Crypto-Ransomware : Your Crippling IT Catastrophe
Ransomware has become an escalating cyberplague that poses an existential danger for businesses unprepared for an assault. Multiple generations of ransomware like the Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been circulating for years and still inflict destruction. The latest versions of ransomware like Ryuk and Hermes, along with frequent unnamed viruses, not only encrypt on-line data files but also infiltrate most configured system backup. Information replicated to cloud environments can also be ransomed. In a vulnerable environment, it can make any restoration useless and basically sets the datacenter back to zero.
Getting back on-line applications and information after a ransomware intrusion becomes a race against the clock as the victim tries its best to contain and cleanup the ransomware and to restore mission-critical operations. Because ransomware needs time to spread, penetrations are often sprung on weekends, when attacks may take more time to recognize. This compounds the difficulty of quickly mobilizing and organizing an experienced response team.
Progent provides a variety of help services for protecting businesses from ransomware penetrations. These include staff education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of next-generation security gateways with machine learning technology to intelligently discover and extinguish zero-day cyber attacks. Progent in addition offers the services of seasoned ransomware recovery consultants with the talent and commitment to reconstruct a breached network as soon as possible.
Progent's Ransomware Recovery Services
After a ransomware penetration, sending the ransom demands in cryptocurrency does not guarantee that cyber criminals will provide the needed codes to unencrypt all your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their files after having sent off the ransom, resulting in increased losses. The risk is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the average crypto-ransomware demands, which ZDNET averages to be approximately $13,000. The alternative is to re-install the critical parts of your IT environment. Absent the availability of essential data backups, this calls for a broad range of IT skills, well-coordinated project management, and the willingness to work 24x7 until the job is completed.
For decades, Progent has offered professional IT services for companies in Dallas and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded top industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise affords Progent the ability to knowledgably ascertain necessary systems and consolidate the surviving pieces of your Information Technology system after a crypto-ransomware attack and assemble them into a functioning system.
Progent's recovery group uses best of breed project management applications to coordinate the complicated restoration process. Progent knows the importance of acting quickly and in unison with a customerís management and IT resources to assign priority to tasks and to get critical applications back on-line as soon as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer escalated to Progent after their network system was crashed by the Ryuk ransomware. Ryuk is believed to have been created by Northern Korean state sponsored hackers, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk attacks specific companies with little tolerance for operational disruption and is among the most lucrative incarnations of crypto-ransomware. Well Known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in the Chicago metro area with about 500 staff members. The Ryuk attack had shut down all essential operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible at the time of the attack and were damaged. The client was actively seeking loans for paying the ransom (exceeding $200,000) and hoping for good luck, but ultimately engaged Progent.
"I canít thank you enough about the support Progent gave us during the most critical period of (our) businesses life. We had little choice but to pay the criminal gangs if not for the confidence the Progent group provided us. The fact that you were able to get our messaging and production servers back on-line in less than seven days was earth shattering. Each consultant I interacted with or communicated with at Progent was urgently focused on getting us working again and was working all day and night to bail us out."
Progent worked together with the customer to rapidly assess and assign priority to the mission critical areas that had to be addressed to make it possible to continue departmental functions:
To start, Progent adhered to Anti-virus penetration mitigation industry best practices by halting the spread and performing virus removal steps. Progent then initiated the process of bringing back online Windows Active Directory, the key technology of enterprise systems built on Microsoft Windows Server technology. Exchange email will not operate without AD, and the client's accounting and MRP applications used Microsoft SQL, which depends on Windows AD for authentication to the data.
- Active Directory
- Electronic Mail
In less than two days, Progent was able to re-build Active Directory services to its pre-attack state. Progent then helped perform rebuilding and hard drive recovery of the most important systems. All Exchange schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to assemble intact OST data files (Outlook Offline Folder Files) on various desktop computers and laptops to recover mail information. A not too old off-line backup of the customerís manufacturing software made them able to restore these essential applications back online for users. Although a large amount of work still had to be done to recover completely from the Ryuk damage, critical systems were restored quickly:
"For the most part, the production operation did not miss a beat and we produced all customer shipments."
Over the following couple of weeks important milestones in the restoration project were completed through tight cooperation between Progent team members and the customer:
- Self-hosted web applications were brought back up with no loss of information.
- The MailStore Microsoft Exchange Server containing more than 4 million archived emails was spun up and accessible to users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory functions were fully operational.
- A new Palo Alto 850 security appliance was installed.
- 90% of the user desktops and notebooks were back into operation.
"A lot of what occurred that first week is mostly a blur for me, but I will not soon forget the dedication all of your team put in to give us our business back. Iíve utilized Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered as promised. This time was a life saver."
A possible company-ending catastrophe was averted due to top-tier experts, a wide spectrum of IT skills, and tight collaboration. Although upon completion of forensics the crypto-ransomware attack detailed here could have been identified and blocked with up-to-date security solutions and NIST Cybersecurity Framework best practices, staff education, and properly executed incident response procedures for information backup and keeping systems up to date with security patches, the fact is that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incursion, remember that Progent's team of experts has extensive experience in ransomware virus defense, removal, and information systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), Iím grateful for letting me get some sleep after we made it past the initial fire. Everyone did an fabulous effort, and if anyone is visiting the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Dallas a variety of online monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services utilize next-generation artificial intelligence technology to detect zero-day variants of crypto-ransomware that can evade legacy signature-based security solutions.
For Dallas 24/7/365 Crypto Repair Consulting, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior machine learning tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely get by traditional signature-matching AV products. ProSight ASM protects local and cloud resources and provides a single platform to manage the entire malware attack progression including protection, infiltration detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint management, and web filtering via leading-edge technologies packaged within a single agent managed from a unified control. Progent's data protection and virtualization experts can help your business to design and configure a ProSight ESP deployment that addresses your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry data security regulations. Progent will assist you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent attention. Progent can also assist you to set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable end-to-end service for reliable backup/disaster recovery. Available at a low monthly rate, ProSight DPS automates your backup activities and allows rapid recovery of vital files, applications and VMs that have become unavailable or corrupted as a result of component breakdowns, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-promises device, or to both. Progent's backup and recovery specialists can provide advanced expertise to set up ProSight DPS to to comply with government and industry regulatory requirements like HIPAA, FIRPA, and PCI and, when needed, can assist you to recover your business-critical information. Find out more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security companies to provide web-based management and world-class security for all your email traffic. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to provide complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and keeps most unwanted email from making it to your security perimeter. This reduces your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of inspection for incoming email. For outbound email, the on-premises gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map, monitor, enhance and debug their networking hardware like routers, firewalls, and access points plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are always current, captures and displays the configuration of almost all devices connected to your network, monitors performance, and sends notices when potential issues are discovered. By automating tedious management processes, WAN Watch can knock hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding devices that require critical software patches, or resolving performance issues. Learn more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT personnel and your assigned Progent consultant so any looming problems can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hardware environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard information about your network infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates ,domains or warranties. By cleaning up and managing your IT documentation, you can eliminate up to 50% of time thrown away searching for vital information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents related to managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether youíre making improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.