Crypto-Ransomware : Your Crippling Information Technology Disaster
Crypto-ransomware has become a modern cyber pandemic that presents an existential danger for businesses of all sizes unprepared for an attack. Ransomware families such as CryptoLocker, WannaCry, Locky, NotPetya and the MongoLock cryptoworm have been circulating for many years and still inflict damage. More recent variants such as Ryuk and Hermes, plus a daily stream of as yet unnamed malware, not only encrypt online files but also compromise whatever system-protection and backup mechanisms are configured. Files replicated to the cloud can also be corrupted. In a vulnerable environment, this can render automatic recovery useless and effectively sets the entire system back to zero.
Getting programs and data back on-line after a ransomware intrusion becomes a sprint against the clock as the targeted business struggles to contain the damage, eradicate the ransomware and resume enterprise-critical activity. Because ransomware needs time to move laterally, attacks are often launched at night, when penetrations may take longer to discover. This multiplies the difficulty of rapidly mobilizing and orchestrating a qualified response team.
Progent offers a variety of services for securing organizations from ransomware events. These include team member education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security appliances with AI capabilities to intelligently discover and quarantine new cyber attacks. Progent in addition can provide the services of expert ransomware recovery professionals with the talent and commitment to re-deploy a compromised network as soon as possible.
Progent's Ransomware Recovery Services
Subsequent to a ransomware attack, sending the ransom in Bitcoin does not ensure that the criminal gang will provide the keys needed to decrypt all your data. Kaspersky determined that 17% of crypto-ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is greatly above the usual crypto-ransomware demand, which ZDNET averages to be in the range of $13,000. The alternative is to set up from scratch the essential components of your Information Technology environment. Absent access to essential system backups, this calls for a broad range of IT skills, top-notch project management, and the ability to work 24x7 until the task is completed.
For twenty years, Progent has provided certified expert IT services for companies in Vacaville and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have garnered internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of expertise gives Progent the skills to efficiently identify critical systems, organize the surviving components of your Information Technology system following a ransomware attack, and configure them into a functioning system.
Progent's security team deploys powerful project management systems to coordinate the sophisticated restoration process. Progent appreciates the importance of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and to put essential services back online as fast as possible.
Business Case Study: A Successful Ransomware Penetration Response
A client hired Progent after their company was crippled by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean government-sponsored hackers, possibly adopting techniques leaked from the United States NSA. Ryuk targets specific organizations with little room for operational disruption and is one of the most lucrative examples of ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago with about 500 workers. The Ryuk penetration had paralyzed all essential operations and manufacturing capabilities. Most of the client's data backups had been on-line at the start of the intrusion and were eventually encrypted. The client was evaluating paying the ransom demand (exceeding $200,000) and hoping for the best, but in the end reached out to Progent.
"I can't speak enough about the help Progent gave us during the most stressful period of (our) company's survival. We may have had to pay the cyber criminals if not for the confidence the Progent group provided us. The fact that you could get our e-mail and production servers back on-line in less than seven days was incredible. Every single staff member I spoke to or e-mailed at Progent was hell bent on getting us operational and was working 24/7 to bail us out."
Progent worked together with the customer to quickly identify and assign priority to the essential services that had to be restored in order to resume business functions:
- Windows Active Directory
- Accounting and Manufacturing Software
To begin, Progent adhered to ransomware incident mitigation best practices by stopping the spread and removing active malware. Progent then began the process of restoring Active Directory, the core of enterprise environments built upon Microsoft Windows Server technology. Exchange email will not function without Windows AD, and the client's financials and MRP system utilized Microsoft SQL Server, which requires Active Directory services for access to the information.
In less than two days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then completed reinstallations and hard drive recovery of needed applications. All Exchange Server data and attributes were intact, which greatly helped the restoration of Exchange. Progent was able to find non-encrypted OST files (Microsoft Outlook Offline Folder Files) on staff workstations and laptops and used them to recover mail data. A relatively recent off-line backup of the business's accounting software made it possible to return these essential programs to users. Although a large amount of work still had to be done to recover fully from the Ryuk damage, core systems were restored quickly:
"For the most part, the manufacturing operation showed little impact and we delivered all customer deliverables."
During the next couple of weeks important milestones in the restoration project were achieved through close cooperation between Progent engineers and the client:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore Server with over 4 million historical messages was brought on-line and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control functions were fully recovered.
- A new Palo Alto 850 firewall was deployed.
- Nearly all of the user PCs were operational.
"A lot of what transpired during the initial response is mostly a blur for me, but my management will not forget the urgency each of you put in to help get our company back. I have trusted Progent for the past 10 years, maybe more, and each time Progent has shined and delivered as promised. This situation was a testament to your capabilities."
A potential enterprise-killing disaster was dodged through top-tier expertise, a wide array of knowledge, and tight collaboration. In retrospect, the ransomware attack detailed here could have been stopped with advanced cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, and properly executed incident response and patch management procedures. The reality remains, however, that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by ransomware, be confident that Progent's roster of professionals has a proven track record in crypto-ransomware blocking, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were involved), thanks very much for making it so I could get some sleep after we got through the initial push. Everyone did an incredible job, and if any of your team is in the Chicago area, dinner is on me!"
To read or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Vacaville a variety of online monitoring and security evaluation services designed to help you to minimize your vulnerability to ransomware. These services incorporate next-generation machine learning capability to detect new strains of crypto-ransomware that are able to escape detection by legacy signature-based security products.
For 24x7 Vacaville Crypto Recovery Consulting, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting-edge behavioral machine learning to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely get by legacy signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to automate the entire threat lifecycle including protection, detection, containment, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge technologies packaged within a single agent accessible from a unified console. Progent's security and virtualization experts can assist you to plan and implement a ProSight ESP deployment that addresses your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will assist you in specifying and configuring the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent's consultants can also help your company to set up and verify a backup and restore solution like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized organizations a low-cost end-to-end service for reliable backup and disaster recovery. For a fixed monthly cost, ProSight DPS automates your backup processes and allows rapid recovery of vital files, applications and VMs that have become lost or damaged due to hardware breakdowns, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local storage device, or to both. Progent's BDR specialists can deliver advanced expertise to set up ProSight DPS to comply with government and industry regulatory standards like HIPAA, FERPA, and PCI and, whenever necessary, can assist you to recover your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security companies to provide centralized management and world-class protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a first line of defense and keeps the vast majority of unwanted email from making it to your network firewall. This reduces your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper level of analysis for incoming email. For outbound email, the on-premises gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map out, monitor, enhance and debug their networking hardware such as routers and switches, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are always updated, copies and displays the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when problems are detected. By automating complex management activities, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding appliances that need critical software patches, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your IT system running at peak levels by tracking the state of vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your specified IT staff and your Progent consultant so that any looming problems can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved immediately to a different hosting solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard data about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can eliminate as much as half of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.