Ransomware: Your Feared IT Disaster
Ransomware has become an all-too-frequent cyberplague that presents an enterprise-level threat to businesses of any size that are poorly prepared for an attack. Families such as CrySIS, WannaCry, Locky, NotPetya and MongoLock have been around for years and continue to cause havoc. More recent families such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus a daily stream of unnamed malware, not only encrypt online files but also seek out and encrypt or delete any backups reachable from the compromised network. Files synchronized to off-site disaster recovery sites can be encrypted as well. In a poorly designed system this renders automatic recovery useless and effectively knocks the datacenter back to zero.
Recovering applications and data after a ransomware attack becomes a race against time as the victim tries to contain and clean up the ransomware while resuming mission-critical operations. Because attackers need time to move laterally and stage the attack, encryption is frequently triggered at night or over a weekend, when it takes longer to notice. This multiplies the difficulty of promptly mobilizing and organizing an experienced mitigation team.
Progent offers an assortment of services for protecting businesses from ransomware attacks. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security appliances with machine-learning technology to rapidly detect and quarantine new threats. Progent also provides expert ransomware recovery consultants with the skills and commitment to rebuild a breached system as quickly as possible.
Progent's Ransomware Restoration Help
Following a ransomware event, paying the ransom in cryptocurrency does not ensure that the attackers will provide working keys to decrypt your files. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), significantly higher than the typical ransomware demand, which ZDNet reported to be around $13,000. The alternative is to rebuild the vital components of your IT environment. Without complete, uncompromised backups, this requires a broad range of skills, well-coordinated team management, and the ability to work continuously until the job is done.
For decades, Progent has provided certified expert IT services for companies in Houston and across the United States, and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold top industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of expertise gives Progent the capability to quickly understand critical systems, organize the remaining pieces of your IT environment after a ransomware attack, and reassemble them into a functioning network.
Progent's ransomware team uses top-notch project management applications to orchestrate the complex restoration process. Progent appreciates the urgency of acting swiftly and in unison with a customer's management and IT staff to prioritize tasks and get key services back online as soon as possible.
Customer Story: A Successful Ransomware Incident Restoration
A customer contacted Progent after their network was attacked by the Ryuk ransomware. Ryuk first appeared in 2018 and shares code with the earlier Hermes ransomware, which led early analyses to link it to North Korean state-sponsored actors; most subsequent research attributes Ryuk operations to a Russian-speaking criminal group (tracked as WIZARD SPIDER). Ryuk targets specific organizations that cannot tolerate operational disruption and has been one of the most lucrative ransomware operations. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company in the Chicago metro area with around 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing. Most of the client's backups were online at the time of the attack and were encrypted along with the production data. The client was arranging financing to pay the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I cannot thank you enough for the help Progent gave us during the most critical period of (our) business's survival. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent team gave us. The fact that you could get our messaging and essential applications back online in less than a week was earth shattering. Every single person I talked with or e-mailed at Progent was hell bent on getting us operational and was working 24/7 on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the most important systems that had to be recovered so that departmental functions could continue:
- Microsoft Active Directory
To start, Progent followed ransomware incident response best practices by halting lateral movement and eradicating the malware from affected systems. Progent then began recovering Active Directory, the heart of enterprise systems built on Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the customer's financial and MRP systems ran on SQL Server, which relied on Windows AD for authentication and authorization to the data.
In less than two days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then performed reinstallations and storage recovery of mission-critical systems. All Microsoft Exchange Server schema extensions and attributes were intact, which greatly simplified the restoration of Exchange. Progent collected unencrypted OST files (Outlook offline data files) from staff PCs and laptops in order to recover mail messages. A recent offline backup of the business's accounting/MRP software made it possible to bring these essential services back online. Although much work remained to recover completely from the Ryuk damage, the most important services were restored rapidly:
"For the most part, the production line operation did not miss a beat and we produced all customer sales."
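Harvesting Outlook offline data files from endpoints, as described in the recovery above, only helps if the files collected are actually intact. As an added example that is not Progent's tooling or part of the original case study, the following PowerShell script shows the triage a responder can run on each workstation before copying files off for mailbox reconstruction. Intact PST and OST files begin with the four-byte magic "!BDN" documented in the MS-PST file format; a file whose contents were overwritten by ransomware will not. The script assumes the default Outlook data-file locations and a hypothetical collection share named \\recovery01\ost-collection.

```powershell
# Added example (not Progent's code): triage Outlook OST/PST files on a
# workstation and collect only those whose header is intact.
# PST/OST files start with dwMagic = "!BDN" (0x21 0x42 0x44 0x4E); an
# encrypted or truncated file fails this check.

function Test-OutlookDataFile {
    param([Parameter(Mandatory)][string]$Path)

    $expected = [byte[]](0x21, 0x42, 0x44, 0x4E)   # "!BDN"
    # FileShare.ReadWrite lets us read a file Outlook still has open.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $header = New-Object byte[] 4
        $read = $fs.Read($header, 0, 4)
    } finally {
        $fs.Dispose()
    }
    if ($read -lt 4) { return $false }            # too short to be a data file
    for ($i = 0; $i -lt 4; $i++) {
        if ($header[$i] -ne $expected[$i]) { return $false }
    }
    return $true
}

# Default Outlook locations for every profile on the machine.
$roots = @(
    'C:\Users\*\AppData\Local\Microsoft\Outlook',
    'C:\Users\*\Documents\Outlook Files'
)

# The *.ost.* / *.pst.* patterns catch files the ransomware renamed by
# appending its own extension; they will be reported as not intact.
$results = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Include *.ost, *.pst, *.ost.*, *.pst.* -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Path     = $_.FullName
                SizeMB   = [math]::Round($_.Length / 1MB, 1)
                Modified = $_.LastWriteTime
                Intact   = Test-OutlookDataFile -Path $_.FullName
            }
        }
}

$results | Sort-Object Intact, Path | Format-Table -AutoSize

# Copy only header-intact files to the collection share (hypothetical path)
# so nothing but usable mailbox data is imported during reconstruction.
$dest = Join-Path '\\recovery01\ost-collection' $env:COMPUTERNAME
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$results | Where-Object Intact | ForEach-Object {
    Copy-Item -LiteralPath $_.Path -Destination $dest -Force
}
```

Run the script with administrative rights after Outlook has been closed on the endpoint, so the copy is not blocked by Outlook's exclusive handle and reflects the last synchronized state. Recording the LastWriteTime alongside the result also helps establish which files were last touched before the encryption event began.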
Over the next couple of weeks, the remaining milestones in the recovery project were completed through close collaboration between Progent consultants and the customer:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore Server archive, holding more than four million messages, was brought back online and made available to users.
- CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were fully restored.
- A new Palo Alto Networks PA-850 firewall was installed.
- Nearly all desktop computers were back in service.
"So much of what went on that first week is nearly entirely a fog for me, but I will not soon forget the commitment each of you put in to help get our company back. I have entrusted Progent for at least 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This time was the most impressive ever."
A potentially company-ending catastrophe was averted by hard-working experts, a wide spectrum of subject matter expertise, and close teamwork. In post mortem, the intrusion described here would likely have been detected and stopped by modern security technology and security best practices, user and IT administrator education, well-thought-out incident response procedures, offline or otherwise isolated backups, and proper patch management. The reality, however, is that state-sponsored and criminal threat actors from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incursion, you can be confident that Progent's roster of experts has proven experience in ransomware blocking, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for making it so I could get rested after we got past the first week. Everyone made a fabulous effort, and if any of your team is visiting the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Houston a portfolio of remote monitoring and security evaluation services designed to minimize your exposure to ransomware. These services incorporate machine-learning detection to uncover zero-day ransomware variants that escape detection by legacy signature-based security products.
For 24-Hour Houston CryptoLocker Removal Experts, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses behavior-based analysis to defend physical and virtual endpoints against modern malware such as ransomware and phishing payloads, which routinely evade traditional signature-based anti-virus products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to manage the complete threat lifecycle: filtering, identification, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback based on Windows Volume Shadow Copy Service snapshots and automatic fleet-wide immunization against newly discovered attacks. One caveat applies to any VSS-based rollback: many ransomware families delete shadow copies early in an attack (for example via vssadmin or WMI), so rollback depends on the endpoint agent protecting those snapshots, and that protection should be verified during deployment testing rather than assumed. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and response to threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies incorporated within a single agent managed from one console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP environment that addresses your company's unique needs and allows you to achieve and demonstrate compliance with government and industry data security standards. Progent will help you specify and configure the security policies that ProSight ESP enforces, monitor your IT environment, and react to alerts that call for immediate action. Progent can also help your company set up and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable, fully managed service for reliable backup and disaster recovery. Available at a low monthly cost, ProSight DPS automates and monitors your backup processes and allows rapid recovery of vital files, applications and virtual machines that have become unavailable or damaged due to hardware failure, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class expertise to set up ProSight DPS to comply with regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, when needed, can assist you in restoring your business-critical data. Read more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security vendors to provide centralized management and comprehensive protection for your email traffic. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to defend against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a first barrier and keeps most threats from ever reaching your network firewall, which reduces your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the onsite gateway provides anti-virus and anti-spam protection, data leakage protection, and email encryption. The onsite gateway can also work with Exchange Server to monitor and safeguard internal email traffic that never leaves your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to map out, monitor, reconfigure and debug their connectivity hardware such as switches, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, locating appliances that require important software patches, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your network running at peak levels by checking the health of vital assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT staff and your assigned Progent consultant so that any potential problems can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported easily to a different hardware environment without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect information about your network infrastructure, procedures, business applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can save up to half the time wasted searching for vital information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.