Crypto-Ransomware : Your Feared Information Technology Nightmare
Crypto-Ransomware has become an escalating cyberplague that represents an existential danger for businesses of all sizes unprepared for an attack. Versions of crypto-ransomware such as CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been around for years and still cause destruction. More recent variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, as well as frequent unnamed viruses, not only encrypt online data but also infiltrate any accessible system protection mechanisms. Files synchronized to cloud environments can also be corrupted. In a poorly architected data protection solution, this can make automatic recovery useless and effectively sets the entire system back to square one.
Restoring programs and data following a ransomware intrusion becomes a race against the clock as the victim fights to contain and clear the ransomware and to restore business-critical activity. Since ransomware requires time to spread, attacks are frequently launched at night, when penetrations in many cases take more time to discover. This compounds the difficulty of promptly mobilizing and orchestrating a qualified response team.
Progent offers an assortment of solutions for securing enterprises from crypto-ransomware attacks. These include team education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security solutions with machine learning capabilities from SentinelOne to identify and disable day-zero cyber attacks automatically. Progent in addition can provide the assistance of experienced crypto-ransomware recovery consultants with the talent and perseverance to restore a breached system as soon as possible.
Progent's Ransomware Recovery Services
After a ransomware penetration, even paying the ransom in cryptocurrency does not guarantee that criminal gangs will respond with the keys to unencrypt all your files. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their files even after having paid the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET estimates to be around $13,000. The other path is to setup from scratch the vital elements of your Information Technology environment. Absent access to full information backups, this requires a wide complement of skills, professional project management, and the willingness to work 24x7 until the job is done.
For decades, Progent has made available professional IT services for companies in Recife and throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security experts have garnered internationally-renowned certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial management and ERP software solutions. This breadth of experience affords Progent the capability to knowledgably identify important systems and integrate the surviving components of your network system following a ransomware attack and assemble them into an operational system.
Progent's ransomware group uses powerful project management applications to orchestrate the complex restoration process. Progent knows the urgency of working quickly and in concert with a client's management and Information Technology team members to assign priority to tasks and to put key applications back on-line as soon as possible.
Client Case Study: A Successful Crypto-Ransomware Penetration Restoration
A customer escalated to Progent after their company was brought down by the Ryuk ransomware. Ryuk is generally considered to have been launched by Northern Korean state sponsored criminal gangs, suspected of using approaches leaked from America's NSA organization. Ryuk targets specific organizations with little ability to sustain operational disruption and is one of the most profitable examples of crypto-ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area and has about 500 staff members. The Ryuk intrusion had brought down all essential operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the start of the intrusion and were encrypted. The client was pursuing financing for paying the ransom (more than two hundred thousand dollars) and wishfully thinking for good luck, but in the end brought in Progent.
"I cannot tell you enough in regards to the care Progent provided us throughout the most stressful time of (our) company's life. We would have paid the criminal gangs except for the confidence the Progent experts afforded us. That you could get our e-mail and important applications back online quicker than one week was beyond my wildest dreams. Each staff member I spoke to or e-mailed at Progent was absolutely committed on getting my company operational and was working all day and night on our behalf."
Progent worked hand in hand the customer to quickly understand and prioritize the mission critical services that needed to be restored to make it possible to restart company functions:
To get going, Progent adhered to ransomware incident mitigation industry best practices by stopping lateral movement and cleaning systems of viruses. Progent then started the process of rebuilding Active Directory, the key technology of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the businesses' MRP applications utilized Microsoft SQL Server, which requires Windows AD for access to the data.
- Microsoft Active Directory
- Microsoft Exchange Server
Within 48 hours, Progent was able to re-build Windows Active Directory to its pre-virus state. Progent then assisted with rebuilding and storage recovery on needed systems. All Exchange Server schema and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Off-Line Folder Files) on user workstations to recover mail messages. A not too old offline backup of the customer's manufacturing systems made them able to restore these required services back servicing users. Although major work needed to be completed to recover totally from the Ryuk damage, the most important systems were returned to operations quickly:
"For the most part, the assembly line operation was never shut down and we delivered all customer orders."
Over the next couple of weeks critical milestones in the recovery project were achieved in close collaboration between Progent engineers and the client:
- In-house web applications were returned to operation without losing any data.
- The MailStore Microsoft Exchange Server exceeding four million archived messages was spun up and available for users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory modules were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was set up.
- Nearly all of the user desktops and notebooks were being used by staff.
"Much of what went on during the initial response is nearly entirely a blur for me, but I will not soon forget the dedication each and every one of you accomplished to help get our company back. I have utilized Progent for the past ten years, maybe more, and every time Progent has come through and delivered as promised. This event was a Herculean accomplishment."
A probable business disaster was averted with dedicated experts, a wide range of technical expertise, and close teamwork. Although upon completion of forensics the ransomware attack detailed here would have been identified and stopped with up-to-date security solutions and security best practices, team training, and appropriate incident response procedures for data backup and applying software patches, the fact is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's team of experts has substantial experience in ransomware virus defense, remediation, and information systems restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for making it so I could get some sleep after we made it over the initial fire. Everyone did an incredible job, and if any of your team is in the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Recife a range of remote monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services incorporate modern AI capability to detect zero-day variants of ransomware that are able to escape detection by traditional signature-based security products.
For Recife 24x7 Crypto-Ransomware Removal Consulting, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior analysis tools to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely escape traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to manage the complete malware attack progression including filtering, identification, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection services offer affordable in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device control, and web filtering through leading-edge technologies incorporated within one agent accessible from a unified control. Progent's security and virtualization consultants can assist you to design and implement a ProSight ESP deployment that addresses your company's unique needs and that helps you prove compliance with legal and industry data security regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate action. Progent's consultants can also help your company to install and verify a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has worked with leading backup/restore software companies to produce ProSight Data Protection Services, a selection of subscription-based management offerings that provide backup-as-a-service. ProSight DPS services automate and track your backup processes and allow transparent backup and rapid restoration of vital files, apps, images, plus virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware failures, natural disasters, fire, cyber attacks such as ransomware, user error, malicious employees, or software bugs. Managed services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security companies to deliver centralized control and comprehensive protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to provide complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a first line of defense and keeps most threats from reaching your network firewall. This decreases your exposure to external attacks and saves system bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for incoming email. For outgoing email, the onsite gateway offers AV and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Exchange Server to monitor and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map, monitor, enhance and troubleshoot their connectivity appliances like switches, firewalls, and access points plus servers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when problems are discovered. By automating tedious management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, finding devices that require important software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by tracking the health of critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT staff and your Progent consultant so that all potential issues can be addressed before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hosting solution without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and protect information related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs or domains. By updating and organizing your network documentation, you can eliminate up to 50% of time thrown away looking for critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates next generation behavior analysis tools to guard endpoints as well as physical and virtual servers against new malware assaults like ransomware and email phishing, which easily escape legacy signature-matching anti-virus products. Progent Active Security Monitoring services safeguard on-premises and cloud resources and offers a unified platform to address the entire malware attack progression including blocking, infiltration detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and recovery services.
- Outsourced/Co-managed Service Center: Help Desk Managed Services
Progent's Support Desk services permit your IT team to outsource Call Center services to Progent or split responsibilities for Help Desk services seamlessly between your internal network support staff and Progent's extensive pool of IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your corporate network support team. User access to the Help Desk, provision of technical assistance, problem escalation, trouble ticket creation and updates, efficiency measurement, and management of the service database are consistent regardless of whether issues are resolved by your internal IT support resources, by Progent, or by a combination. Read more about Progent's outsourced/co-managed Call Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide organizations of all sizes a flexible and affordable alternative for assessing, testing, scheduling, implementing, and documenting updates to your ever-evolving IT network. Besides maximizing the security and reliability of your computer network, Progent's patch management services free up time for your IT staff to concentrate on more strategic initiatives and tasks that derive maximum business value from your information network. Find out more about Progent's software/firmware update management services.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
Progent's Duo MFA services utilize Cisco's Duo technology to protect against compromised passwords by using two-factor authentication. Duo supports single-tap identity verification with Apple iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a secured online account and enter your password you are requested to confirm your identity via a device that only you possess and that is accessed using a different network channel. A wide selection of out-of-band devices can be used as this added form of ID validation including a smartphone or watch, a hardware/software token, a landline phone, etc. You may designate several validation devices. For more information about Duo identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services.