Ransomware : Your Crippling IT Disaster
Crypto-ransomware has become an escalating cyber plague that represents an existential threat for businesses vulnerable to an attack. Multiple generations of crypto-ransomware, including CryptoLocker, WannaCry, Locky, SamSam and MongoLock, have been running rampant for years and continue to inflict harm. Modern variants like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, as well as many unnamed strains, not only encrypt on-line data files but also seek out and destroy any backups they can reach: shadow copies, backup catalogs, and backup volumes that are mounted or reachable over the network. Data replicated to the cloud can also be rendered useless, since replication faithfully copies the encrypted versions over the good ones. In a poorly architected data protection solution, this can make automated restoration hopeless and knocks the network back to zero.
Restoring applications and data after a crypto-ransomware attack becomes a race against time as the targeted organization fights to stop the spread, eradicate the malware, and resume business-critical activity. Because ransomware needs time to spread, attacks are frequently launched at night or over a weekend, when intrusions typically take longer to discover. This multiplies the difficulty of rapidly marshalling and organizing an experienced response team.
Progent has a variety of solutions for protecting businesses from ransomware attacks. These include training staff to recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for endpoint protection and ransomware defense, plus installation of modern security gateways with machine learning technology to rapidly detect and extinguish new threats. Progent can also provide the services of veteran ransomware recovery professionals with the skills and perseverance to rebuild a compromised system as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
Following a ransomware penetration, even paying the ransom in cryptocurrency does not guarantee that the attackers will provide working keys to decrypt any or all of your data. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their files after paying, compounding their losses. Paying is also expensive: Ryuk ransoms have ranged from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The fallback is to piece back together the critical components of your IT environment. Without complete and uncompromised backups, this calls for a wide range of IT skills, top-notch team management, and the capability to work continuously until the recovery is complete.
For decades, Progent has provided expert IT services for businesses in Philadelphia and across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally-recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of expertise gives Progent the capability to efficiently identify critical systems, salvage the remaining pieces of your IT environment after a ransomware attack, and configure them into a functioning system.
Progent's recovery group utilizes best of breed project management systems to orchestrate the sophisticated recovery process. Progent knows the importance of acting swiftly and in unison with a client's management and Information Technology team members to prioritize tasks and to put critical applications back online as soon as possible.
Customer Story: A Successful Crypto-Ransomware Incident Restoration
A business sought out Progent after their company was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because of its code overlap with the earlier Hermes ransomware, but later analysis attributed its operation to Russian-speaking criminal groups; it is deployed by hand inside networks the attackers have already compromised rather than spreading on its own. Ryuk targets specific businesses with limited ability to sustain disruption and is among the most lucrative ransomware operations. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with around 500 workers. The Ryuk penetration had shut down all business operations and manufacturing processes. Most of the client's data backups had been online at the start of the intrusion and were damaged. The client was evaluating paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.
"I can't say enough in regards to the support Progent gave us during the most critical time of (our) business's existence. We would have paid the cyber criminals except for the confidence the Progent team afforded us. The fact that you were able to get our e-mail system and essential applications back online quicker than a week was amazing. Each expert I spoke to or communicated with at Progent was amazingly focused on getting our system up and was working at all hours on our behalf."
Progent worked together with the customer to rapidly understand and prioritize the most important systems that needed to be recovered in order to restart business operations:
- Active Directory
- Microsoft Exchange Server
To get going, Progent followed incident response best practices by stopping the spread and eradicating the malware. Progent then began rebuilding Windows Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server will not function without Active Directory, and the customer's MRP applications used SQL Server, which relied on Active Directory (Windows authentication) for access to the databases.
In less than 48 hours, Progent restored Active Directory to its pre-attack state. Progent then pressed ahead with setup and storage recovery of the needed systems. All Exchange Server data and attributes were intact, which accelerated the Exchange restore. Progent was able to collect unencrypted OST files (Microsoft Outlook Offline Data Files) from team workstations to recover email data. A recent offline backup of the client's financials/MRP software made it possible to bring these essential services back online. Although significant work remained to recover fully from the Ryuk damage, core systems were recovered quickly:
"For the most part, the production operation ran fairly normal throughout and we delivered all customer orders."
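Collecting unencrypted OST files from workstations, as described above, depends on quickly telling which Outlook data files survived. The script below is an added example written for this page, not Progent's own tooling: it walks a directory tree such as a mounted workstation profile, checks the fixed header that every PST/OST file begins with (the ASCII magic "!BDN" and the format version word at offset 10, per Microsoft's MS-PST specification), and classifies each file as intact, encrypted or corrupt, or truncated. The directory layout and sample files written by make_sample_tree() are constructed for illustration, and the ".locked" suffix is a generic stand-in for whatever extension a given ransomware family appends.

```python
"""Triage Outlook data files (.ost/.pst) after a ransomware event.

Added example for this page (not Progent's tooling). Reads only the file
header, so it is safe to run against a read-only copy of a user profile.
"""
import os
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator

PST_MAGIC = b"!BDN"        # every PST/OST file starts with this (MS-PST dwMagic)
VER_OFFSET = 10            # wVer: 14/15 = ANSI format, >= 23 = Unicode format (MS-PST)
OUTLOOK_EXTS = {".ost", ".pst"}


@dataclass
class OutlookFile:
    path: Path
    size: int
    status: str   # "intact", "encrypted_or_corrupt" or "truncated"
    fmt: str      # "ansi", "unicode" or "unknown"


def classify_header(header: bytes) -> tuple[str, str]:
    """Classify a file from its first bytes (at least 12 are needed)."""
    if len(header) < 12:
        return "truncated", "unknown"
    if header[:4] != PST_MAGIC:
        # Encryption replaced the body with ciphertext, so the magic is gone.
        return "encrypted_or_corrupt", "unknown"
    (ver,) = struct.unpack_from("<H", header, VER_OFFSET)
    if ver in (14, 15):
        return "intact", "ansi"
    if ver >= 23:
        return "intact", "unicode"
    return "intact", "unknown"


def iter_outlook_files(root: Path) -> Iterator[Path]:
    """Yield files that carry .ost/.pst anywhere in their suffix chain.

    Encrypted copies frequently have an extra extension appended after the
    original one (e.g. mailbox.ost.<ext>), so those are reported, not skipped.
    """
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if any(s.lower() in OUTLOOK_EXTS for s in p.suffixes):
                yield p


def triage(root: Path) -> list[OutlookFile]:
    results = []
    for p in iter_outlook_files(root):
        with open(p, "rb") as fh:
            header = fh.read(16)
        status, fmt = classify_header(header)
        results.append(OutlookFile(p, p.stat().st_size, status, fmt))
    return sorted(results, key=lambda f: f.path)


def summarize(files: list[OutlookFile]) -> dict[str, int]:
    counts = {"intact": 0, "encrypted_or_corrupt": 0, "truncated": 0}
    for f in files:
        counts[f.status] += 1
    return counts


def make_sample_tree() -> Path:
    """Write constructed sample files into a fresh temp directory (test data only)."""
    import tempfile
    root = Path(tempfile.mkdtemp(prefix="ost_triage_"))
    outlook = root / "Users" / "alice" / "AppData" / "Local" / "Microsoft" / "Outlook"
    outlook.mkdir(parents=True)
    # Header layout: magic, 4-byte CRC, client magic "SM", wVer, then padding.
    unicode_hdr = PST_MAGIC + b"\0\0\0\0" + b"SM" + struct.pack("<H", 23)
    ansi_hdr = PST_MAGIC + b"\0\0\0\0" + b"SM" + struct.pack("<H", 14)
    (outlook / "alice@example.com.ost").write_bytes(unicode_hdr + b"\0" * 500)
    (outlook / "archive.pst").write_bytes(ansi_hdr + b"\0" * 500)
    # Encrypted by ransomware: body is ciphertext, generic extension appended.
    (outlook / "old.ost.locked").write_bytes(bytes(range(256)) * 2)
    # Copy interrupted mid-transfer: not enough header to judge.
    (outlook / "partial.ost").write_bytes(b"!BDN\0\0")
    return root


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else make_sample_tree()
    for f in triage(target):
        print(f"{f.status:22} {f.fmt:8} {f.size:>12} {f.path}")
```

Run it from a clean analysis workstation against a read-only copy of each user's profile (for example a mounted admin share). A file that passes the header check can still be damaged further in, so open the survivors and confirm the mailbox folders load before relying on them for recovery.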
Over the next few weeks key milestones in the restoration process were achieved in tight cooperation between Progent engineers and the client:
- Self-hosted web applications were restored without losing any information.
- The MailStore Server with over four million historical messages was spun up and available for users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory functions were fully functional.
- A new Palo Alto 850 firewall was deployed.
- Nearly all of the desktops and laptops were operational.
"A lot of what went on during the initial response is nearly entirely a haze for me, but my team will not soon forget the urgency each of your team accomplished to give us our business back. I've utilized Progent for the past ten years, maybe more, and each time Progent has shined and delivered as promised. This event was no exception but maybe more Herculean."
A possible business-ending disaster was averted thanks to hard-working professionals, a broad array of subject matter expertise, and tight collaboration. Although the post-incident forensics showed that the attack described here would have been stopped by up-to-date security technology and best practices, staff education, properly executed backup procedures (including copies kept offline or otherwise isolated from the production network), and proper patching controls, the fact remains that ransomware operators, whether criminal or state-sponsored, are relentless and will keep coming. If you do fall victim to crypto-ransomware, you can be confident that Progent's team of professionals has proven experience in ransomware defense, removal, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thank you for making it so I could get rested after we got over the initial fire. Everyone did a fabulous effort, and if anyone that helped is visiting the Chicago area, dinner is on me!"
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Philadelphia a portfolio of online monitoring and security assessment services to help you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation AI technology to detect zero-day strains of crypto-ransomware that can get past legacy signature-based security products.
For 24x7 Philadelphia CryptoLocker Repair Experts, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes next generation behavior analysis tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform to automate the entire malware attack lifecycle including filtering, detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to security threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies packaged within one agent accessible from a unified console. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP environment that meets your organization's specific needs and that allows you to demonstrate compliance with legal and industry information security regulations. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent's consultants can also help you set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Backup and Recovery Services
Progent has worked with advanced backup technology companies to create ProSight Data Protection Services, a selection of management outsourcing plans that deliver backup-as-a-service. ProSight DPS products automate and monitor your backup operations and allow transparent backup and rapid restoration of vital files/folders, applications, images, and virtual machines. ProSight DPS helps you avoid data loss resulting from hardware failures, natural calamities, fire, cyber attacks like ransomware, user mistakes, ill-intentioned insiders, or software glitches. Because modern ransomware deliberately targets any backup it can reach, at least one backup copy should be kept offline or otherwise isolated from the production network and its credentials. Managed services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security vendors to deliver centralized management and comprehensive security for all your inbound and outbound email. The powerful architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to offer complete protection against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and blocks most threats before they reach your network firewall. This reduces your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further layer of analysis for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server monitor and safeguard internal email that stays inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map, monitor, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always updated, copies and displays the configuration information of almost all devices on your network, tracks performance, and sends alerts when potential issues are discovered. By automating tedious management processes, ProSight WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, finding appliances that need critical updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your network operating efficiently by tracking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT management personnel and your assigned Progent consultant so that any looming issues can be resolved before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hosting solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect data related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as 50% of time wasted looking for critical information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents required for managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting-edge behavior-based machine learning to guard endpoint devices as well as physical and virtual servers against modern malware attacks like ransomware and phishing payloads, which routinely get by traditional signature-matching anti-virus products. The service protects on-premises and cloud resources and provides a unified platform to automate the complete malware attack progression including blocking, infiltration detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.
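Both ProSight Active Security Monitoring (above) and Active Defense Against Ransomware rely on Volume Shadow Copy Service snapshots for one-click rollback. The caveat a responder needs to know is that most ransomware families delete shadow copies, shrink shadow storage and disable Windows recovery (MITRE ATT&CK T1490, Inhibit System Recovery) moments before they start encrypting, so VSS rollback only works if that step was blocked or caught in time. The detection below is an added example written for this page, not Progent's or any vendor's product code. It scans process-creation events for the command lines typically used for this and escalates to high severity when two or more distinct recovery-inhibition commands occur on the same host within ten minutes. The lines in SAMPLE_LOG, the pipe-delimited export format, the host names, users and timestamps are all constructed.

```python
"""Flag 'inhibit system recovery' commands (ATT&CK T1490) in process-creation logs.

Added example for this page, not vendor code. Input is a constructed
pipe-delimited export: ts|host|user|parent_image|image|command_line.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Command lines ransomware commonly runs right before encrypting (case-insensitive).
RULES = {
    "vss_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vss_resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "ps_shadow_delete": re.compile(r"win32_shadowcopy.*\bdelete\b", re.I),
    "bcdedit_norecovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "wbadmin_delete": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
}
WINDOW = timedelta(minutes=10)   # hits on one host closer than this are one incident

# Constructed sample events: a benign admin query, a backup agent tuning shadow
# storage, then a burst from cmd.exe running as SYSTEM on a file server.
SAMPLE_LOG = """\
2019-03-05T02:11:04|WS-ACCT-07|CORP\\jsmith|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2019-03-05T02:13:41|FS-01|CORP\\backupsvc|C:\\Program Files\\Backup\\agent.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=D: /on=D: /maxsize=60GB
2019-03-05T02:40:10|FS-01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /all /quiet
2019-03-05T02:40:11|FS-01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB
2019-03-05T02:40:12|FS-01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2019-03-05T02:40:13|FS-01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbadmin.exe|wbadmin DELETE SYSTEMSTATEBACKUP
2019-03-05T02:40:15|FS-01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic.exe shadowcopy delete
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Alert:
    host: str
    first: datetime
    last: datetime
    rules: tuple[str, ...]
    severity: str
    events: list[Event]


def parse_line(line: str) -> Event:
    ts, host, user, parent, image, cmdline = line.rstrip("\n").split("|", 5)
    return Event(datetime.fromisoformat(ts), host, user, parent, image, cmdline)


def match_rules(ev: Event) -> list[str]:
    return [name for name, rx in RULES.items() if rx.search(ev.cmdline)]


def _build(host: str, cluster: list) -> Alert:
    rules = sorted({n for _, names in cluster for n in names})
    # One command alone can be a backup product resizing shadow storage; two or
    # more distinct recovery-inhibition commands is the pre-encryption pattern.
    severity = "high" if len(rules) >= 2 else "medium"
    return Alert(host, cluster[0][0].ts, cluster[-1][0].ts, tuple(rules),
                 severity, [ev for ev, _ in cluster])


def detect(lines, window: timedelta = WINDOW) -> list[Alert]:
    """Group rule hits per host into time clusters and grade each cluster."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        names = match_rules(ev)
        if names:
            hits[ev.host].append((ev, names))
    alerts = []
    for host, items in hits.items():
        items.sort(key=lambda t: t[0].ts)
        cluster = []
        for item in items:
            if cluster and item[0].ts - cluster[-1][0].ts > window:
                alerts.append(_build(host, cluster))
                cluster = []
            cluster.append(item)
        if cluster:
            alerts.append(_build(host, cluster))
    return sorted(alerts, key=lambda a: (a.first, a.host))


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.severity:6} {a.host} {a.first:%H:%M:%S}-{a.last:%H:%M:%S} {', '.join(a.rules)}")
        for ev in a.events:
            print(f"        {ev.user} <- {ev.parent}: {ev.cmdline}")
```

A lone vssadmin resize from a backup agent is a normal tuning event: it stays at medium severity with its parent process attached so an analyst can allowlist that parent. A burst of delete, resize, bcdedit and wbadmin commands from cmd.exe running as SYSTEM is the pattern to page on, and it is also the last moment at which isolating the host can still save data that has not yet been encrypted.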
- Progent's Outsourced/Shared Service Center: Call Center Managed Services
Progent's Support Desk managed services allow your IT group to offload Support Desk services to Progent or divide responsibilities for Service Desk support seamlessly between your in-house support team and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless extension of your corporate IT support resources. End user interaction with the Help Desk, provision of support services, escalation, trouble ticket creation and updates, performance measurement, and management of the support database are consistent regardless of whether incidents are taken care of by your in-house network support resources, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/co-managed Help Desk services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer businesses of any size a flexible and affordable solution for assessing, validating, scheduling, applying, and documenting software and firmware updates to your dynamic IT system. Besides maximizing the protection and reliability of your computer environment, Progent's patch management services allow your IT staff to concentrate on more strategic initiatives and tasks that deliver maximum business value from your information network. Read more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication (2FA). Duo supports one-tap identity confirmation on Apple iOS, Google Android, and other personal devices. With 2FA, whenever you log into a secured application and enter your password you are asked to verify your identity on a device that only you possess and that uses a separate network channel. A wide selection of out-of-band devices can be used as this added form of ID validation such as a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may register multiple verification devices. For details about Duo identity validation services, visit Cisco Duo MFA two-factor authentication services.