Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a modern cyber plague and represents an extinction-level threat for businesses of any size that are poorly prepared for an attack. Families such as Reveton, WannaCry, Locky, SamSam and MongoLock have been circulating for years and continue to cause damage (of these, only WannaCry spread as a self-propagating worm; the others arrived through exploit kits, phishing, exposed remote-access services or unsecured databases). Newer families such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Nefilim, along with strains not yet named, not only encrypt critical online data but also deliberately disable or destroy the configured protection mechanisms: deleting Volume Shadow Copies, wiping backup catalogs, and encrypting any backup repository reachable over the network. Data synchronized to cloud storage can be ransomed too, because the encrypted files are simply synced over the clean copies. In a poorly architected data protection design this can make recovery impossible and effectively sets the organization back to zero.
Getting applications and data back online after a ransomware intrusion becomes a race against the clock as the targeted organization struggles to contain the damage, eradicate the ransomware, and restore business-critical operations. Because the operators need time to move laterally and stage the encryption, attacks are often triggered on weekends and at night, when the intrusion is likely to take longer to discover. This multiplies the difficulty of promptly assembling and coordinating a qualified response team.
Progent offers an assortment of services for protecting organizations from ransomware. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern endpoint security solutions with behavioral and machine-learning detection to rapidly identify and stop zero-day threats. Progent also provides experienced ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware attack, even paying the ransom in Bitcoin does not guarantee that the criminal gang will deliver working decryption keys for all your data. Kaspersky Lab estimated that 17% of ransomware victims never recovered their data after paying, compounding their losses. The ransom itself is also expensive: Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the key parts of your IT environment. Without access to complete, uncompromised backups, this calls for a broad set of skills, professional project management, and the willingness to work around the clock until the job is done.
For twenty years, Progent has provided certified expert IT services for companies in Detroit and across the US and has earned Microsoft Partner status with competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts includes professionals with advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP, CRISC, and GIAC (see Progent's certifications). Progent also has experience with accounting and ERP software. This breadth of experience gives Progent the ability to efficiently identify critical systems, assemble the surviving parts of your IT environment after a ransomware event, and rebuild them into a working system.
Progent's ransomware team uses project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and in concert with the customer's management and IT staff to prioritize tasks and bring essential systems back online as fast as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Incident Recovery
A customer engaged Progent after its network was brought down by Ryuk ransomware. Ryuk was initially speculated to be the work of North Korean state-sponsored actors because of code it shares with the older Hermes ransomware, but subsequent research attributes it to a Russian-speaking criminal group (tracked as Wizard Spider / Grim Spider) that typically gains initial access through Emotet and TrickBot infections. Ryuk targets organizations with little or no tolerance for disruption and is among the most profitable ransomware operations. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and Tribune Publishing, parent of the Chicago Tribune. Progent's client is a regional manufacturer in the Chicago metro area with about 500 employees. The Ryuk attack had halted all essential business and manufacturing operations. Most of the client's backups had been directly reachable from the network when the intrusion began and were destroyed. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately engaged Progent.
"I cannot speak enough in regards to the expertise Progent provided us during the most fearful period of (our) business's life. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent experts afforded us. The fact that you could get our e-mail system and key servers back faster than 1 week was something I thought impossible. Every single expert I got help from or texted at Progent was hell bent on getting our system up and was working all day and night to bail us out."
Progent worked with the client to quickly identify and prioritize the critical areas that had to be addressed in order to resume company operations:
- Active Directory (AD)
- Electronic Mail
To begin, Progent followed ransomware incident response best practices by stopping lateral movement and cleaning compromised systems. Progent then began rebuilding Active Directory, the foundation of enterprise systems built on Microsoft Windows Server. Microsoft Exchange messaging will not function without AD, and the business's MRP system ran on Microsoft SQL Server, which depended on Active Directory for authentication and authorization to the data.
Within two days, Progent restored Active Directory to its pre-intrusion state. Progent then assisted with setup and data recovery for the most important applications. All Microsoft Exchange Server data and configuration information were intact, which simplified the Exchange restore. Progent was also able to locate intact OST files (Microsoft Outlook Offline Data Files) on staff desktops and laptops and use them to recover mailbox data. A reasonably recent offline backup of the financials/ERP system made it possible to bring these vital services back online. Although substantial work remained to recover fully from the Ryuk attack, core systems were restored quickly:
"For the most part, the production operation was never shut down and we did not miss any customer deliverables."
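Locating usable OST files across hundreds of endpoints is a triage problem: ransomware renames and overwrites files, and a file that still carries the .ost name may already be ciphertext. The following added example (not code from the case study or from Progent) shows how a responder can classify Outlook data files by checking for the PFF signature that every PST and OST file begins with, falling back to an entropy check for files the malware renamed. The directory tree it scans is constructed in a temporary folder so the script runs offline; the file names, the .RYK suffix on the encrypted sample and the entropy threshold are this example's own choices.

```python
"""Triage Outlook data files (OST/PST) on recovered endpoints.

Added illustrative example, not code from the original case study.  The
profile tree it scans is constructed in a temp folder so the script runs
offline; point triage_mail_stores() at a real path (for example a mounted
user-profile share) to use it on real systems.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Every PST and OST file begins with the PFF signature "!BDN" (dwMagic).
PFF_MAGIC = b"!BDN"
HEADER_SAMPLE = 4096        # bytes examined from the start of each file
ENCRYPTED_ENTROPY = 7.5     # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_mail_store(path: Path) -> str:
    """'intact' if the PFF header is present, 'encrypted' if the header
    region looks like ciphertext, otherwise 'corrupt' (truncated/overwritten)."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_SAMPLE)
    if head[:4] == PFF_MAGIC:
        return "intact"
    if shannon_entropy(head) >= ENCRYPTED_ENTROPY:
        return "encrypted"
    return "corrupt"


def is_mail_store(path: Path) -> bool:
    """Match .ost/.pst files, including ones ransomware renamed (e.g. .ost.RYK)."""
    return any(s.lower() in (".ost", ".pst") for s in path.suffixes)


def triage_mail_stores(root) -> dict:
    """Map each candidate file (path relative to root, POSIX form) to a verdict."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): classify_mail_store(p)
            for p in sorted(root.rglob("*")) if p.is_file() and is_mail_store(p)}


def build_sample_tree() -> str:
    """Create a constructed profile tree: one intact OST, one renamed and
    encrypted OST, one zero-overwritten PST, and one unrelated file."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    files = {
        "alice/outlook.ost": PFF_MAGIC + bytes(range(256)) * 16,  # valid header
        "bob/outlook.ost.RYK": os.urandom(HEADER_SAMPLE),         # ciphertext
        "carol/archive.pst": b"\x00" * HEADER_SAMPLE,              # wiped
        "carol/notes.txt": b"not a mail store",
    }
    for rel, data in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, verdict in triage_mail_stores(build_sample_tree()).items():
        print(f"{verdict:10s} {rel}")
```

An "intact" verdict only tells you which files are worth the effort: an OST is bound to the original mailbox profile, so recovering its contents means exporting it from that profile or converting it to PST with a dedicated tool. Copy candidate files off the endpoint before any reimaging, and hash them so the chain of custody survives the rebuild.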
Throughout the following few weeks, important milestones in the recovery project were reached through tight collaboration between Progent's team and the customer:
- In-house web applications were restored without losing any data.
- The MailStore Server archive containing more than 4 million historical messages was brought back online and made accessible to users.
- The CRM, Orders, Invoicing, Accounts Payable, Accounts Receivable and Inventory modules were fully functional.
- A new Palo Alto Networks PA-850 firewall was brought online.
- 90% of user desktops and notebooks were back in operation.
"A lot of what occurred in the early hours is nearly entirely a blur for me, but I will not soon forget the dedication each and every one of you accomplished to give us our company back. I've entrusted Progent for at least 10 years, possibly more, and each time Progent has come through and delivered. This situation was no exception but maybe more Herculean."
A probable business disaster was averted through results-oriented experts, a broad array of IT skills, and tight teamwork. In hindsight, the intrusion described here would likely have been detected and contained earlier with up-to-date endpoint protection, controls aligned with the NIST Cybersecurity Framework or ISO/IEC 27001, user training, offline or immutable backups that are tested regularly, and systems kept current with security patches. The reality remains, however, that ransomware operators, financially motivated criminal gangs as well as state-sponsored groups, are relentless and are not going away. If you do fall victim to a ransomware incursion, be confident that Progent's roster of experts has proven experience in ransomware blocking, removal, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for allowing me to get rested after we made it through the initial push. All of you did a fabulous job, and if any of your guys is visiting the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Detroit a range of remote monitoring and security assessment services to help you minimize the threat from ransomware. These services include next-generation behavioral and machine-learning detection to uncover zero-day ransomware strains that evade legacy signature-based security tools.
For 24-7 Detroit Ransomware Cleanup Support Services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection platform (EPP) that uses next-generation behavioral analysis to defend physical and virtual endpoints against modern attacks such as ransomware and phishing, which easily evade legacy signature-matching antivirus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to automate the entire malware attack lifecycle, including prevention, detection, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and real-time network-wide immunization against new attacks. Note that VSS-based rollback depends on shadow copies surviving the attack; most current ransomware families delete them before encrypting, so the protection has to stop the attack before that step or detect the deletion attempt itself. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
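Because VSS rollback is only as good as the shadow copies still on disk, the step worth alerting on is the one ransomware runs first: purging those copies and disabling recovery (MITRE ATT&CK T1490, Inhibit System Recovery), typically with vssadmin, wmic, wbadmin and bcdedit. Ryuk's pre-encryption batch file, for example, shrinks shadow storage to force Windows to discard existing snapshots. The following added example (not ProSight ASM code, and not from Progent) runs that detection logic over process-creation telemetry of the kind Sysmon Event ID 1 or Windows Security event 4688 provides. The event records are constructed, the rule names are the example's own, and the allow-listed backup agent path is a hypothetical placeholder.

```python
"""Flag process-creation events that inhibit system recovery (ATT&CK T1490).

Added illustrative example.  The event records below are constructed, not real
telemetry; the rule names are this script's own.  The commands matched are the
ones ransomware families such as Ryuk run before encryption.
"""
import re

# Each rule: (rule name, regex applied to the full command line).
RECOVERY_INHIBIT_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    # Ryuk shrinks shadow storage so Windows purges existing snapshots.
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_backup",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*(?:\.delete\(\)|remove-wmiobject|remove-ciminstance)", re.I)),
]

# Parent processes that legitimately prune shadow copies (backup agents).
# Hypothetical path; tune this allow list for your own environment.
ALLOWED_PARENTS = {r"c:\program files\backupvendor\agent.exe"}


def match_recovery_inhibit(event):
    """Return the names of every rule the event's command line matches."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RECOVERY_INHIBIT_RULES if rx.search(cmd)]


def scan_events(events):
    """Return (event, matched rule names) for events that should alert.
    Events whose parent is an allow-listed backup agent are skipped."""
    hits = []
    for ev in events:
        if ev.get("ParentImage", "").lower() in ALLOWED_PARENTS:
            continue
        rules = match_recovery_inhibit(ev)
        if rules:
            hits.append((ev, rules))
    return hits


# Constructed sample in the shape of Sysmon ID 1 / Security 4688 records.
SAMPLE_EVENTS = [
    {"Host": "WS042", "ParentImage": r"C:\Windows\Temp\launcher.exe",
     "CommandLine": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"Host": "WS042", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"},
    {"Host": "FS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic.exe shadowcopy delete"},
    {"Host": "FS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bcdedit /set {default} recoveryenabled No"},
    {"Host": "DC01", "ParentImage": r"C:\Windows\Temp\launcher.exe",
     "CommandLine": r"powershell -nop -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"},
    {"Host": "DC01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wbadmin delete catalog -quiet"},
    # Benign: an admin listing snapshots.
    {"Host": "ADMIN7", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"vssadmin list shadows"},
    # Benign: an allow-listed backup agent rotating its own snapshots.
    {"Host": "FS01", "ParentImage": r"C:\Program Files\BackupVendor\agent.exe",
     "CommandLine": r"vssadmin delete shadows /for=D: /oldest /quiet"},
]

if __name__ == "__main__":
    for ev, rules in scan_events(SAMPLE_EVENTS):
        print(f"{ev['Host']:7s} {','.join(rules):32s} {ev['CommandLine']}")
```

In production this logic belongs in the SIEM or EDR rule set rather than a script, and the allow list should key on a verified image hash or signer rather than a path alone, since a path is trivially spoofable. The `vssadmin list shadows` case is deliberately not matched: listing is routine administration, while deletion and resize on a workstation that has never run them is a strong indicator of staged encryption.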
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver affordable, in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering through technologies incorporated in a single agent managed from a unified console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP deployment that addresses your organization's needs and helps you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent can also help your company set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and medium-sized organizations an affordable, fully managed solution for reliable backup and disaster recovery. Available at a fixed monthly rate, ProSight DPS automates your backup activities and allows fast restoration of critical files, applications and VMs that have been lost or corrupted as a result of component failures, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on a local storage device, or both. The case study above shows why the off-site copy matters: backups reachable with the same credentials as the production network were destroyed along with the production data, so at least one copy should be unreachable from a compromised domain account. Progent's cloud backup specialists can deliver advanced support to configure ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FINRA, and PCI and, whenever needed, can help you restore your critical data. Read more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security vendors to deliver centralized management and comprehensive security for your inbound and outbound email. The architecture of the Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first barrier and keeps most unwanted email from ever reaching your network firewall. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises security gateway adds a further level of inspection for incoming email. For outbound email, the local gateway provides antivirus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server monitor and protect internal email traffic that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to diagram, monitor, reconfigure and troubleshoot their connectivity appliances such as switches, firewalls, and wireless controllers, as well as servers, client computers and other networked devices. Using Remote Monitoring and Management (RMM) technology, WAN Watch keeps infrastructure topology maps up to date, copies and displays the configuration of almost all devices connected to your network, monitors performance, and generates alerts when problems are discovered. By automating complex management processes, WAN Watch can cut hours off routine chores such as network mapping, reconfiguring your network, locating devices that require critical updates, or isolating performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses remote monitoring and management technology to help keep your IT systems operating efficiently by checking the state of the vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT management staff and your assigned Progent consultant so potential issues can be addressed before they affect your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved quickly to different hardware without a lengthy and technically risky reconfiguration. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, maintain, find and protect information related to your network infrastructure, processes, business applications, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of TLS certificates or domains. By updating and organizing your network documentation, you can eliminate as much as half of the time spent looking for vital information about your network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require when you need it. Find out more about the ProSight IT Asset Management service.