Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become an all-too-frequent cyber pandemic that poses an extinction-level danger for businesses of any size that are poorly prepared for an attack. Long-established crypto-ransomware families such as CrySIS, CryptoWall, Locky, Syskey and MongoLock have been circulating for many years and still inflict harm. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, plus a steady stream of unnamed newcomers, not only encrypt critical online data but also encrypt or delete most of the system backups they can reach. Data replicated to the cloud can also be rendered useless, because sync-style replication faithfully copies the encrypted files over the good ones. In a poorly designed environment this makes restoration hopeless and effectively sets the network back to zero.
Restoring services and data after a ransomware outage becomes a sprint against the clock as the victim works to contain and clean up the crypto-ransomware and to resume business-critical activity. Because attackers need time to move laterally and stage the encryption, the encryption stage is usually triggered on weekends and holidays, when a successful intrusion typically takes longer to notice. This compounds the difficulty of rapidly marshalling and coordinating an experienced mitigation team.
Progent offers an assortment of services for protecting organizations from crypto-ransomware intrusions. These include staff training to recognize and avoid phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances with machine learning technology that can quickly detect and contain new threats. Progent also provides seasoned ransomware recovery engineers with the track record and commitment to rebuild a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
Following a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will supply working keys to decrypt any or all of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their data after paying, compounding their losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNet reported to be around $13,000. The alternative is to rebuild the mission-critical parts of your IT environment from scratch. Without complete, uncompromised backups, this calls for a broad set of skills, well-coordinated project management, and the willingness to work non-stop until the job is finished.
For two decades, Progent has provided professional IT services to businesses in Vitória and across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity experts hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of experience allows Progent to efficiently identify the systems that must be rebuilt, integrate the surviving pieces of your network following a crypto-ransomware attack, and configure them into an operational environment.
Progent's ransomware team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of acting rapidly and working together with a customer's management and IT staff to prioritize tasks and to bring essential applications back online as fast as possible.
Business Case Study: A Successful Ransomware Penetration Recovery
A small business escalated to Progent after the company was brought down by Ryuk ransomware. Early analyses attributed Ryuk to North Korean state-sponsored actors because it shares code with the Hermes ransomware; later research attributed it to a financially motivated, Russian-speaking criminal group. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most profitable strains of crypto-ransomware. Prominent victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer based in the Chicago metro area with around 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing capability. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I cannot tell you enough in regards to the support Progent gave us throughout the most critical time of (our) business's existence. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent group afforded us. That you could get our messaging and important applications back on-line faster than one week was something I thought impossible. Every single expert I talked with or communicated with at Progent was hell-bent on getting us operational and was working 24/7 to bail us out."
Progent worked with the customer to quickly identify and prioritize the essential systems that had to be recovered for company operations to continue:
- Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent followed malware incident response best practices by halting the spread and disinfecting systems. Progent then began rebuilding Active Directory, the foundation of enterprise environments built on Microsoft technology: Microsoft Exchange will not run without AD, and the company's financial and MRP systems ran on Microsoft SQL Server, which relied on Active Directory (Windows authentication) to control access to the data.
In less than two days, Progent rebuilt Windows Active Directory to its pre-intrusion state. Progent then began reinstalling systems and recovering data from the critical servers' disks. All Exchange Server schema and configuration information was intact, which greatly sped the rebuild of Exchange. Progent gathered unencrypted OST files (Outlook Offline Folder Files) from various PCs to recover mailbox data. A recent offline backup of the customer's manufacturing software made it possible to bring those vital applications back online. Although much work remained to recover completely from the Ryuk attack, the most important systems were restored rapidly:
"For the most part, the assembly line operation survived unscathed and we delivered all customer orders."
Over the next couple of weeks, key milestones in the restoration were reached in close collaboration between Progent engineers and the customer:
- In-house web applications were brought back up with no loss of information.
- The MailStore email archive server, holding more than four million archived messages, was restored to operation and made accessible to users.
- The CRM, order entry, invoicing, accounts payable (AP), accounts receivable (AR), and inventory control modules were fully functional.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Nearly all of the user workstations were fully operational.
"So much of what was accomplished in the early hours is mostly a fog for me, but we will not soon forget the urgency each and every one of you accomplished to help get our company back. I have been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This situation was the most impressive ever."
A likely company-ending disaster was averted with top-tier professionals, a wide spectrum of subject matter expertise, and tight collaboration. In hindsight, the intrusion described here could have been detected and stopped with up-to-date security tooling and best practices, staff training, offline or otherwise isolated backups with a tested restoration procedure, and timely security patching. Even so, state-sponsored and criminal actors from Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you are hit by ransomware, you can be confident that Progent's team has a proven track record in blocking ransomware, removing it, and restoring data.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for making it so I could get some sleep after we got past the initial fire. All of you did a fabulous effort, and if any of your guys is visiting the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Vitória a range of remote monitoring and security assessment services to help you minimize your exposure to ransomware. These services include modern artificial intelligence capabilities to uncover new strains of crypto-ransomware that evade legacy signature-based anti-virus tools.
For Vitória 24/7/365 Crypto Cleanup Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses behavior-based analysis to defend physical and virtual endpoints against modern malware such as ransomware and file-less attacks, which routinely slip past legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to automate the complete threat lifecycle, including filtering, detection, containment, remediation, and forensics. Top capabilities include one-click rollback of affected files using Windows Volume Shadow Copy Service (VSS) snapshots and real-time system-wide immunization against newly discovered attacks. Because many ransomware strains delete shadow copies before they start encrypting, VSS-based rollback is most valuable when the attack is caught early, which is why behavioral detection of shadow-copy tampering matters. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
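As an added example (not part of the original page and not Progent's ProSight code), the block below shows the kind of behavior-based logic such a service runs, covering both the point made earlier about encryption being launched on weekends and holidays and the point above about shadow-copy rollback. It scans constructed process-creation and file-event records for backup tampering commands commonly seen before encryption (vssadmin, wmic, bcdedit, wbadmin), for a burst of renames to a ransomware extension on a single host, and for the ransom note being dropped, and marks whether each hit fell on a weekend or outside business hours. The log format, host and user names, the regular expressions, the 60-second window and the 50-file threshold are assumptions chosen for illustration; the .RYK extension and RyukReadMe note names are those reported for Ryuk and should be extended for other families.

```python
"""Behavioral detection of two ransomware stages over constructed sample events:
backup/recovery tampering that precedes encryption, then the encryption burst."""
import re
from collections import defaultdict
from datetime import datetime

# Command-line indicators of backup/recovery tampering. The utilities are real
# Windows commands commonly abused before encryption; the regexes are assumptions.
PRE_ENCRYPTION_PATTERNS = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_storage_resize": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadow_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
}

# Ryuk appends .RYK and drops RyukReadMe.txt/.html; extend these for other families.
RANSOM_EXTENSIONS = {".ryk"}
RANSOM_NOTE_NAMES = {"ryukreadme.txt", "ryukreadme.html"}


def parse_event(line):
    """Parse one constructed 'key="value" ...' log line into a dict with a datetime ts."""
    event = {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def is_off_hours(ts):
    """Weekend, or outside 07:00-19:00: the window in which encryption is usually launched."""
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19


def detect_backup_tampering(events):
    """Stage 1: match process-creation command lines against the tampering patterns."""
    alerts = []
    for e in events:
        if e.get("type") != "process":
            continue
        for rule, pattern in PRE_ENCRYPTION_PATTERNS.items():
            if pattern.search(e["cmd"]):
                alerts.append({"rule": rule, "host": e["host"], "user": e["user"],
                               "ts": e["ts"], "off_hours": is_off_hours(e["ts"])})
    return alerts


def detect_encryption_burst(events, window_seconds=60, threshold=50):
    """Stage 2: ransom note creation, plus >= threshold renames to a ransom
    extension on one host inside a sliding time window (one alert per host)."""
    alerts = []
    renames = defaultdict(list)
    for e in events:
        if e.get("type") == "file_create":
            if e["path"].rsplit("\\", 1)[-1].lower() in RANSOM_NOTE_NAMES:
                alerts.append({"rule": "ransom_note_dropped", "host": e["host"],
                               "ts": e["ts"], "off_hours": is_off_hours(e["ts"])})
        elif e.get("type") == "file_rename":
            new_path = e["new_path"].lower()
            if "." in new_path and "." + new_path.rsplit(".", 1)[-1] in RANSOM_EXTENSIONS:
                renames[e["host"]].append(e["ts"])
    for host, stamps in renames.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "mass_rename_to_ransom_extension", "host": host,
                               "count": end - start + 1, "ts": stamps[start],
                               "off_hours": is_off_hours(stamps[start])})
                break
    return alerts


def analyze(lines):
    """Parse raw lines and run both detectors; returns the combined alert list."""
    events = [parse_event(line) for line in lines]
    return detect_backup_tampering(events) + detect_encryption_burst(events)


# Constructed sample telemetry: a benign Friday-afternoon vssadmin query, then a
# Saturday 02:14 sequence on file server FS01 (tampering, ransom note, 60 renames
# within 60 s) and three stray renames on workstation WS07 that stay below threshold.
SAMPLE_LINES = [
    'ts="2020-05-22T14:02:11" type="process" host="FS01" user="j.admin" cmd="vssadmin list shadows"',
    'ts="2020-05-23T02:14:07" type="process" host="FS01" user="svc_backup" cmd="cmd.exe /c vssadmin Delete Shadows /All /Quiet"',
    'ts="2020-05-23T02:14:09" type="process" host="FS01" user="svc_backup" cmd="bcdedit /set {default} recoveryenabled No"',
    'ts="2020-05-23T02:14:11" type="process" host="FS01" user="svc_backup" cmd="wbadmin DELETE SYSTEMSTATEBACKUP"',
    'ts="2020-05-23T02:15:00" type="file_create" host="FS01" user="svc_backup" path="D:\\shares\\finance\\RyukReadMe.txt"',
]
SAMPLE_LINES += [
    f'ts="2020-05-23T02:15:{i:02d}" type="file_rename" host="FS01" user="svc_backup" '
    f'old_path="D:\\shares\\finance\\report_{i}.xlsx" new_path="D:\\shares\\finance\\report_{i}.xlsx.RYK"'
    for i in range(60)
]
SAMPLE_LINES += [
    f'ts="2020-05-23T02:16:{i:02d}" type="file_rename" host="WS07" user="m.lee" '
    f'old_path="C:\\Users\\m.lee\\Desktop\\notes{i}.txt" new_path="C:\\Users\\m.lee\\Desktop\\notes{i}.txt.RYK"'
    for i in range(3)
]


def sample_alerts():
    """Run the detectors over the constructed sample and return the alerts."""
    return analyze(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

Run it directly to print the five alerts the sample produces. In a real deployment the lines would come from Sysmon event ID 1 (process creation) and file-audit or EDR telemetry rather than the embedded sample, and the shadow-copy rule in particular should page someone immediately: once the copies are gone, a VSS-based rollback has nothing to roll back to.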
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection services deliver economical multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and respond to cyber attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP deployment that meets your company's specific needs and that allows you to prove compliance with legal and industry data protection standards. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and medium-sized businesses a low-cost, fully managed service for secure backup and disaster recovery (BDR). Available at a low monthly rate, ProSight DPS automates and monitors your backup activities and allows rapid recovery of critical data, applications and VMs that have been lost or corrupted as a result of component failures, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's BDR specialists can deliver world-class support to set up ProSight Data Protection Services to comply with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, when needed, can help you restore your critical information. Find out more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top information security companies to deliver centralized control and comprehensive security for all your email traffic. The layered structure of Email Guard combines cloud-based filtering with a local security gateway device to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device provides a further layer of inspection for incoming email. For outgoing email, the on-premises security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also help Exchange Server monitor and protect internal email traffic that originates and ends within your corporate firewall. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, monitor, enhance and troubleshoot their connectivity appliances such as routers, firewalls, and load balancers as well as servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are kept updated, captures and manages the configuration of almost all devices connected to your network, monitors performance, and sends alerts when issues are detected. By automating time-consuming network management processes, WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, finding appliances that require critical updates, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent’s server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running at peak levels by checking the health of critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your specified IT management staff and your assigned Progent consultant so that any potential issues can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. With the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported easily to a different hosting solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and protect data about your IT infrastructure, processes, business applications, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as half of the time spent searching for vital information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're making improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.