Crypto-Ransomware : Your Worst Information Technology Nightmare
Ransomware has become an escalating cyber pandemic that poses an extinction-level danger for organizations poorly prepared for an assault. Earlier versions of ransomware such as the Dharma, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been replicating for years and continue to cause destruction. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Nephilim, as well as daily as-yet-unnamed malware, not only encrypt online data files but also attack most reachable system protection mechanisms. Files synced to cloud environments can also be encrypted. In a poorly designed system, this can make automatic restoration hopeless and effectively knocks the entire system back to zero.
Getting online services and data back following a crypto-ransomware outage becomes a sprint against time as the targeted organization struggles to contain and remove the crypto-ransomware and to restore mission-critical operations. Since crypto-ransomware needs time to replicate, attacks are usually sprung on weekends, when a successful attack may take longer to discover. This multiplies the difficulty of quickly assembling and orchestrating a qualified response team.
Progent has a range of support services for protecting businesses from ransomware attacks. Among these are team training to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security solutions with machine learning capabilities to quickly discover and extinguish zero-day threats. Progent also provides the services of veteran ransomware recovery consultants with the skills and perseverance to re-deploy a compromised network as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
Following a ransomware attack, even paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the criminal gang will provide the keys to decrypt any or all of your information. Kaspersky found that 17% of crypto-ransomware victims never recovered their information after having paid the ransom, compounding their losses. Paying is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET determined to be around $13,000. The other path is to re-install the mission-critical elements of your IT environment. Without access to essential data backups, this calls for a wide complement of IT skills, professional project management, and the capability to work 24x7 until the task is over.
For decades, Progent has made available certified expert IT services for businesses in Lubbock and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have been awarded high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in financial systems and ERP software solutions. This breadth of experience affords Progent the capability to rapidly determine critical systems and organize the surviving pieces of your Information Technology system following a ransomware attack and configure them into a functioning system.
Progent's recovery group deploys state-of-the-art project management applications to orchestrate the complex restoration process. Progent appreciates the importance of acting quickly and together with a client's management and IT resources to assign priority to tasks and to put critical applications back online as soon as humanly possible.
Case Study: A Successful Crypto-Ransomware Penetration Recovery
A small business sought out Progent after their organization was taken over by the Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean state cybercriminals, possibly adopting technology leaked from America's NSA. Ryuk targets specific companies with little or no tolerance for disruption and is one of the most profitable iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business located in Chicago with around 500 workers. The Ryuk attack had shut down all essential operations and manufacturing processes. Most of the client's system backups had been online at the start of the attack and were destroyed. The client was evaluating paying the ransom demand (exceeding $200K) and praying for the best, but in the end engaged Progent.
"I can't tell you enough about the help Progent gave us throughout the most fearful period of (our) business's survival. We had little choice but to pay the Hackers if not for the confidence the Progent team provided us. That you were able to get our messaging and essential applications back quicker than 1 week was beyond my wildest dreams. Each expert I worked with or texted at Progent was urgently focused on getting our system up and was working day and night on our behalf."
Progent worked hand in hand with the customer to rapidly assess and prioritize the most important applications that needed to be restored in order to resume departmental functions:
- Microsoft Active Directory
- Microsoft Exchange Server
- MRP System
To begin, Progent adhered to anti-virus incident mitigation best practices by halting the spread and cleaning up compromised systems. Progent then started the process of restoring Active Directory, the core of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without Active Directory, and the client's MRP system used SQL Server, which needs Active Directory for access to the data.
In less than 48 hours, Progent was able to rebuild Active Directory to its pre-infection state. Progent then initiated the rebuild and storage recovery of key systems. All Microsoft Exchange Server ties and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to collect local OST files (Outlook Offline Data Files) from user workstations and laptops to recover mail messages. A relatively recent offline backup of the customer's financials/ERP systems made it possible to bring these essential applications back online for users. Although a large amount of work still had to be done to recover fully from the Ryuk attack, core services were restored rapidly:
"For the most part, the manufacturing operation ran fairly normal throughout and we produced all customer deliverables."
Over the next month, important milestones in the recovery process were reached through close cooperation between Progent team members and the client:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore Microsoft Exchange Server archive with over 4 million historical emails was restored to operation and made available to users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were 100% restored.
- A new Palo Alto 850 firewall was installed.
- Ninety percent of the desktops and laptops were operational.
"Much of what occurred in the initial days is nearly entirely a haze for me, but my management will not soon forget the commitment each and every one of your team put in to help get our business back. I have been working with Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered. This situation was a stunning achievement."
A probable company-ending catastrophe was averted thanks to top-tier experts, a broad array of knowledge, and close teamwork. Post-incident forensics showed that the ransomware attack detailed here could have been identified and blocked with current cyber security systems and recognized best practices, team education, and well thought out incident response procedures for backups and applying software patches. Nevertheless, the reality remains that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, remember that Progent's team of experts has proven experience in crypto-ransomware defense, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for letting me get rested after we made it through the initial fire. Everyone did a fabulous effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Lubbock a range of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to crypto-ransomware. These services incorporate next-generation machine learning technology to uncover new strains of crypto-ransomware that are able to evade legacy signature-based security products.
For 24x7x365 Lubbock Crypto Cleanup Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that utilizes cutting edge behavior analysis tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which easily evade traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to automate the complete threat lifecycle including protection, detection, mitigation, remediation, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to cyber threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP environment that meets your company's specific requirements and that allows you to demonstrate compliance with government and industry information security regulations. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent's consultants can also help your company set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and medium-sized organizations an affordable and fully managed service for reliable backup and disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates and monitors your backup processes and enables rapid restoration of critical files, apps and VMs that have become unavailable or damaged due to component failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's cloud backup consultants can deliver advanced support to set up ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to restore your business-critical information. Learn more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading information security companies to provide centralized management and world-class protection for your inbound and outbound email. The powerful architecture of Email Guard combines cloud-based filtering with an on-premises gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper layer of analysis for incoming email. For outgoing email, the on-premises gateway offers AV and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to diagram, monitor, enhance and debug their connectivity appliances such as switches, firewalls, and wireless controllers plus servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are kept updated, copies and manages the configuration information of virtually all devices on your network, monitors performance, and generates alerts when problems are discovered. By automating tedious network management activities, ProSight WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, locating appliances that require critical updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the health of vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT management staff and your Progent consultant so any potential problems can be resolved before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be moved easily to an alternate hosting solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard information related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By updating and managing your IT documentation, you can eliminate up to 50% of the time thrown away searching for vital information about your IT network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Learn more about ProSight IT Asset Management service.