly marshalling and coordinating a capable mitigation team.
Progent makes available a range of services for protecting organizations from ransomware attacks. These include team member training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security gateways with AI technology to automatically identify and suppress day-zero threats. Progent also offers the services of seasoned crypto-ransomware recovery consultants with the talent and perseverance to restore a breached environment as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that cyber hackers will respond with the keys to decipher all your data. Kaspersky estimated that 17% of ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET averages to be approximately $13,000. The alternative is to re-install the mission-critical parts of your IT environment. Absent the availability of complete information backups, this calls for a broad range of skills, well-coordinated team management, and the ability to work 24x7 until the recovery project is done.
For twenty years, Progent has provided certified expert Information Technology services for businesses in Toledo and across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally-recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of experience gives Progent the capability to quickly determine necessary systems and organize the surviving components of your network environment after a ransomware penetration and rebuild them into an operational network.
Progent's recovery team of experts deploys powerful project management systems to coordinate the complex restoration process. Progent appreciates the importance of working quickly and in concert with a customerís management and IT staff to assign priority to tasks and to put critical applications back on line as soon as possible.
Customer Case Study: A Successful Ransomware Penetration Response
A customer engaged Progent after their network system was brought down by the Ryuk ransomware. Ryuk is believed to have been created by Northern Korean government sponsored criminal gangs, suspected of adopting strategies leaked from the U.S. NSA organization. Ryuk goes after specific companies with little room for disruption and is one of the most profitable iterations of ransomware. High publicized targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area and has around 500 staff members. The Ryuk penetration had paralyzed all essential operations and manufacturing capabilities. Most of the client's information backups had been online at the start of the intrusion and were eventually encrypted. The client was pursuing financing for paying the ransom (in excess of two hundred thousand dollars) and wishfully thinking for the best, but ultimately reached out to Progent.
"I canít thank you enough in regards to the support Progent provided us during the most stressful period of (our) companyís life. We may have had to pay the criminal gangs except for the confidence the Progent team afforded us. That you were able to get our messaging and critical servers back into operation in less than 1 week was amazing. Every single expert I talked with or communicated with at Progent was urgently focused on getting my company operational and was working breakneck pace to bail us out."
Progent worked with the customer to quickly get our arms around and assign priority to the key applications that had to be recovered to make it possible to continue departmental functions:
To get going, Progent adhered to Anti-virus penetration mitigation industry best practices by stopping lateral movement and clearing infected systems. Progent then started the steps of restoring Microsoft AD, the foundation of enterprise environments built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the businessesí MRP applications leveraged SQL Server, which needs Active Directory for access to the data.
- Active Directory (AD)
- Electronic Messaging
- Accounting and Manufacturing Software
In less than 2 days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then helped perform setup and hard drive recovery on the most important applications. All Microsoft Exchange Server ties and attributes were usable, which facilitated the restore of Exchange. Progent was able to locate non-encrypted OST files (Outlook Email Off-Line Folder Files) on user workstations in order to recover mail messages. A not too old offline backup of the client's manufacturing software made it possible to restore these vital services back available to users. Although major work remained to recover completely from the Ryuk damage, the most important systems were restored quickly:
"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer sales."
Throughout the following couple of weeks critical milestones in the restoration process were made through tight collaboration between Progent engineers and the client:
- Self-hosted web sites were restored with no loss of information.
- The MailStore Exchange Server exceeding four million archived emails was spun up and available for users.
- CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control capabilities were fully recovered.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Nearly all of the user desktops and notebooks were fully operational.
"A lot of what was accomplished that first week is nearly entirely a fog for me, but our team will not forget the care all of your team accomplished to help get our business back. I have entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered. This event was a testament to your capabilities."
A probable enterprise-killing disaster was evaded by top-tier professionals, a broad spectrum of knowledge, and tight teamwork. Although in analyzing the event afterwards the ransomware virus attack described here could have been identified and stopped with current security technology and recognized best practices, team training, and well thought out incident response procedures for information backup and applying software patches, the fact is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware attack, remember that Progent's roster of professionals has a proven track record in ransomware virus defense, remediation, and data disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for letting me get some sleep after we made it over the initial fire. All of you did an amazing effort, and if any of your team is in the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Toledo a range of online monitoring and security evaluation services designed to assist you to minimize your vulnerability to crypto-ransomware. These services include next-generation artificial intelligence technology to uncover new strains of ransomware that can evade traditional signature-based anti-virus solutions.
For Toledo 24x7 Ransomware Cleanup Experts, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior-based analysis tools to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely escape traditional signature-matching anti-virus products. ProSight ASM protects local and cloud resources and provides a single platform to automate the entire threat progression including filtering, identification, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP provides firewall protection, penetration alarms, endpoint control, and web filtering through cutting-edge technologies incorporated within a single agent accessible from a unified console. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that addresses your organization's specific needs and that helps you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent can also help you to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable and fully managed solution for reliable backup/disaster recovery. For a fixed monthly cost, ProSight Data Protection Services automates your backup processes and allows fast recovery of critical data, apps and VMs that have become unavailable or damaged due to component breakdowns, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery specialists can provide world-class support to set up ProSight DPS to to comply with government and industry regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can help you to recover your critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security companies to deliver web-based management and world-class security for all your email traffic. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This reduces your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper level of analysis for inbound email. For outgoing email, the local security gateway provides AV and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to diagram, track, optimize and debug their networking appliances like routers and switches, firewalls, and load balancers plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating complex management processes, ProSight WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, locating devices that need critical updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running efficiently by tracking the state of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT personnel and your assigned Progent consultant so any looming problems can be resolved before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not tied a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect information about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and managing your network documentation, you can save up to 50% of time thrown away looking for critical information about your network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents required for managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether youíre planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require when you need it. Read more about Progent's ProSight IT Asset Management service.