Crypto-Ransomware: Your Crippling IT Disaster
Ransomware has become an escalating cyberplague that presents an extinction-level danger for businesses unprepared for an attack. Different iterations of ransomware like the Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been circulating for many years and still inflict havoc. Newer versions of crypto-ransomware such as Ryuk and Hermes, as well as more unnamed viruses, not only encrypt online information but also infiltrate any configured system protection mechanisms. Information synched to cloud environments can also be ransomed. In a vulnerable environment, this can render automated restoration useless and effectively sets the entire system back to zero.
Getting programs and data back on-line after a ransomware attack becomes a race against time as the targeted business fights to stop the spread, eradicate the ransomware, and resume mission-critical operations. Because crypto-ransomware requires time to spread, attacks are frequently launched during weekends and nights, when penetrations in many cases take more time to detect. This multiplies the difficulty of quickly mobilizing and coordinating a knowledgeable response team.
Progent provides an assortment of support services for protecting enterprises from ransomware attacks. Among these are user education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security appliances with machine learning technology to intelligently discover and extinguish day-zero cyber threats. Progent in addition can provide the assistance of seasoned crypto-ransomware recovery engineers with the talent and commitment to restore a compromised network as quickly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware event, sending the ransom in cryptocurrency does not guarantee that the attackers will respond with the keys needed to decrypt all your files. Kaspersky found that 17% of crypto-ransomware victims never recovered their information even after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates at approximately $13,000. The alternative is to rebuild the mission-critical elements of your IT environment. Without complete data backups, this calls for a wide complement of IT skills, well-coordinated project management, and the ability to work 24x7 until the recovery project is completed.
For twenty years, Progent has made available certified expert Information Technology services for businesses in Buffalo and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience with financial management and ERP application software. This breadth of experience gives Progent the ability to rapidly understand important systems and consolidate the remaining pieces of your computer network system after a ransomware penetration and configure them into an operational system.
Progent's security group utilizes top-notch project management tools to orchestrate the sophisticated recovery process. Progent appreciates the importance of acting rapidly and in concert with a customer's management and IT team members to prioritize tasks and to put essential services back on line as soon as possible.
Case Study: A Successful Ransomware Virus Restoration
A customer hired Progent after their network was crashed by the Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean government-sponsored hackers, suspected of adopting techniques leaked from America's National Security Agency. Ryuk targets specific organizations with limited tolerance for operational disruption and is one of the most lucrative incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with around 500 staff members. The Ryuk intrusion had brought down all company operations and manufacturing capabilities. The majority of the client's data backups had been on-line at the start of the intrusion and were encrypted. The client was pursuing financing to pay the ransom demand (exceeding $200,000) and hoping for good luck, but ultimately called Progent.
"I cannot tell you enough in regards to the care Progent gave us during the most stressful period of (our) company's existence. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent group provided us. That you were able to get our messaging and key servers back into operation sooner than one week was earth shattering. Every single person I spoke to or texted at Progent was amazingly focused on getting our system up and was working 24/7 on our behalf."
Progent worked with the client to rapidly assess and prioritize the key areas that had to be addressed to make it possible to continue business functions:
- Active Directory
- Exchange Server
To begin, Progent followed industry best practices for AV/malware incident mitigation by stopping lateral movement and disinfecting systems. Progent then started the process of restoring Microsoft AD, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without AD, and the customer's accounting and MRP system leveraged SQL Server, which depends on Windows AD for authorization of access to the database.
In less than 2 days, Progent was able to restore Active Directory to its pre-attack state. Progent then charged ahead with rebuilding key applications and recovering their storage. All Exchange Server data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Microsoft Outlook Offline Folder Files) from user PCs and laptops to recover email data. A recent offline backup of the client's accounting systems made it possible to bring these vital applications back to users. Although major work still had to be done to recover fully from the Ryuk damage, essential services were returned to operation rapidly:
"For the most part, the production operation survived unscathed and we delivered all customer orders."
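One way to triage the workstation OST/PST files gathered in a recovery like the one described above, as an added example that is not part of Progent's write-up or tooling: the script below walks a collection directory and sorts files by whether their Outlook data-file header survived. It assumes the documented Outlook header layout (magic bytes "!BDN" at offset 0, client tag "SO" for OST or "SM" for PST at offset 8), assumes the malware overwrote file contents rather than leaving headers intact, and constructs its own sample files; the directory names and mailbox names are illustrative.

```python
"""
Triage of Outlook data files (.ost/.pst) gathered from workstations after a
ransomware event. Added example, not Progent's tooling. Assumption: an intact
Outlook data file starts with the magic bytes b"!BDN" and carries a client tag
at offset 8 (b"SO" for an OST, b"SM" for a PST); a file that no longer has
that header was overwritten by the malware and is not a recovery candidate.
"""
import struct
import tempfile
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"
CLIENT_TAGS = {b"SO": "ost", b"SM": "pst"}
OUTLOOK_SUFFIXES = {".ost", ".pst"}


def classify_outlook_file(path):
    """Return 'intact-ost' / 'intact-pst' when the header is valid, else None."""
    with open(path, "rb") as fh:
        header = fh.read(12)
    if len(header) < 12 or header[:4] != OUTLOOK_MAGIC:
        return None
    kind = CLIENT_TAGS.get(header[8:10])
    return f"intact-{kind}" if kind else None


def scan_for_outlook_files(root):
    """Walk root and classify candidate files.

    Files with a valid header are reported as intact whatever their extension
    (a user may have renamed an archive); files with an .ost/.pst extension but
    no valid header are reported as 'damaged'. Other files are ignored.
    """
    root = Path(root)
    results = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        verdict = classify_outlook_file(p)
        if verdict is None and p.suffix.lower() in OUTLOOK_SUFFIXES:
            verdict = "damaged"
        if verdict is not None:
            results[p.relative_to(root).as_posix()] = verdict
    return results


def write_constructed_samples(root):
    """Write constructed sample files (not real mailboxes) for a dry run."""
    user_dir = Path(root) / "alice"
    user_dir.mkdir(parents=True)
    # Intact OST: magic, 4-byte partial CRC (zeroed here), client tag, version field.
    ost_header = OUTLOOK_MAGIC + b"\x00" * 4 + b"SO" + struct.pack("<H", 36)
    (user_dir / "alice@example.com.ost").write_bytes(ost_header + b"\x00" * 500)
    # Intact PST that a user renamed; only the header identifies it.
    pst_header = OUTLOOK_MAGIC + b"\x00" * 4 + b"SM" + struct.pack("<H", 23)
    (user_dir / "old_mail.bak").write_bytes(pst_header + b"\x00" * 500)
    # Encrypted archive: the malware rewrote the bytes, so the magic is gone.
    garbage = bytes((i * 73 + 11) % 256 for i in range(512))
    (user_dir / "archive.pst").write_bytes(garbage)
    # Unrelated file: neither header nor extension matches, so it is skipped.
    (user_dir / "notes.txt").write_bytes(b"meeting notes\n")


def demo():
    """Run the scan over the constructed samples and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_samples(tmp)
        return scan_for_outlook_files(tmp)


if __name__ == "__main__":
    for rel_path, verdict in sorted(demo().items()):
        print(f"{verdict:11} {rel_path}")
```

A surviving header is a triage signal, not proof of integrity: a file that passes should still be opened or repaired with Outlook's own tools before its mail is imported, and a ransomware variant that encrypts only part of a large file can leave the first bytes untouched, so the "damaged" bucket is reliable while the "intact" bucket is a shortlist.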
Over the next couple of weeks, critical milestones in the recovery project were reached in close collaboration between Progent team members and the customer:
- Internal web applications were brought back up with no loss of information.
- The MailStore Server, holding more than four million historical messages, was restored to operation and made accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory Control modules were completely functional.
- A new Palo Alto Networks 850 security appliance was installed.
- Most of the user workstations were fully operational.
"A lot of what went on in the initial days is nearly entirely a haze for me, but our team will not soon forget the care each of your team put in to give us our business back. I've trusted Progent for the past ten years, possibly more, and every time I needed help Progent has shined and delivered as promised. This situation was a life saver."
A possible company-ending disaster was avoided by hard-working experts, a broad range of IT skills, and tight collaboration. Although in post-mortem analysis the crypto-ransomware penetration detailed here could have been prevented with advanced cyber security technology, NIST Cybersecurity Framework best practices, user education, and properly executed procedures for data backup and patch management, the fact is that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware attack, remember that Progent's roster of professionals has extensive experience in crypto-ransomware virus defense, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for letting me get rested after we made it through the initial fire. Everyone did a fabulous job, and if any of your team is in the Chicago area, dinner is my treat!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Buffalo a range of remote monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services include modern machine learning technology to uncover zero-day variants of ransomware that can escape detection by traditional signature-based anti-virus products.
For 24/7/365 Buffalo Crypto-Ransomware Repair Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates cutting edge behavior analysis technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus tools. ProSight ASM safeguards local and cloud resources and provides a single platform to address the entire threat lifecycle including filtering, infiltration detection, containment, remediation, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer affordable in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools packaged within one agent accessible from a single console. Progent's data protection and virtualization consultants can help you to plan and implement a ProSight ESP environment that meets your company's unique needs and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent can also assist your company to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and mid-sized organizations a low cost and fully managed solution for secure backup/disaster recovery. Available at a low monthly price, ProSight DPS automates your backup activities and enables fast recovery of critical data, apps and VMs that have become unavailable or damaged as a result of hardware failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local device, or mirrored to both. Progent's cloud backup consultants can provide world-class support to set up ProSight DPS to be compliant with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, when needed, can assist you to recover your critical data. Read more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security companies to provide centralized management and world-class security for all your email traffic. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. The cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's onsite gateway device adds a further layer of inspection for incoming email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, monitor, enhance and troubleshoot their connectivity appliances such as routers and switches, firewalls, and access points plus servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when potential issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off common chores like making network diagrams, expanding your network, finding devices that need critical software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your network running efficiently by tracking the health of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT staff and your assigned Progent consultant so that any potential issues can be resolved before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual host configured and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Because the environment is virtualized, it can be ported immediately to a different hosting solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect data about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT documentation, you can save as much as 50% of time spent trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.