Ransomware: Your Crippling IT Disaster
Crypto-ransomware has become an escalating cyber pandemic that represents an enterprise-level threat for organizations poorly prepared for an attack. Multiple generations of crypto-ransomware like the Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been replicating for years and continue to inflict harm. Newer variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with many unnamed strains, not only encrypt on-line information but also infect any configured system backups they can reach. Information synchronized to cloud environments can also be ransomed. In a poorly designed system, this renders automatic recovery useless and effectively knocks the datacenter back to square one.
Getting applications and data back following a ransomware outage becomes a race against the clock as the victim fights to contain and clean up the malware and to resume mission-critical activity. Because ransomware needs time to spread, attacks are usually launched at night, when a successful intrusion is likely to go unnoticed for longer. This compounds the difficulty of promptly mobilizing and orchestrating a knowledgeable mitigation team.
Progent provides an assortment of services for protecting enterprises from ransomware attacks. These include team education to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security solutions with machine learning technology to quickly identify and quarantine zero-day cyber threats. Progent also offers the services of seasoned crypto-ransomware recovery consultants with the skills and commitment to rebuild a compromised system as urgently as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the cyber criminals will respond with the keys needed to decrypt all your information. Kaspersky determined that seventeen percent of ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000). This is significantly higher than the average crypto-ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to re-install the essential components of your IT environment. Without access to full system backups, this requires a wide complement of skill sets, professional team management, and the ability to work 24x7 until the job is done.
For decades, Progent has provided expert IT services for companies in Vitória and throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise with accounting and ERP software solutions. This breadth of experience gives Progent the skills to rapidly identify critical systems, consolidate the surviving pieces of your Information Technology environment following a ransomware attack, and rebuild them into an operational network.
Progent's security group deploys top-notch project management tools to orchestrate the complicated restoration process. Progent understands the urgency of acting quickly and in unison with a client's management and Information Technology resources to prioritize tasks and to put critical systems back online as fast as humanly possible.
Case Study: A Successful Ransomware Penetration Response
A client escalated to Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-sponsored hackers, possibly adopting techniques leaked from the United States National Security Agency. Ryuk targets specific companies with limited tolerance for disruption and is among the most lucrative strains of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in the Chicago metro area with around 500 workers. The Ryuk attack had brought down all business operations and manufacturing capabilities. The majority of the client's backups had been on-line at the start of the attack and were encrypted. The client was evaluating paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.
"I cannot say enough about the help Progent gave us throughout the most fearful time of (our) company’s survival. We would have had little choice but to pay the cyber criminals if it hadn’t been for the confidence the Progent experts afforded us. That you were able to get our messaging and essential applications back into operation in less than seven days was earth shattering. Each consultant I spoke to or communicated with at Progent was urgently focused on getting us restored and was working 24/7 to bail us out."
Progent worked with the customer to rapidly identify and prioritize the critical elements that needed to be restored in order to restart business operations:
- Active Directory (AD)
- Electronic Mail
- MRP System
To get going, Progent followed industry best practices for malware incident response by isolating infected systems and cleaning them of malware. Progent then began the steps of rebuilding Microsoft Active Directory, the foundational technology of enterprise systems built upon Microsoft Windows. Microsoft Exchange Server messaging will not operate without Windows AD, and the client's MRP applications relied on Microsoft SQL Server, which requires Active Directory services for access to the information.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then carried out reinstallations and hard drive recovery of key servers. All Exchange data and configuration information were intact, which greatly helped the restoration of Exchange. Progent was able to locate local OST data files (Outlook Off-Line Folder Files) on staff workstations and laptops to recover email information. A recent off-line backup of the client's financials/MRP systems allowed these essential applications to be brought back on-line. Although major work remained to recover fully from the Ryuk attack, the most important services were returned to operation quickly:
"For the most part, the assembly line operation survived unscathed and we made all customer orders."
Throughout the following month important milestones in the recovery project were achieved through close collaboration between Progent engineers and the client:
- In-house web applications were brought back up with no loss of information.
- The MailStore Exchange Server with over 4 million archived emails was brought online and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control modules were fully recovered.
- A new Palo Alto 850 security appliance was deployed.
- Most of the user workstations were back in use by staff.
"A lot of what was accomplished that first week is mostly a blur for me, but we will not forget the urgency all of your team accomplished to give us our business back. I have trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This event was a testament to your capabilities."
A potential business disaster was avoided by dedicated experts, a broad range of subject matter expertise, and close collaboration. Forensics completed after the event showed that the ransomware attack detailed here could have been identified and blocked with current cyber security technology and NIST Cybersecurity Framework best practices, user training, and well-designed incident response procedures for backup and patching. The reality, however, is that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by ransomware, feel confident that Progent's roster of professionals has a proven track record in crypto-ransomware defense, mitigation, and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for letting me get rested after we made it past the initial push. All of you did a fabulous job, and if any of your guys are around the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this case study, click: Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF - 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Vitória a variety of online monitoring and security evaluation services to help minimize your exposure to ransomware. These services utilize next-generation AI capability to detect zero-day strains of ransomware that are able to get past traditional signature-based security products.
For Vitória 24/7/365 CryptoLocker Remediation Help, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior-based analysis technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which easily escape traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to automate the complete threat lifecycle including filtering, detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge tools incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can assist you to plan and configure a ProSight ESP environment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent can also assist your company to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and medium-sized organizations an affordable and fully managed service for reliable backup/disaster recovery. For a low monthly rate, ProSight Data Protection Services automates your backup processes and enables fast restoration of critical files, apps and virtual machines that have become unavailable or corrupted as a result of component breakdowns, software glitches, disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's backup and recovery specialists can provide advanced support to set up ProSight DPS to be compliant with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you to recover your business-critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading information security companies to provide centralized control and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway device to offer advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter serves as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your exposure to external threats and saves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a deeper layer of analysis for incoming email. For outbound email, the local gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also assist Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, monitor, optimize and troubleshoot their connectivity hardware like switches, firewalls, and access points plus servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are kept updated, captures and manages the configuration of virtually all devices on your network, tracks performance, and sends notices when problems are discovered. By automating time-consuming management processes, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, locating appliances that require important software patches, or resolving performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent’s server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by checking the health of vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT personnel and your Progent consultant so that any looming problems can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hosting environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you’re making improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.