Crypto-Ransomware : Your Crippling IT Catastrophe
Ransomware has become an escalating cyberplague that represents an extinction-level threat for organizations poorly prepared for an assault. Versions of crypto-ransomware such as CrySIS, WannaCry, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been running rampant for many years and still inflict harm. More recent strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, along with more unnamed newcomers, not only encrypt online data files but also infect any system backups they can reach. Files synchronized to off-site disaster recovery sites can also be encrypted. In a poorly designed environment, this can make automatic restore operations impossible and basically knocks the network back to zero.
Recovering programs and information following a crypto-ransomware outage becomes a race against the clock as the victim struggles to contain and clean up the ransomware and to resume mission-critical activity. Since crypto-ransomware needs time to spread, assaults are often sprung at night, when successful attacks in many cases take longer to uncover. This compounds the difficulty of quickly marshalling and coordinating a knowledgeable response team.
Progent makes available an assortment of services for protecting organizations from ransomware events. These include team member training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of modern security gateways with machine learning capabilities to quickly identify and suppress new cyber threats. Progent in addition can provide the assistance of experienced ransomware recovery consultants with the track record and commitment to rebuild a compromised environment as urgently as possible.
Progent's Crypto-Ransomware Restoration Services
After a crypto-ransomware event, even paying the ransom in Bitcoin cryptocurrency does not guarantee that merciless criminals will provide the keys needed to decrypt any of your data. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never restored their data after having paid the ransom, resulting in further losses. The ransom itself is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to be in the range of $13,000. The fallback is to set up the vital elements of your IT environment from scratch. Absent the availability of essential system backups, this calls for a wide complement of skill sets, well-coordinated project management, and the capability to work continuously until the job is finished.
For decades, Progent has made available certified expert Information Technology services for businesses in Florianópolis and throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP software solutions. This breadth of experience gives Progent the capability to knowledgeably identify critical systems, consolidate the surviving pieces of your Information Technology system following a ransomware event, and configure them into a functioning network.
Progent's ransomware group has top-notch project management systems to orchestrate the sophisticated restoration process. Progent understands the urgency of working swiftly and in concert with a customer's management and IT resources to assign priority to tasks and to put critical systems back on line as soon as humanly possible.
Business Case Study: A Successful Ransomware Virus Recovery
A customer sought out Progent after their network system was crashed by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean government sponsored hackers, suspected of using algorithms exposed from the United States National Security Agency. Ryuk attacks specific businesses with little or no room for operational disruption and is one of the most lucrative incarnations of ransomware viruses. Major victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer located in the Chicago metro area with about 500 staff members. The Ryuk event had disabled all business operations and manufacturing processes. The majority of the client's data backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client was taking steps to pay the ransom demand (in excess of $200K) and hoping for good luck, but in the end utilized Progent.
"I cannot thank you enough for the support Progent provided us throughout the most fearful time of (our) business's life. We most likely would have paid the cybercriminals if not for the confidence the Progent team afforded us. The fact that you were able to get our messaging and important servers back on-line in fewer than five days was amazing. Every single expert I talked with or texted at Progent was laser focused on getting my company operational and was working day and night to bail us out."
Progent worked with the customer to rapidly identify and prioritize the critical applications that had to be restored to make it possible to resume departmental functions:
To start, Progent adhered to industry best practices for malware incident response by isolating infected systems and cleaning them of viruses. Progent then initiated the process of bringing Microsoft Active Directory back online, the key technology of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not operate without Windows AD, and the client's MRP applications used SQL Server, which relies on Active Directory services to authenticate users to the database.
- Microsoft Active Directory
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then completed reinstallations and storage recovery on the most important applications. All Exchange schema and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to find local OST files (Microsoft Outlook Off-Line Folder Files) on user desktop computers to recover email information. A recent offline backup of the customer's financials/ERP software enabled them to bring these vital programs back on-line. Although significant work remained to recover totally from the Ryuk virus, the most important services were restored rapidly:
"For the most part, the production line operation never missed a beat and we did not miss any customer sales."
Throughout the following couple of weeks, key milestones in the recovery process were reached in close cooperation between Progent engineers and the client:
- Internal web applications were brought back up with no loss of data.
- The MailStore Server with over 4 million archived messages was brought on-line and accessible to users.
- CRM/Orders/Invoices/AP/AR/Inventory Control functions were completely operational.
- A new Palo Alto 850 firewall was deployed.
- Ninety percent of the user PCs were back into operation.
"A huge amount of what happened in the initial days is mostly a fog for me, but we will not soon forget the urgency each and every one of you accomplished to give us our business back. I have entrusted Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered as promised. This situation was a Herculean accomplishment."
A potential business catastrophe was dodged with results-oriented experts, a wide array of IT skills, and close teamwork. Forensics showed that the crypto-ransomware incident detailed here should have been identified and blocked with advanced security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, and well thought out security procedures for information backup and for keeping systems up to date with security patches. The fact remains, however, that state-sponsored hackers from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's team of experts has proven experience in ransomware virus blocking, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for allowing me to get rested after we got over the first week. Everyone did a fabulous job, and if any of your team is visiting the Chicago area, a great meal is my treat!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Florianópolis a variety of remote monitoring and security assessment services to assist you to minimize the threat from ransomware. These services utilize next-generation AI technology to detect new variants of crypto-ransomware that are able to evade traditional signature-based anti-virus solutions.
For Florianópolis 24x7x365 Crypto Cleanup Support Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting edge behavior analysis tools to guard physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which easily evade traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to address the entire threat progression including protection, detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and reaction to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device control, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a single console. Progent's data protection and virtualization experts can help your business to plan and configure a ProSight ESP environment that addresses your organization's specific needs and that allows you to achieve and demonstrate compliance with legal and industry information security standards. Progent will assist you in specifying and implementing the policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require urgent attention. Progent's consultants can also assist your company to install and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and medium-sized businesses a low-cost and fully managed service for secure backup/disaster recovery (BDR). For a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup activities and allows fast recovery of critical data, applications and VMs that have become unavailable or corrupted as a result of hardware failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's backup and recovery specialists can provide world-class expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FERPA, and PCI and, when necessary, can help you to recover your business-critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading information security companies to deliver web-based management and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter acts as a preliminary barricade and keeps most threats from ever reaching your network firewall. This reduces your exposure to external attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper level of analysis for incoming email. For outgoing email, the local security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent’s ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map out, monitor, enhance and troubleshoot their networking hardware like routers and switches, firewalls, and load balancers plus servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and displays the configuration information of virtually all devices on your network, tracks performance, and generates notices when problems are detected. By automating complex network management processes, WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, finding appliances that require critical updates, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent’s server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by checking the health of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT management staff and your Progent consultant so that any looming problems can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hardware environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and safeguard data about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can save as much as half of the time spent trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.