Ransomware : Your Worst Information Technology Nightmare
Crypto-ransomware has become an escalating cyber plague that presents an extinction-level danger for organizations vulnerable to an attack. Earlier versions of ransomware such as the CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for many years and still cause havoc. Modern strains like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nephilim, along with as yet unnamed newcomers appearing daily, not only encrypt on-line critical data but also infiltrate any accessible system backups. Files synced to off-site disaster recovery sites can also be corrupted. In a poorly architected environment, this can make automatic recovery useless and effectively set the entire system back to zero.
Retrieving programs and information after a ransomware intrusion becomes a race against the clock as the targeted business does its best to stop lateral movement, clean up the infection and resume mission-critical operations. Since ransomware takes time to spread, attacks are often launched on weekends and holidays, when a successful penetration may take longer to notice. This multiplies the difficulty of promptly assembling and organizing a qualified response team.
Progent provides a range of support services for securing organizations against ransomware attacks. These include team training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways with artificial intelligence technology to automatically discover and quarantine zero-day threats. Progent also provides the services of experienced ransomware recovery consultants with the talent and commitment to reconstruct a breached system as soon as possible.
Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware attack, paying the ransom demand in Bitcoin does not ensure that the remote criminals will return the keys needed to decrypt any of your information. Kaspersky Labs determined that 17% of ransomware victims never restored their files after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNet estimates to average approximately $13,000. The fallback is to set up from scratch the vital parts of your Information Technology environment. Without complete data backups, this calls for a broad complement of skills, well-coordinated team management, and the ability to work 24x7 until the recovery project is done.
For two decades, Progent has offered certified expert Information Technology services for companies in San Diego UCSD and across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded advanced certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-renowned certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial systems and ERP applications. This breadth of experience gives Progent the ability to quickly understand critical systems, consolidate the surviving parts of your IT system after a ransomware penetration, and rebuild them into an operational whole.
Progent's team of security experts uses top-notch project management tools to orchestrate the complicated restoration process. Progent knows the urgency of working quickly and in unison with a client's management and Information Technology resources to assign priority to tasks and to put the most important services back on-line as soon as possible.
Customer Case Study: A Successful Ransomware Penetration Restoration
A small business sought out Progent after their network was brought down by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state cybercriminals, possibly using techniques leaked from America's NSA. Ryuk goes after specific companies with little tolerance for operational disruption and is one of the most profitable iterations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in the Chicago metro area with about 500 staff members. The Ryuk attack had brought down all business operations and manufacturing processes. The majority of the client's backups had been on-line at the start of the attack and were damaged. The client was evaluating paying the ransom demand (in excess of $200K) and hoping for good luck, but ultimately called Progent.
"I cannot speak enough about the support Progent gave us during the most fearful time of (our) business's life. We would have paid the criminal gangs if it wasn't for the confidence the Progent group gave us. The fact that you could get our e-mail system and essential servers back on-line in less than five days was amazing. Every single consultant I worked with or texted at Progent was urgently focused on getting us operational and was working at breakneck pace to bail us out."
Progent worked with the client to rapidly assess and prioritize the mission-critical elements that had to be addressed in order to resume departmental operations:
- Microsoft Active Directory
- Electronic Messaging
To get going, Progent followed malware incident response best practices by halting the spread and disinfecting systems. Progent then started the task of restoring Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Exchange email will not work without Windows AD, and the customer's financial and MRP applications used Microsoft SQL Server, which depends on Windows AD for authorization of access to the data.
In less than 48 hours, Progent was able to recover Active Directory services to their pre-attack state. Progent then helped perform reinstallations and hard drive recovery on essential servers. All Microsoft Exchange Server data and attributes were intact, which facilitated the restore of Exchange. Progent was able to collect non-encrypted OST files (Outlook Offline Data Files) from various desktop computers and laptops to recover email information. A fairly recent off-line backup of the business's financials/ERP software made it possible to bring these required applications back into service for users. Although a large amount of work remained to recover fully from the Ryuk event, critical systems were recovered quickly:
"For the most part, the production line operation showed little impact and we produced all customer orders."
Over the following month, critical milestones in the restoration process were accomplished in tight collaboration between Progent engineers and the customer:
- In-house web sites were restored with no loss of data.
- The MailStore Server, holding more than four million archived messages, was brought on-line and made available to users.
- CRM/Product Ordering/Invoicing/AP/AR/Inventory capabilities were fully recovered.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Ninety percent of the user workstations were fully operational.
"Much of what was accomplished in the initial days is mostly a haze for me, but our team will not forget the urgency each and every one of your team put in to give us our business back. I've entrusted Progent for the past ten years, possibly more, and every time Progent has impressed me and delivered. This time was a Herculean accomplishment."
A likely business catastrophe was averted thanks to results-oriented experts, a wide range of technical expertise, and close teamwork. In hindsight, the crypto-ransomware penetration described here could have been stopped by advanced cyber security solutions, ISO/IEC 27001 best practices, team training, and well thought out incident response procedures covering data backup and keeping systems current with security patches; nonetheless, the fact remains that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, be confident that Progent's roster of professionals has substantial experience in ransomware blocking, cleanup, and data disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get rested after we made it through the initial push. All of you did a fabulous job, and if anyone that helped is around the Chicago area, dinner is on me!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in San Diego UCSD a variety of remote monitoring and security evaluation services to help you reduce your vulnerability to ransomware. These services use next-generation AI technology to uncover zero-day strains of ransomware that are able to get past traditional signature-based security solutions.
For San Diego UCSD 24x7x365 Ransomware Repair Services, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates next generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely evade traditional signature-based anti-virus products. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform to address the entire malware attack lifecycle including filtering, infiltration detection, containment, remediation, and forensics. Top features include single-click rollback with Windows VSS and automatic system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering via cutting-edge technologies incorporated within one agent accessible from a single console. Progent's security and virtualization consultants can help you design and implement a ProSight ESP deployment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent can also help you set up and test a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable and fully managed service for reliable backup and disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates your backup processes and enables fast restoration of vital data, apps and virtual machines that have become unavailable or damaged as a result of hardware breakdowns, software bugs, disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's BDR consultants can provide world-class expertise to set up ProSight Data Protection Services to comply with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, whenever needed, can help you restore your business-critical data. Learn more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security vendors to deliver web-based control and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard managed service integrates cloud-based filtering with a local security gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and keeps the vast majority of threats from reaching your network firewall. This decreases your vulnerability to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device provides a deeper level of analysis for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map, monitor, reconfigure and debug their networking hardware such as routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and displays the configuration of virtually all devices on your network, monitors performance, and sends alerts when issues are detected. By automating time-consuming network management processes, WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, locating devices that require important software patches, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system operating efficiently by checking the state of the critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your designated IT management staff and your Progent engineering consultant so any potential problems can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected, fault-tolerant data center on a fast virtual machine host configured and maintained by Progent's network support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be ported easily to a different hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard data related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can save up to half the time spent searching for vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your business network, like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Find out more about ProSight IT Asset Management service.