Ransomware: Your Feared IT Catastrophe
Ransomware has become an all-too-frequent cyberplague that presents an extinction-level threat for businesses vulnerable to an attack. Families like CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been circulating for years and still inflict havoc (Bad Rabbit and NotPetya spread as self-propagating cryptoworms; the others relied on phishing, exploit kits or exposed services). More recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi (REvil), NetWalker, LockBit and Nefilim, plus additional as yet unnamed variants, not only encrypt on-line files but also delete Volume Shadow Copies and System Restore points and encrypt any backups reachable over the network. Data replicated to cloud storage can be encrypted as well, because the sync client faithfully uploads the encrypted copies. In a vulnerable environment this makes automatic recovery hopeless and essentially sets the network back to zero.
Getting applications and data back on-line after a ransomware attack becomes a race against time as the victim struggles to contain and eradicate the crypto-ransomware and to resume mission-critical operations. Because encrypting an entire network takes time, attacks are usually launched during nights and weekends, when a successful intrusion takes longer to discover and the encryption can run unattended. This compounds the difficulty of rapidly mobilizing and organizing an experienced mitigation team.
Progent makes available a variety of services for protecting organizations from crypto-ransomware events. Among these are staff education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for behavior-based endpoint monitoring and response, and deployment of modern security solutions with machine learning capabilities to detect and suppress zero-day threats. Progent can also provide veteran ransomware recovery engineers with the skills and commitment to restore a breached environment as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom in Bitcoin provides no assurance that the criminals will hand over working keys to decrypt all your data. Kaspersky estimated that 17% of ransomware victims who paid never recovered their files, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far higher than the typical ransomware demand, which ZDNet put at approximately $13,000. The other path is to rebuild the vital components of your IT environment. Without full, uninfected backups, this calls for a broad range of skills, strong team management, and the ability to work non-stop until the job is finished.
For two decades, Progent has provided certified expert IT services for companies in Montgomery and across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals with advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (refer to Progent's certifications). Progent also has expertise with financial systems and ERP software. This breadth of expertise gives Progent the ability to knowledgeably determine what has to be rebuilt, reorganize the surviving parts of your network after a ransomware attack, and assemble them into a functioning system.
Progent's ransomware group deploys state-of-the-art project management applications to coordinate the complex restoration process. Progent knows the urgency of working swiftly and together with a client's management and Information Technology staff to assign priority to tasks and to put essential services back on line as fast as humanly possible.
Case Study: A Successful Ransomware Intrusion Recovery
A client contacted Progent after their company was hit by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the earlier Hermes ransomware, but it is now generally attributed to Russian-speaking criminal groups that deliver it through prior TrickBot or Emotet infections. Ryuk targets specific organizations with little or no ability to sustain disruption and is one of the most lucrative ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in the Chicago metro area with around 500 workers. The Ryuk event had disabled all company operations and manufacturing processes. Most of the client's backups had been on-line at the start of the attack and were encrypted along with everything else. The client considered paying the ransom demand (exceeding $200,000) and hoping for the best, but in the end engaged Progent.
"I can't say enough in regards to the help Progent provided us throughout the most critical period of (our) company's survival. We may have had to pay the cybercriminals except for the confidence the Progent team provided us. That you were able to get our e-mail system and essential applications back into operation in less than a week was beyond my wildest dreams. Every single expert I spoke to or communicated with at Progent was hell bent on getting us restored and was working day and night on our behalf."
Progent worked hand in hand with the client to rapidly assess and prioritize the key services that had to be restored to make it possible to restart company operations:
To begin, Progent followed incident response best practices: isolating affected systems to halt the spread, then removing the malware. Progent then started bringing Microsoft Active Directory back online, the foundation of enterprise environments built on Windows Server. Exchange will not operate without Active Directory, and the business's financials and MRP system ran on SQL Server, which relied on Active Directory for authentication to the data.
- Windows Active Directory
Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then helped rebuild and recover storage for key applications. All Exchange Server schema extensions and attributes were intact, which accelerated the restoration of Exchange. Progent was able to locate intact OST files (Outlook Offline Data Files, the local cache of each user's mailbox) on various desktops and laptops and used them to recover mail data up to each machine's last synchronization. A recent off-line backup of the client's financials/MRP software made it possible to bring these essential applications back online. Although major work remained to recover completely from the Ryuk event, the most important services were restored quickly:
"For the most part, the assembly line operation never missed a beat and we delivered all customer shipments."
Throughout the next few weeks key milestones in the recovery process were completed through close collaboration between Progent consultants and the client:
- In-house web applications were returned to operation without losing any data.
- The MailStore Server containing more than 4 million historical emails was restored to operations and available for users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables/Inventory capabilities were 100 percent restored.
- A new Palo Alto Networks PA-850 firewall was brought on-line.
- 90% of the user desktops and notebooks were functioning as before the incident.
"A lot of what was accomplished during the initial response is nearly entirely a haze for me, but we will not soon forget the care each and every one of your team put in to give us our business back. I've trusted Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered. This situation was the most impressive ever."
A probable business-extinction disaster was avoided with results-oriented professionals, a broad spectrum of technical expertise, and tight teamwork. In hindsight, the ransomware incident detailed here could have been blocked with modern security systems, staff education, sound data-protection procedures (in particular off-line or otherwise isolated backups) and disciplined patching, but the fact remains that criminal and state-sponsored groups from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware intrusion, remember that Progent's roster of experts has a proven track record in ransomware blocking, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thanks very much for making it so I could get some sleep after we got past the initial fire. All of you did an impressive job, and if anyone that helped is visiting the Chicago area, dinner is on me!"
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Montgomery a portfolio of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services include next-generation machine learning technology to uncover new strains of ransomware that can escape detection by traditional signature-based anti-virus products.
For 24/7 Montgomery CryptoLocker Removal Support Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that uses behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to manage the complete attack progression including blocking, identification, mitigation, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Note that most ransomware, Ryuk included, deletes Volume Shadow Copies before it starts encrypting, so VSS-based rollback only works when the endpoint agent intercepts the attack before that step; it complements but does not replace off-line backups. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
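The rollback feature above, and the remark earlier on this page that current ransomware wipes system restores and backups, both hinge on the same step: the malware deleting Volume Shadow Copies and disabling recovery before it encrypts. The following Python is an added example, not Progent's or ProSight ASM's code, of the detection logic an endpoint agent or SIEM rule would run over process-creation events to catch that step. Ryuk, for instance, is documented running vssadmin delete shadows and vssadmin resize shadowstorage before encryption begins. The JSON event format, host names, user names and every sample event are constructed for this example.

```python
"""Detect shadow-copy and recovery-setting tampering in process-creation logs.

Added example, not Progent's or ProSight ASM's code. Ransomware such as
Ryuk and Sodinokibi runs vssadmin/wmic/wbadmin/bcdedit before encrypting so
that Volume Shadow Copies and System Restore have nothing left to roll back
to. Spotting those commands is one of the last cheap detection points before
encryption starts. The event format and all sample events below are
constructed for this example.
"""
import json
import re
from dataclasses import dataclass

# Rule name -> regex over the full command line. Case-insensitive because
# attackers vary casing ("Delete Shadows" versus "delete shadows").
RULES = [
    ("vss_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_recovery_off",
     re.compile(r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("ps_shadowcopy_delete", re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
]


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    cmdline: str


def parse_event(line):
    """Parse one JSON-lines process-creation record into a dict."""
    return json.loads(line)


def scan(lines):
    """Return one Alert per event whose CommandLine matches a rule."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(name, event.get("Host", "?"),
                                    event.get("User", "?"), cmd))
                break  # one alert per event is enough
    return alerts


def staging_hosts(alerts, threshold=2):
    """Hosts that tripped at least `threshold` distinct rules.

    A single vssadmin call can be an admin's housekeeping; several different
    tampering commands on one host in one log window is the pattern that
    precedes mass encryption and is what should page someone at 2 a.m.
    """
    rules_by_host = {}
    for alert in alerts:
        rules_by_host.setdefault(alert.host, set()).add(alert.rule)
    return sorted(host for host, rules in rules_by_host.items()
                  if len(rules) >= threshold)


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = r"""
{"Host": "FS01", "User": "CORP\\svc_backup", "CommandLine": "vssadmin.exe list shadows"}
{"Host": "WS042", "User": "CORP\\jdoe", "CommandLine": "cmd.exe /c vssadmin.exe Delete Shadows /all /quiet"}
{"Host": "WS042", "User": "CORP\\jdoe", "CommandLine": "cmd.exe /c vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"}
{"Host": "WS042", "User": "CORP\\jdoe", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"Host": "FS01", "User": "CORP\\svc_backup", "CommandLine": "wbadmin start backup -backupTarget:\\\\nas\\vol -include:C:"}
{"Host": "DC01", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "wmic shadowcopy delete"}
{"Host": "WS042", "User": "CORP\\jdoe", "CommandLine": "powershell -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""}
""".strip().splitlines()


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.host} {a.user}: {a.cmdline}")
    print("probable encryption staging on:", staging_hosts(found))
```

The legitimate backup job and the `vssadmin list shadows` query on FS01 produce no alerts; the four different tampering commands on WS042 mark it as the host where encryption is about to start, which is the moment an agent still has something to roll back to.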
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools packaged within one agent accessible from a unified control. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that meets your company's unique requirements and that helps you prove compliance with government and industry data security standards. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent action. Progent's consultants can also help you to install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and medium-sized organizations a low-cost, fully managed service for reliable backup and disaster recovery. Available at a fixed monthly cost, ProSight DPS automates and monitors your backup activities and enables fast restoration of critical files, applications and VMs that have become unavailable or damaged as a result of hardware failures, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, and Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises device, or mirrored to both. Because the ransomware strains described above encrypt any backup they can reach, the backup target must not be writable with ordinary domain credentials; an isolated on-premises appliance and a cloud copy with retained prior versions are what make recovery possible. Progent's backup and recovery specialists can deliver advanced support to set up ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FINRA, and PCI and, when needed, can assist you to restore your critical data. Read more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top data security vendors to deliver centralized management and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Email Guard managed service integrates cloud-based filtering with a local security gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most threats from reaching your security perimeter. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper level of analysis for inbound email. For outgoing email, the local security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, monitor, optimize and troubleshoot their connectivity hardware like routers and switches, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, copies and manages the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when issues are detected. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, finding appliances that need critical updates, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by checking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your specified IT staff and your Progent engineering consultant so that any potential issues can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported easily to a different hardware environment without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard data related to your network infrastructure, procedures, business applications, and services. You can instantly locate passwords or IP addresses and be alerted about impending expirations of SSL/TLS certificates or domains. By updating and organizing your IT infrastructure documentation, you can save up to 50% of the time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Learn more about ProSight IT Asset Management service.