Crypto-Ransomware: Your Feared Information Technology Nightmare
Ransomware has become a modern cyber pandemic that represents an existential danger for organizations unprepared for an attack. Multiple generations of crypto-ransomware like the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and continue to cause harm. Modern ransomware families like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, as well as frequent unnamed viruses, not only encrypt critical online data but also infiltrate any reachable system backups. Information synced to cloud environments can be encrypted as well. In a poorly architected data protection solution, this can make any restoration hopeless and essentially sets the network back to square one.
Retrieving programs and data after a ransomware attack becomes a race against time as the targeted business struggles to stop the spread, clear the crypto-ransomware, and resume mission-critical operations. Because crypto-ransomware takes time to move laterally, attacks are frequently sprung on weekends, when penetrations in many cases take longer to detect. This compounds the difficulty of quickly marshalling and organizing a qualified response team.
Progent offers a variety of services for protecting organizations from crypto-ransomware events. Among these are user education to help staff recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation of security gateways with AI technology to rapidly identify and quarantine zero-day cyber threats. Progent also offers the assistance of expert ransomware recovery consultants with the skills and perseverance to rebuild a compromised network as quickly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency provides no assurance that the distant criminals will hand over the keys to decrypt all your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their files after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNet determined to be around $13,000. The other path is to piece back together the mission-critical parts of your Information Technology environment. Without complete system backups, this requires a broad range of skill sets, professional project management, and the ability to work continuously until the recovery project is finished.
For two decades, Progent has provided certified expert IT services for companies in Dallas and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise enables Progent to efficiently identify the necessary systems, organize the remaining pieces of your Information Technology environment following a crypto-ransomware event, and rebuild them into an operational network.
Progent's security team uses state-of-the-art project management applications to orchestrate the complicated recovery process. Progent appreciates the urgency of working swiftly and together with a customer's management and IT team members to prioritize tasks and to put the most important applications back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Attack Response
A business engaged Progent after its network was penetrated by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored cybercriminals, suspected of using techniques leaked from the U.S. NSA. Ryuk targets specific companies with little ability to sustain operational disruption and is one of the most lucrative examples of crypto-ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in the Chicago metro area with about 500 employees. The Ryuk attack had frozen all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (exceeding $200,000) and hoping for good luck, but in the end made the decision to use Progent.
"I cannot speak enough in regards to the care Progent provided us during the most critical period of (our) company's life. We most likely would have paid the hackers behind this attack if not for the confidence the Progent experts afforded us. The fact that you could get our messaging and production servers back on-line quicker than a week was earth shattering. Every single consultant I got help from or texted at Progent was urgently focused on getting my company operational and was working at breakneck pace on our behalf."
Progent worked hand in hand with the client to quickly determine and prioritize the key areas that had to be recovered in order to continue company operations:
- Windows Active Directory
- Electronic Mail
To start, Progent followed industry best practices for AV/malware incident mitigation by halting the spread and removing active viruses. Progent then began the work of bringing Active Directory back online, since it is the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Windows AD, and the business's accounting and MRP applications used Microsoft SQL Server, which depends on Active Directory services to authorize access to the data.
Within two days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then completed setup and hard drive recovery of mission-critical systems. All Exchange schema and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Folder Files) from user workstations to recover email data. A relatively recent offline backup of the client's financials/MRP software allowed these required applications to be restored and made available to users again. Although major work still had to be done to recover fully from the Ryuk damage, core services were returned to operation quickly:
"For the most part, the production operation was never shut down and we delivered all customer deliverables."
Throughout the next month, important milestones in the recovery project were achieved through close collaboration between Progent consultants and the customer:
- Internal web sites were restored without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding over 4 million archived emails, was spun up and made available to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory capabilities were completely functional.
- A new Palo Alto Networks 850 firewall was installed.
- Nearly all of the user desktops and notebooks were back in use by staff.
"A lot of what occurred during the initial response is mostly a haze for me, but my team will not soon forget the care each of your team put in to give us our business back. I've utilized Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This time was the most impressive ever."
A potential enterprise-killing catastrophe was avoided through the efforts of top-tier professionals, a broad spectrum of knowledge, and tight collaboration. In hindsight, the crypto-ransomware virus incident detailed here could have been identified and prevented with modern security solutions and recognized best practices, user and IT administrator training, and well-designed incident response procedures for data backup and software patching. The reality remains, however, that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and will continue their attacks. If you do fall victim to a ransomware incursion, remember that Progent's team of professionals has proven experience in crypto-ransomware virus defense, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), I'm grateful for letting me get rested after we got through the initial fire. All of you did a fabulous job, and if any of your team is around the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Dallas with a variety of remote monitoring and security assessment services to help reduce your exposure to ransomware. These services utilize modern artificial intelligence technology to uncover new variants of ransomware that can escape detection by traditional signature-based security solutions.
For Dallas 24x7x365 Ransomware Removal Help, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes next-generation behavior analysis technology to guard physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which routinely get past traditional signature-based AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a unified platform to manage the entire threat lifecycle, including filtering, infiltration detection, containment, remediation, and forensics. Key capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection services deliver economical multi-layer security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and respond to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge technologies packaged within one agent managed from a single control. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP deployment that meets your company's specific needs and that allows you to prove compliance with government and industry information security standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent can also help you set up and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly after a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and mid-sized organizations an affordable and fully managed solution for reliable backup and disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates your backup processes and allows rapid restoration of critical data, applications and VMs that have been lost or damaged as a result of component breakdowns, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class expertise to configure ProSight DPS to comply with government and industry regulatory standards like HIPAA, FINRA, and PCI and, whenever needed, can assist you in recovering your critical data. Learn more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security companies to provide web-based control and comprehensive security for your email traffic. The powerful architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway device to offer complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This reduces your exposure to external threats and saves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of analysis for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server monitor and safeguard internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to diagram, monitor, optimize and debug their connectivity hardware like routers, switches, firewalls, and wireless controllers, plus servers, endpoints and other networked devices. Using cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and manages the configuration of almost all devices on your network, monitors performance, and sends notices when potential issues are detected. By automating complex management activities, ProSight WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, finding devices that require critical updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by checking the state of the vital computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT management staff and your assigned Progent consultant so that looming problems can be resolved before they disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With the ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual host set up and maintained by Progent's network support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be moved easily to a different hardware environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, update, find and protect information about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be warned about impending expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save as much as 50% of the time wasted trying to find vital information about your network. ProSight IT Asset Management features a common location for holding and sharing all documents required for managing your network infrastructure, like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.