Ransomware : Your Crippling Information Technology Catastrophe
Crypto-Ransomware has become a modern cyberplague that presents an enterprise-level danger for organizations poorly prepared for an attack. Multiple generations of ransomware such as CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and still cause havoc. Recent strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, as well as more as yet unnamed malware, not only encrypt online data files but also infect many configured system backups. Data synched to the cloud can also be corrupted. In a poorly architected environment, this can make automatic restore operations impossible and effectively sets the network back to square one.
Getting back online applications and information after a ransomware outage becomes a race against the clock as the victim tries its best to contain the damage and cleanup the crypto-ransomware and to restore mission-critical operations. Due to the fact that ransomware needs time to replicate, penetrations are usually sprung during nights and weekends, when successful penetrations may take longer to uncover. This multiplies the difficulty of rapidly mobilizing and organizing a knowledgeable mitigation team.
Progent has an assortment of solutions for protecting businesses from ransomware events. Among these are team member training to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of modern security appliances with AI technology to rapidly discover and disable new threats. Progent in addition can provide the services of experienced ransomware recovery engineers with the talent and commitment to re-deploy a compromised system as rapidly as possible.
Progent's Crypto-Ransomware Recovery Help
Following a crypto-ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will respond with the keys to decrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their information even after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the average ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to setup from scratch the mission-critical elements of your Information Technology environment. Without the availability of full information backups, this requires a wide complement of skills, professional team management, and the willingness to work 24x7 until the task is done.
For two decades, Progent has made available expert IT services for companies in Dayton and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned top industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial systems and ERP software solutions. This breadth of expertise affords Progent the skills to rapidly understand important systems and organize the remaining parts of your network environment following a ransomware penetration and configure them into an operational network.
Progent's security team of experts has state-of-the-art project management systems to orchestrate the sophisticated recovery process. Progent understands the urgency of acting swiftly and in unison with a client's management and Information Technology resources to assign priority to tasks and to get critical systems back on-line as soon as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Incident Recovery
A business escalated to Progent after their network system was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been launched by Northern Korean government sponsored criminal gangs, possibly adopting algorithms exposed from the United States National Security Agency. Ryuk attacks specific companies with little room for operational disruption and is one of the most lucrative versions of ransomware viruses. Well Known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in Chicago and has around 500 staff members. The Ryuk event had frozen all business operations and manufacturing processes. Most of the client's system backups had been online at the time of the intrusion and were eventually encrypted. The client was taking steps for paying the ransom (exceeding $200K) and praying for good luck, but in the end brought in Progent.
"I canít speak enough about the help Progent provided us throughout the most critical time of (our) companyís life. We would have paid the cyber criminals behind the attack except for the confidence the Progent group provided us. The fact that you were able to get our e-mail system and critical servers back into operation sooner than seven days was earth shattering. Each consultant I interacted with or e-mailed at Progent was absolutely committed on getting us operational and was working non-stop on our behalf."
Progent worked together with the customer to quickly understand and assign priority to the key elements that needed to be restored in order to resume business functions:
To start, Progent followed AV/Malware Processes event response best practices by isolating and cleaning up infected systems. Progent then started the steps of rebuilding Windows Active Directory, the core of enterprise systems built on Microsoft technology. Exchange messaging will not operate without Active Directory, and the customerís financials and MRP software utilized Microsoft SQL, which needs Windows AD for access to the database.
- Windows Active Directory
- Electronic Messaging
In less than 48 hours, Progent was able to re-build Active Directory to its pre-penetration state. Progent then helped perform rebuilding and storage recovery on essential applications. All Exchange data and configuration information were intact, which greatly helped the restore of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Data Files) on team desktop computers in order to recover email data. A recent offline backup of the businesses accounting/ERP systems made it possible to return these essential applications back online. Although major work was left to recover fully from the Ryuk event, the most important systems were recovered rapidly:
"For the most part, the manufacturing operation showed little impact and we did not miss any customer orders."
Over the following couple of weeks key milestones in the restoration project were made through close cooperation between Progent team members and the customer:
- In-house web applications were restored with no loss of information.
- The MailStore Microsoft Exchange Server exceeding 4 million archived emails was brought on-line and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory functions were 100% restored.
- A new Palo Alto 850 firewall was brought online.
- Most of the user PCs were functioning as before the incident.
"A huge amount of what was accomplished in the early hours is nearly entirely a blur for me, but I will not soon forget the commitment all of you put in to give us our business back. Iíve utilized Progent for the past ten years, possibly more, and every time I needed help Progent has shined and delivered. This event was the most impressive ever."
A probable company-ending disaster was evaded by results-oriented professionals, a broad array of technical expertise, and tight collaboration. Although in hindsight the ransomware virus incident described here would have been shut down with current security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, and appropriate incident response procedures for information protection and applying software patches, the fact remains that state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's team of experts has proven experience in ransomware virus defense, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), Iím grateful for allowing me to get some sleep after we made it through the initial fire. Everyone did an fabulous effort, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"
To read or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Dayton a variety of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services include next-generation machine learning capability to detect zero-day variants of ransomware that can get past traditional signature-based security products.
For Dayton 24x7x365 Crypto-Ransomware Removal Consultants, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates next generation behavior-based analysis technology to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely get by legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform to automate the complete threat lifecycle including blocking, detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection managed services deliver economical multi-layer protection for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge technologies packaged within a single agent accessible from a single console. Progent's security and virtualization experts can assist your business to design and implement a ProSight ESP deployment that meets your organization's unique needs and that allows you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also help you to set up and test a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and mid-sized businesses a low cost and fully managed solution for secure backup/disaster recovery (BDR). Available at a low monthly price, ProSight DPS automates and monitors your backup processes and enables fast recovery of vital data, applications and virtual machines that have become lost or corrupted as a result of hardware breakdowns, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local storage device, or to both. Progent's backup and recovery consultants can deliver advanced expertise to configure ProSight DPS to to comply with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to recover your critical data. Find out more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security vendors to provide web-based management and comprehensive security for all your inbound and outbound email. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper layer of analysis for inbound email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to diagram, monitor, enhance and troubleshoot their connectivity hardware like routers and switches, firewalls, and access points plus servers, endpoints and other devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network maps are kept current, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when problems are detected. By automating complex management and troubleshooting processes, WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, finding appliances that require important updates, or isolating performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your network operating at peak levels by tracking the state of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT personnel and your Progent consultant so all potential problems can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the apps. Since the system is virtualized, it can be moved easily to an alternate hosting solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and protect data about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and managing your network documentation, you can eliminate up to 50% of time spent looking for critical information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether youíre planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.