Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that poses an existential threat to businesses of any size. Several generations of ransomware, including Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock, have circulated for years and continue to cause damage. Current families such as Ryuk and its predecessor Hermes, along with many less well-known variants, not only encrypt online files but also delete or encrypt every shadow copy, restore point and backup they can reach. Files synced to cloud storage can be rendered useless as well. In a poorly designed data protection solution this defeats automated restoration and effectively sets the datacenter back to square one.
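The backup-destruction step described above leaves a distinctive trail in process-creation logs: before encrypting, families such as Ryuk run commands like vssadmin delete shadows, vssadmin resize shadowstorage, wmic shadowcopy delete, bcdedit ... recoveryenabled no and wbadmin delete catalog. The Python below is an added example, not code from Progent's page or any Progent product, showing how to flag those commands and group them per host. The event lines and the host|parent|image|commandline field layout are constructed for the example; in production the same rules would be applied to Sysmon Event ID 1 or Windows Security Event 4688 command lines.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events for this example.
# Field layout (assumed): host|parent image|image|command line
SAMPLE_EVENTS = [
    "FILESRV01|cmd.exe|vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "FILESRV01|cmd.exe|vssadmin.exe|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "WKS-0042|explorer.exe|vssadmin.exe|vssadmin.exe list shadows",
    "FILESRV01|cmd.exe|WMIC.exe|wmic shadowcopy delete",
    "FILESRV01|cmd.exe|bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "FILESRV01|cmd.exe|wbadmin.exe|wbadmin delete catalog -quiet",
    "BACKUP01|services.exe|wbadmin.exe|wbadmin start backup -backupTarget:E: -include:C:",
    "FILESRV01|cmd.exe|cmd.exe|cmd.exe /c del /s /f /q D:\\Backups\\*.bak",
]

# Detection rules: name -> regex over the command line (case-insensitive).
# Benign uses such as "vssadmin list shadows" or "wbadmin start backup"
# deliberately do not match.
RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadow_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)),
    ("wbadmin_delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("backup_file_wipe", re.compile(r"\bdel\b.*\.(bak|vhdx?|bkf)\b", re.I)),
]


def parse_event(line):
    """Split one constructed event line into its four fields.

    maxsplit=3 keeps any '|' inside the command line intact.
    """
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}


def detect(events):
    """Return one hit per (event, matching rule) pair."""
    hits = []
    for line in events:
        ev = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "rule": name,
                             "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return hits


def flag_hosts(hits, min_rules=2):
    """Hosts on which at least min_rules distinct backup-destruction rules fired.

    A single vssadmin invocation may be an administrator; several different
    destruction commands on one host is the pre-encryption pattern.
    """
    rules_by_host = defaultdict(set)
    for h in hits:
        rules_by_host[h["host"]].add(h["rule"])
    return {host for host, rules in rules_by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['host']:10} {h['rule']:26} {h['cmdline']}")
    print("hosts showing a backup-destruction sequence:", flag_hosts(found))
```

Run against the sample, six of the eight lines fire and all of them come from FILESRV01, which is the only host flagged; the workstation listing shadows and the backup server starting a backup are left alone. A detection like this is only useful if it pages someone: the whole point of L2's failure mode is that the destruction runs minutes before the encryption does.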
Recovering applications and data after a ransomware attack becomes a race against time as the victim tries to stop the spread, remove the ransomware and restore business-critical activity. Because ransomware takes time to spread, attacks are often launched on weekends and holidays, when a successful penetration typically takes longer to detect. This compounds the difficulty of quickly mobilizing and coordinating a capable response team.
Progent offers a variety of services for protecting enterprises from ransomware attacks. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection and remote management, and the setup and configuration of modern security appliances that use artificial intelligence to detect and suppress new threats automatically. Progent also provides experienced ransomware recovery consultants with the track record and perseverance to bring a breached system back online as urgently as possible.
Progent's Ransomware Restoration Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the attackers will provide working decryption keys for any of your files. Kaspersky Lab found that seventeen percent of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the essential parts of your IT environment. Without complete backups, this calls for a broad range of IT skills, well-coordinated project management, and the willingness to work around the clock until the job is done.
For twenty years, Progent has provided expert IT services to businesses in San Antonio and across the US and holds Microsoft Gold Partner competencies in Datacenter and Cloud Productivity. Progent's team of subject matter experts includes consultants with advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of expertise enables Progent to knowledgeably identify critical systems, consolidate the surviving pieces of your network after a ransomware attack, and reassemble them into a functioning system.
Progent's ransomware recovery team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and get critical applications back online as soon as possible.
Customer Story: A Successful Ransomware Attack Recovery
A customer escalated to Progent after the Ryuk ransomware brought down their network. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets organizations with little tolerance for disruption and is one of the most profitable ransomware operations. Notable victims include Data Resolution, a California-based data warehousing and cloud hosting company, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with about 500 employees. The Ryuk intrusion had halted all company operations and manufacturing processes. Most of the client's backups were online and reachable when the intrusion began, and were encrypted along with production data. The client was arranging financing to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I can't tell you enough about the care Progent provided us throughout the most stressful time of (our) company's existence. We most likely would have paid the criminal gangs if not for the confidence the Progent experts provided us. That you were able to get our e-mail system and important servers back into operation quicker than 1 week was beyond my wildest dreams. Every single person I talked with or communicated with at Progent was absolutely committed on getting my company operational and was working non-stop to bail us out."
Progent worked with the client to quickly identify and prioritize the applications that had to be restored first so that company operations could continue:
- Active Directory
- Exchange Server
To begin, Progent followed incident response best practice by halting lateral movement and cleaning infected systems. Progent then set about restoring Active Directory, the foundation of networks built on Microsoft Windows. Exchange will not function without AD, and the business's accounting and MRP applications ran on Microsoft SQL Server, which relied on Active Directory for authentication to the data.
Within two days, Progent had restored Active Directory to its pre-intrusion state. Progent then reinstalled and recovered the disks of essential servers. All Exchange Server data and attributes were intact, which greatly simplified the Exchange rebuild. Progent was also able to collect intact OST files (Outlook offline folder files) from staff PCs to recover mail data. A recent offline backup of the customer's financial/ERP systems made it possible to bring those essential applications back into service. Although major work remained to recover completely from Ryuk, core services were restored quickly:
"For the most part, the manufacturing operation did not miss a beat and we made all customer sales."
Over the following weeks, key milestones in the restoration project were reached through close collaboration between Progent engineers and the customer:
- In-house web applications were restored with no loss of data.
- The MailStore email archive server for Exchange, holding over four million archived messages, was brought online and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were 100% operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- Nearly all of the desktop computers were fully operational.
"A lot of what went on those first few days is mostly a fog for me, but I will not soon forget the urgency each and every one of your team accomplished to help get our company back. I have utilized Progent for at least 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This time was a life saver."
A likely business disaster was avoided through results-oriented professionals, a wide range of subject matter expertise, and close collaboration. In hindsight, the incident described here could have been blocked with modern security technology and best practices, user and IT administrator training, well-designed incident response procedures, protected backups and proper patch management, but the fact remains that state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by ransomware, remember that Progent's team has substantial experience in ransomware blocking, removal, and disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were contributing), I'm grateful for letting me get rested after we made it past the initial push. Everyone did an impressive job, and if any of your team is visiting the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in San Antonio a range of remote monitoring and security assessment services to help you reduce your exposure to ransomware. These services use artificial intelligence to detect new ransomware variants that evade legacy signature-based anti-virus products.
For San Antonio 24x7 CryptoLocker Remediation Support Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that uses behavior-based machine learning to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely evade legacy signature-based anti-virus products. ProSight ASM protects on-premises and cloud resources and offers a single platform that addresses the complete malware attack lifecycle: prevention, detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable, in-depth security for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and respond to threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies combined in a single agent managed from a single console. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP deployment that meets your specific requirements and helps you demonstrate compliance with legal and industry data security standards. Progent will help you define and configure the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent's consultants can also help you install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a destructive attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent provide small and medium-sized organizations a low-cost, fully managed service for reliable backup and disaster recovery (BDR). For a fixed monthly fee, ProSight DPS automates and monitors your backups and enables rapid recovery of vital data, applications and VMs that have been lost or damaged through hardware failure, software faults, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can back up, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, to an on-premises storage device, or to both. Progent's cloud backup specialists can provide advanced expertise to configure ProSight Data Protection Services to comply with government and industry regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can help you recover your business-critical data. Learn more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that builds on the infrastructure of leading information security companies to provide web-based management and world-class security for all your email traffic. Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to provide layered defense against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter acts as the first line of defense and blocks most unwanted email before it reaches your network firewall, which reduces your exposure to external attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of inspection for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam filtering, data leak protection, and email encryption. The on-premises gateway can also help Exchange Server track and protect internal email that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, optimize and troubleshoot their network hardware such as routers, firewalls, and wireless controllers, plus servers, printers, endpoints and other networked devices. Built on state-of-the-art RMM technology, ProSight WAN Watch keeps network maps current, captures and manages the configuration of virtually all devices on your network, tracks performance, and raises alerts when issues are detected. By automating tedious network management activities, ProSight WAN Watch can knock hours off common tasks like producing network diagrams, reconfiguring your network, finding devices that need important software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your IT systems operating at peak levels by tracking the health of the vital computers that drive your business. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT management personnel and your Progent engineering consultant so that any looming issue can be addressed before it disrupts productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be ported easily to a different hosting solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information about your IT infrastructure, procedures, business applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically to upcoming expirations of SSL certificates or domains. By maintaining and managing your IT infrastructure documentation, you can eliminate as much as half of the time spent searching for vital information about your network. ProSight IT Asset Management provides a central location for storing and sharing all documents related to managing your network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and correlating IT data. Whether you're planning improvements, performing routine maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Read more about ProSight IT Asset Management service.