Crypto-Ransomware : Your Feared Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that poses an enterprise-level danger for businesses of all sizes that are poorly prepared for an assault. Multiple generations of ransomware such as Reveton, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for a long time and continue to cause destruction. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, along with additional as yet unnamed malware, not only encrypt on-line critical data but also infiltrate any reachable system restores and backups. Information replicated to off-site disaster recovery sites can also be ransomed. In a vulnerable data protection solution, this can render automated restoration impossible and basically knocks the entire system back to zero.
Restoring applications and information following a ransomware intrusion becomes a race against the clock as the targeted business tries its best to stop lateral movement, clear the crypto-ransomware, and restore enterprise-critical activity. Because ransomware needs time to replicate, penetrations are frequently launched at night, when they typically take longer to uncover. This multiplies the difficulty of rapidly assembling and organizing an experienced mitigation team.
Progent offers a range of services for securing organizations from ransomware attacks. These include team education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security appliances with machine learning capabilities to quickly discover and quarantine new threats. Progent in addition offers the services of seasoned ransomware recovery engineers with the talent and commitment to reconstruct a compromised network as quickly as possible.
Progent's Ransomware Recovery Support Services
Following a ransomware event, even paying the ransom demand in cryptocurrency does not ensure that merciless criminals will return the keys to decrypt all your data. Kaspersky determined that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET estimates to average around $13,000. The other path is to re-install the vital parts of your Information Technology environment. Without access to full data backups, this calls for a wide complement of IT skills, top-notch team management, and the capability to work continuously until the task is finished.
For twenty years, Progent has made available expert Information Technology services for businesses in Philadelphia and across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience in accounting and ERP application software. This breadth of expertise gives Progent the capability to knowledgeably identify necessary systems, re-organize the remaining components of your network following a ransomware attack, and configure them into a functioning system.
Progent's security group utilizes best-of-breed project management tools to orchestrate the sophisticated recovery process. Progent knows the importance of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and to put critical services back on line as fast as possible.
Business Case Study: A Successful Ransomware Intrusion Recovery
A customer hired Progent after their network was taken over by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state hackers, possibly adopting strategies leaked from the U.S. National Security Agency. Ryuk seeks out specific businesses with little room for disruption and is among the most lucrative versions of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company based in Chicago with about 500 employees. The Ryuk attack had paralyzed all essential operations and manufacturing processes. Most of the client's backups had been on-line at the beginning of the attack and were damaged. The client was actively seeking loans to pay the ransom (exceeding $200K) and praying for the best, but in the end utilized Progent.
"I can't speak enough about the expertise Progent gave us during the most fearful time of (our) business's life. We had little choice but to pay the criminal gangs if not for the confidence the Progent experts gave us. That you were able to get our e-mail and important applications back on-line sooner than seven days was beyond my wildest dreams. Every single expert I worked with or e-mailed at Progent was laser focused on getting our company operational and was working breakneck pace on our behalf."
Progent worked hand in hand with the customer to quickly identify and assign priority to the key systems that had to be addressed to make it possible to continue business operations:
- Microsoft Active Directory
- Microsoft Exchange Server
To begin, Progent adhered to AV/malware incident mitigation best practices by halting the spread and clearing infected systems. Progent then started the steps of recovering Windows Active Directory, the heart of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not function without Windows AD, and the customer's accounting and MRP system used Microsoft SQL Server, which requires Windows AD for access to the data.
In less than two days, Progent was able to recover Windows Active Directory to its pre-infection state. Progent then accomplished setup and storage recovery of the needed servers. All Exchange ties and configuration information were usable, which greatly helped the restore of Exchange. Progent was able to find non-encrypted OST files (Outlook Off-Line Data Files) on user desktop computers to recover mail messages. A not too old off-line backup of the customer's accounting/MRP software made it possible to bring these vital programs back online. Although a large amount of work remained to recover totally from the Ryuk damage, core services were recovered quickly:
"For the most part, the assembly line operation was never shut down and we made all customer sales."
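The mailbox recovery step above relied on locating Outlook OST files on workstations that the ransomware had not yet encrypted. The following script is an added illustration of how a responder can triage that kind of inventory; it is not part of the original case study and not Progent's tooling. It assumes the documented PST/OST file header (the magic bytes "!BDN" at offset 0) and uses a constructed threshold of 7.5 bits per byte of sampled entropy to flag files whose header is gone and whose contents look encrypted; the sample directory tree it scans is constructed inside the script.

```python
import math
import os
import tempfile
from pathlib import Path

# Every PST/OST file begins with the dwMagic value 0x4E444221 (MS-PST HEADER structure),
# stored little-endian, so the first four bytes on disk read as ASCII "!BDN".
OST_MAGIC = b"!BDN"
# Bytes inspected per file: the header is enough for the magic check and gives a usable
# entropy sample without reading multi-gigabyte mailboxes in full.
SAMPLE_SIZE = 4096
# Constructed threshold (assumption): ciphertext sits near 8 bits/byte, plaintext far below.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_mail_store(path: Path) -> str:
    """'intact' if the OST/PST header is present, 'likely-encrypted' if the header is
    gone and the sample looks like ciphertext, otherwise 'unknown' (inspect manually)."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_SIZE)
    if head.startswith(OST_MAGIC):
        return "intact"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "unknown"


def triage_mail_stores(root) -> dict:
    """Walk a workstation profile tree and classify every OST/PST candidate.
    Matches renamed files too (e.g. mailbox.ost.locked), because ransomware
    commonly appends its own extension to the files it encrypts."""
    root = Path(root)
    results = {}
    for p in root.rglob("*"):
        name = p.name.lower()
        if p.is_file() and (".ost" in name or ".pst" in name):
            results[p.relative_to(root).as_posix()] = classify_mail_store(p)
    return results


def build_constructed_sample(root) -> None:
    """Constructed sample tree: one intact OST, one encrypted-and-renamed OST,
    and one mis-named text file to show the 'unknown' path."""
    root = Path(root)
    (root / "alice").mkdir(parents=True, exist_ok=True)
    (root / "bob").mkdir(parents=True, exist_ok=True)
    (root / "alice" / "alice.ost").write_bytes(OST_MAGIC + b"\x00" * (SAMPLE_SIZE - 4))
    (root / "bob" / "bob.ost.locked").write_bytes(os.urandom(SAMPLE_SIZE))
    (root / "bob" / "notes.ost").write_bytes(b"not a real mailbox, just text\n" * 100)


def demo() -> dict:
    """Build the constructed tree in a temp directory and return the triage verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return triage_mail_stores(tmp)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:17s} {rel}")
```

Point `triage_mail_stores` at a copied-off user profile share rather than the live workstation, so the triage reads from a forensic copy; files reported as "intact" are the ones worth importing into a rebuilt mailbox, and "unknown" results deserve a manual look before being trusted or discarded.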
Throughout the following month, critical milestones in the recovery process were reached in tight cooperation between Progent team members and the customer:
- In-house web applications were brought back up with no loss of data.
- The MailStore Exchange Server containing more than four million archived emails was brought on-line and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory modules were 100 percent restored.
- A new Palo Alto Networks 850 firewall was set up and programmed.
- Most user workstations were back in use by staff.
"A lot of what occurred in the early hours is nearly entirely a haze for me, but our team will not forget the urgency all of the team put in to give us our company back. I've been working together with Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered. This time was a life saver."
A probable business-ending catastrophe was averted with hard-working experts, a broad array of subject matter expertise, and tight teamwork. In hindsight, the ransomware penetration detailed here would have been stopped by modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and well-designed incident response procedures for backup and for applying software patches. The reality, however, is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware virus, feel confident that Progent's roster of professionals has a proven track record in ransomware blocking, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), thanks very much for letting me get rested after we got past the most critical parts. All of you did a fabulous effort, and if anyone that helped is in the Chicago area, dinner is on me!"
To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Philadelphia a variety of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services incorporate next-generation artificial intelligence capability to detect new strains of crypto-ransomware that can escape detection by legacy signature-based anti-virus solutions.
For Philadelphia 24-Hour Crypto Removal Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that incorporates cutting edge behavior-based analysis technology to defend physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus products. ProSight ASM protects local and cloud-based resources and provides a single platform to address the complete malware attack lifecycle including filtering, infiltration detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint control, and web filtering via leading-edge tools incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to plan and configure a ProSight ESP environment that meets your organization's unique needs and that allows you achieve and demonstrate compliance with government and industry information security standards. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent can also help your company to install and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and medium-sized businesses an affordable and fully managed service for secure backup/disaster recovery (BDR). Available at a low monthly rate, ProSight Data Protection Services automates and monitors your backup activities and allows fast restoration of critical data, apps and VMs that have become unavailable or damaged due to hardware failures, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or to both. Progent's backup and recovery consultants can provide world-class expertise to configure ProSight Data Protection Services to be compliant with regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can help you to recover your business-critical data. Read more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to deliver centralized control and comprehensive protection for your email traffic. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper layer of inspection for incoming email. For outgoing email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to track and safeguard internal email traffic that stays inside your corporate firewall. For more details, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map, monitor, enhance and troubleshoot their networking appliances such as routers, firewalls, and access points plus servers, client computers and other devices. Using cutting-edge RMM technology, WAN Watch ensures that network maps are always current, copies and displays the configuration of virtually all devices on your network, tracks performance, and sends notices when problems are discovered. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off ordinary chores such as making network diagrams, reconfiguring your network, finding appliances that require important software patches, or isolating performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by tracking the state of critical assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so that any looming problems can be resolved before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported immediately to a different hosting solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard information about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate as much as half of the time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.