Ransomware : Your Crippling IT Catastrophe
Crypto-Ransomware has become an escalating cyberplague that poses an enterprise-level danger for businesses of all sizes vulnerable to an attack. Different versions of ransomware such as CryptoLocker, Fusob, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for years and continue to cause havoc. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, as well as additional unnamed malware, not only do encryption of on-line data but also infect any configured system protection mechanisms. Data replicated to off-site disaster recovery sites can also be ransomed. In a poorly architected data protection solution, it can render automated restore operations hopeless and basically knocks the entire system back to square one.
Getting back online programs and data following a ransomware attack becomes a sprint against time as the targeted business fights to stop lateral movement and cleanup the crypto-ransomware and to resume mission-critical activity. Since ransomware needs time to move laterally, penetrations are often launched during weekends and nights, when penetrations may take longer to discover. This compounds the difficulty of promptly mobilizing and coordinating a qualified mitigation team.
Progent makes available a range of services for protecting businesses from ransomware penetrations. Among these are staff training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security gateways with artificial intelligence technology to automatically identify and extinguish zero-day cyber threats. Progent in addition can provide the assistance of seasoned ransomware recovery consultants with the talent and perseverance to rebuild a breached system as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
Following a crypto-ransomware penetration, sending the ransom demands in Bitcoin cryptocurrency does not guarantee that cyber hackers will respond with the codes to unencrypt any of your data. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never recovered their information even after having paid the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the typical crypto-ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to setup from scratch the essential elements of your Information Technology environment. Without the availability of complete information backups, this calls for a broad complement of IT skills, well-coordinated team management, and the ability to work non-stop until the recovery project is completed.
For twenty years, Progent has made available expert Information Technology services for companies in Buffalo and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained advanced industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of expertise provides Progent the ability to efficiently identify critical systems and organize the surviving parts of your IT environment after a ransomware event and rebuild them into an operational network.
Progent's ransomware team of experts utilizes top notch project management tools to coordinate the sophisticated restoration process. Progent understands the urgency of acting swiftly and in unison with a client's management and Information Technology team members to assign priority to tasks and to put key systems back on-line as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Incident Response
A small business escalated to Progent after their company was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been launched by Northern Korean state cybercriminals, possibly using strategies exposed from the United States National Security Agency. Ryuk goes after specific organizations with limited tolerance for operational disruption and is among the most profitable examples of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company located in Chicago with about 500 employees. The Ryuk intrusion had brought down all essential operations and manufacturing capabilities. Most of the client's data protection had been online at the start of the intrusion and were damaged. The client was pursuing financing for paying the ransom demand (more than $200,000) and praying for good luck, but in the end made the decision to use Progent.
"I cannot thank you enough about the help Progent gave us throughout the most critical time of (our) businesses survival. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent group provided us. That you could get our e-mail system and key servers back on-line quicker than one week was incredible. Each person I worked with or e-mailed at Progent was amazingly focused on getting us back on-line and was working non-stop on our behalf."
Progent worked together with the client to rapidly identify and prioritize the most important applications that needed to be restored in order to resume departmental functions:
To begin, Progent adhered to AV/Malware Processes incident mitigation industry best practices by stopping lateral movement and cleaning up infected systems. Progent then initiated the task of recovering Microsoft Active Directory, the key technology of enterprise environments built upon Microsoft Windows Server technology. Exchange email will not work without Active Directory, and the businessesí financials and MRP system utilized Microsoft SQL, which depends on Windows AD for authentication to the data.
- Active Directory
- Microsoft Exchange Email
In less than two days, Progent was able to recover Active Directory to its pre-attack state. Progent then performed setup and storage recovery of critical systems. All Microsoft Exchange Server data and attributes were usable, which accelerated the restore of Exchange. Progent was also able to collect intact OST data files (Microsoft Outlook Offline Data Files) on staff workstations in order to recover email information. A not too old off-line backup of the client's financials/MRP systems made it possible to restore these vital services back servicing users. Although a large amount of work was left to recover completely from the Ryuk damage, critical systems were restored rapidly:
"For the most part, the manufacturing operation ran fairly normal throughout and we made all customer orders."
Throughout the following month critical milestones in the restoration project were completed in close collaboration between Progent engineers and the customer:
- Self-hosted web applications were brought back up with no loss of information.
- The MailStore Microsoft Exchange Server containing more than four million archived emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory capabilities were 100% recovered.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Ninety percent of the desktop computers were operational.
"Much of what occurred in the early hours is mostly a blur for me, but I will not soon forget the urgency all of the team accomplished to help get our company back. Iíve been working with Progent for the past ten years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."
A likely business-ending disaster was averted with dedicated professionals, a wide spectrum of knowledge, and close collaboration. Although upon completion of forensics the crypto-ransomware virus incident described here would have been identified and blocked with up-to-date cyber security technology and NIST Cybersecurity Framework best practices, team education, and well thought out security procedures for data backup and applying software patches, the fact remains that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware incident, feel confident that Progent's roster of professionals has proven experience in ransomware virus blocking, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for letting me get some sleep after we got past the initial push. All of you did an fabulous job, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Buffalo a variety of remote monitoring and security evaluation services designed to help you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation machine learning capability to uncover zero-day strains of ransomware that are able to escape detection by traditional signature-based security solutions.
For 24-Hour Buffalo Crypto-Ransomware Cleanup Consulting, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior machine learning tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to manage the entire malware attack lifecycle including protection, infiltration detection, mitigation, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, device management, and web filtering via leading-edge tools packaged within one agent managed from a unified control. Progent's data protection and virtualization experts can assist you to plan and configure a ProSight ESP deployment that meets your organization's unique requirements and that helps you prove compliance with government and industry information protection standards. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require immediate action. Progent's consultants can also help your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized businesses a low cost end-to-end solution for secure backup/disaster recovery. Available at a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and enables fast recovery of vital data, apps and VMs that have become unavailable or corrupted as a result of component failures, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's cloud backup consultants can deliver advanced support to configure ProSight DPS to be compliant with regulatory requirements such as HIPAA, FIRPA, and PCI and, when needed, can assist you to restore your business-critical information. Find out more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of leading information security companies to provide web-based management and comprehensive security for your inbound and outbound email. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with a local security gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and blocks most threats from reaching your security perimeter. This decreases your vulnerability to external attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper level of inspection for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized organizations to diagram, track, enhance and debug their networking appliances such as switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, captures and manages the configuration of almost all devices on your network, monitors performance, and sends alerts when problems are detected. By automating time-consuming network management activities, ProSight WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, locating appliances that need critical updates, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running efficiently by tracking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so that all potential issues can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hosting environment without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect data related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate up to half of time thrown away looking for vital information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether youíre planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about ProSight IT Asset Management service.