Ransomware : Your Worst IT Nightmare
Crypto-Ransomware has become an escalating cyber pandemic that represents an existential threat for businesses vulnerable to an assault. Versions of ransomware such as Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and continue to cause harm. More recent versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, along with daily unnamed newcomers, not only encrypt online data but also infect any configured system protection. Data synchronized to the cloud can also be ransomed. In a poorly designed system, this can render automatic recovery hopeless and effectively knocks the datacenter back to zero.
Recovering services and information after a ransomware event becomes a race against the clock as the targeted organization tries its best to stop lateral movement and eradicate the ransomware and to resume business-critical operations. Since ransomware requires time to spread, penetrations are usually launched on weekends and holidays, when successful penetrations in many cases take more time to uncover. This multiplies the difficulty of promptly marshalling and organizing an experienced mitigation team.
Progent offers an assortment of support services for securing enterprises from ransomware events. These include user education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security solutions with AI capabilities to rapidly discover and disable new cyber attacks. Progent also offers the assistance of veteran ransomware recovery professionals with the skills and perseverance to re-deploy a breached system as soon as possible.
Progent's Ransomware Recovery Support Services
Soon after a ransomware event, even paying the ransom demands in cryptocurrency does not provide any assurance that cyber hackers will respond with the needed codes to unencrypt any of your data. Kaspersky estimated that 17% of ransomware victims never restored their information even after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual crypto-ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to re-install the essential components of your Information Technology environment. Absent the availability of essential information backups, this requires a wide complement of skill sets, well-coordinated team management, and the capability to work 24x7 until the recovery project is done.
For twenty years, Progent has provided professional Information Technology services for businesses in Jersey City and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise with accounting and ERP software solutions. This breadth of experience provides Progent the skills to quickly identify important systems and organize the remaining components of your network system after a ransomware penetration and assemble them into a functioning system.
Progent's recovery group deploys powerful project management tools to coordinate the sophisticated recovery process. Progent understands the urgency of working swiftly and in concert with a customerís management and Information Technology staff to assign priority to tasks and to get critical applications back on-line as soon as humanly possible.
Business Case Study: A Successful Ransomware Penetration Response
A client engaged Progent after their organization was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state criminal gangs, possibly using strategies leaked from the United States National Security Agency. Ryuk attacks specific businesses with little room for operational disruption and is one of the most profitable incarnations of ransomware viruses. Headline targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. The majority of the client's backups had been on-line at the start of the attack and were encrypted. The client was taking steps for paying the ransom demand (in excess of two hundred thousand dollars) and hoping for good luck, but in the end reached out to Progent.
"I cannot say enough about the help Progent gave us during the most fearful period of (our) companyís existence. We may have had to pay the cyber criminals if it wasnít for the confidence the Progent team provided us. That you were able to get our e-mail system and essential applications back online sooner than seven days was incredible. Every single staff member I worked with or texted at Progent was amazingly focused on getting our company operational and was working all day and night to bail us out."
Progent worked hand in hand the client to rapidly understand and assign priority to the most important areas that had to be restored in order to continue departmental functions:
To begin, Progent adhered to AV/Malware Processes incident mitigation best practices by isolating and removing active viruses. Progent then initiated the process of bringing back online Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server email will not operate without Windows AD, and the client's MRP software leveraged Microsoft SQL Server, which depends on Active Directory services for authentication to the data.
- Active Directory (AD)
- Exchange Server
Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then performed reinstallations and hard drive recovery of mission critical systems. All Exchange ties and configuration information were intact, which greatly helped the restore of Exchange. Progent was also able to locate local OST data files (Outlook Email Off-Line Data Files) on user workstations and laptops to recover email information. A recent offline backup of the client's financials/ERP software made them able to restore these essential applications back on-line. Although significant work was left to recover completely from the Ryuk event, the most important systems were restored rapidly:
"For the most part, the production manufacturing operation showed little impact and we produced all customer deliverables."
During the next few weeks critical milestones in the restoration process were achieved through close cooperation between Progent consultants and the customer:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore Server exceeding four million archived messages was brought online and available for users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory Control functions were fully recovered.
- A new Palo Alto Networks 850 security appliance was brought online.
- Ninety percent of the user workstations were being used by staff.
"So much of what went on during the initial response is nearly entirely a fog for me, but we will not forget the commitment all of you put in to give us our business back. Iíve been working with Progent for at least 10 years, maybe more, and every time Progent has come through and delivered as promised. This event was no exception but maybe more Herculean."
A probable business disaster was averted due to top-tier experts, a broad array of knowledge, and close collaboration. Although in analyzing the event afterwards the ransomware attack detailed here would have been shut down with modern cyber security systems and best practices, team education, and properly executed security procedures for data protection and keeping systems up to date with security patches, the fact is that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware penetration, feel confident that Progent's team of professionals has proven experience in ransomware virus blocking, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), Iím grateful for making it so I could get rested after we got over the first week. Everyone did an amazing effort, and if anyone that helped is in the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Jersey City a range of online monitoring and security assessment services to help you to reduce your vulnerability to ransomware. These services include modern machine learning capability to uncover zero-day variants of ransomware that are able to evade legacy signature-based anti-virus solutions.
For Jersey City 24x7x365 Ransomware Remediation Help, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting edge behavior machine learning technology to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely get by legacy signature-based anti-virus products. ProSight ASM safeguards local and cloud resources and offers a single platform to address the entire malware attack progression including protection, infiltration detection, containment, remediation, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, device control, and web filtering through cutting-edge tools incorporated within one agent managed from a unified control. Progent's data protection and virtualization consultants can help you to design and implement a ProSight ESP deployment that addresses your organization's unique needs and that helps you prove compliance with legal and industry data protection standards. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require urgent attention. Progent's consultants can also assist you to install and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and mid-sized businesses a low cost end-to-end service for reliable backup/disaster recovery (BDR). Available at a low monthly cost, ProSight Data Protection Services automates and monitors your backup activities and enables fast recovery of critical data, apps and virtual machines that have become unavailable or damaged as a result of hardware failures, software bugs, disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's BDR consultants can provide advanced support to set up ProSight Data Protection Services to to comply with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever needed, can assist you to restore your business-critical data. Learn more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security vendors to provide web-based control and world-class security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with a local gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a first line of defense and blocks most threats from reaching your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's onsite security gateway device provides a deeper layer of inspection for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also help Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progentís ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map out, track, enhance and debug their networking hardware like routers, firewalls, and load balancers plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always updated, copies and displays the configuration information of virtually all devices on your network, monitors performance, and sends notices when issues are discovered. By automating tedious network management activities, ProSight WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, locating devices that require important updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by tracking the health of vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT management staff and your Progent engineering consultant so all potential issues can be resolved before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Because the system is virtualized, it can be ported immediately to a different hosting solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard data about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as half of time thrown away trying to find vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether youíre making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about ProSight IT Asset Management service.