Ransomware : Your Crippling IT Catastrophe
Ransomware has become a modern cyberplague that presents an existential danger for businesses of all sizes unprepared for an assault. Different iterations of ransomware such as CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been replicating for years and still cause harm. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, along with frequent as yet unnamed viruses, not only do encryption of on-line information but also infiltrate most accessible system backup. Data synched to cloud environments can also be rendered useless. In a poorly architected system, it can make automated restoration hopeless and effectively knocks the datacenter back to zero.
Retrieving programs and information after a ransomware attack becomes a sprint against the clock as the victim tries its best to contain and remove the virus and to resume enterprise-critical operations. Due to the fact that ransomware requires time to move laterally, penetrations are frequently sprung on weekends, when successful penetrations tend to take more time to recognize. This compounds the difficulty of rapidly mobilizing and coordinating a capable response team.
Progent provides an assortment of solutions for protecting organizations from ransomware penetrations. These include team member education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of the latest generation security gateways with machine learning technology to automatically discover and quarantine new cyber attacks. Progent also offers the assistance of veteran ransomware recovery consultants with the talent and commitment to re-deploy a compromised network as rapidly as possible.
Progent's Ransomware Restoration Help
Soon after a ransomware attack, sending the ransom demands in cryptocurrency does not guarantee that distant criminals will respond with the needed codes to unencrypt all your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET averages to be in the range of $13,000. The alternative is to setup from scratch the essential components of your IT environment. Without the availability of essential information backups, this requires a broad range of IT skills, well-coordinated team management, and the capability to work 24x7 until the recovery project is complete.
For twenty years, Progent has provided certified expert IT services for businesses in São Paulo and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have garnered internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in accounting and ERP application software. This breadth of experience affords Progent the skills to efficiently ascertain important systems and integrate the remaining parts of your IT system following a ransomware attack and configure them into a functioning system.
Progent's recovery group uses top notch project management applications to orchestrate the complicated recovery process. Progent appreciates the urgency of working swiftly and in unison with a client's management and Information Technology resources to prioritize tasks and to get critical services back on line as soon as humanly possible.
Client Story: A Successful Ransomware Intrusion Restoration
A business sought out Progent after their company was brought down by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state cybercriminals, possibly using techniques exposed from the United States National Security Agency. Ryuk targets specific companies with little or no tolerance for disruption and is one of the most lucrative instances of ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk penetration had disabled all essential operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the start of the attack and were encrypted. The client was pursuing financing for paying the ransom (more than $200K) and hoping for the best, but ultimately engaged Progent.
"I cannot thank you enough in regards to the expertise Progent provided us during the most stressful period of (our) businesses existence. We most likely would have paid the cybercriminals if not for the confidence the Progent group provided us. The fact that you could get our e-mail and key servers back online sooner than a week was something I thought impossible. Every single expert I got help from or communicated with at Progent was absolutely committed on getting us restored and was working breakneck pace to bail us out."
Progent worked together with the customer to rapidly get our arms around and prioritize the key applications that had to be addressed to make it possible to restart departmental operations:
To start, Progent adhered to Anti-virus penetration response industry best practices by halting lateral movement and performing virus removal steps. Progent then initiated the steps of rebuilding Active Directory, the core of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange email will not operate without Active Directory, and the customer’s financials and MRP applications used SQL Server, which requires Active Directory services for security authorization to the information.
- Windows Active Directory
- Exchange Server
Within 2 days, Progent was able to re-build Active Directory to its pre-penetration state. Progent then helped perform reinstallations and storage recovery of mission critical servers. All Exchange Server ties and attributes were intact, which accelerated the restore of Exchange. Progent was able to assemble intact OST files (Outlook Offline Folder Files) on user desktop computers and laptops in order to recover email information. A not too old offline backup of the client's accounting/MRP software made them able to restore these essential services back online for users. Although a lot of work needed to be completed to recover fully from the Ryuk virus, the most important services were restored rapidly:
"For the most part, the production manufacturing operation survived unscathed and we did not miss any customer shipments."
During the next couple of weeks critical milestones in the recovery project were completed through tight cooperation between Progent engineers and the customer:
- Internal web applications were restored with no loss of data.
- The MailStore Server with over four million archived messages was spun up and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory functions were completely recovered.
- A new Palo Alto Networks 850 firewall was installed.
- Ninety percent of the user PCs were being used by staff.
"Much of what occurred in the initial days is mostly a blur for me, but my management will not soon forget the commitment all of the team put in to give us our business back. I’ve entrusted Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered as promised. This event was a testament to your capabilities."
A possible business extinction catastrophe was avoided with results-oriented experts, a wide spectrum of IT skills, and close collaboration. Although upon completion of forensics the crypto-ransomware incident detailed here would have been prevented with up-to-date cyber security technology and best practices, user and IT administrator education, and well designed incident response procedures for information protection and applying software patches, the fact remains that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware incursion, remember that Progent's roster of professionals has substantial experience in crypto-ransomware virus defense, removal, and data disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get rested after we got over the initial fire. All of you did an fabulous effort, and if anyone that helped is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in São Paulo a portfolio of remote monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services include next-generation artificial intelligence technology to detect zero-day strains of crypto-ransomware that can evade legacy signature-based anti-virus products.
For 24-Hour São Paulo Ransomware Removal Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates next generation behavior analysis tools to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which easily get by traditional signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to automate the complete threat lifecycle including blocking, detection, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection services offer affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device management, and web filtering through leading-edge tools packaged within a single agent accessible from a single control. Progent's security and virtualization consultants can help your business to design and configure a ProSight ESP deployment that meets your company's specific needs and that allows you demonstrate compliance with legal and industry information protection standards. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also help you to install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized businesses a low cost end-to-end service for reliable backup/disaster recovery (BDR). Available at a low monthly cost, ProSight DPS automates and monitors your backup processes and allows fast recovery of critical files, apps and virtual machines that have become unavailable or corrupted due to component failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to an on-promises storage device, or mirrored to both. Progent's backup and recovery specialists can provide advanced support to set up ProSight DPS to to comply with regulatory standards such as HIPAA, FIRPA, and PCI and, whenever necessary, can help you to restore your business-critical information. Learn more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security companies to provide centralized management and comprehensive protection for all your inbound and outbound email. The powerful architecture of Email Guard managed service integrates cloud-based filtering with a local security gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper layer of inspection for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent’s ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map out, track, enhance and troubleshoot their connectivity hardware such as routers and switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are kept current, captures and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating time-consuming management activities, WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, locating devices that require important updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent’s server and desktop remote monitoring managed service that uses advanced remote monitoring and management techniques to help keep your network running efficiently by tracking the health of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your specified IT personnel and your Progent engineering consultant so all looming issues can be resolved before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Because the environment is virtualized, it can be moved easily to a different hosting solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and safeguard data about your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates ,domains or warranties. By updating and organizing your network documentation, you can eliminate as much as half of time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you’re planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require when you need it. Read more about ProSight IT Asset Management service.