Ransomware : Your Worst IT Catastrophe
Crypto-ransomware has become a modern cyber pandemic that represents an extinction-level danger for organizations poorly prepared for an attack. Multiple generations of ransomware such as CrySIS, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been around for many years and continue to cause damage. Modern variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, as well as daily unnamed strains, not only encrypt critical online data but also infect most available system backups. Files synced to cloud environments can also be ransomed. In a poorly designed data protection solution, this renders automatic restoration useless and basically knocks the network back to square one.
Getting programs and data back online after a ransomware event becomes a race against time as the victim tries its best to contain the damage, remove the ransomware and restore mission-critical operations. Since ransomware takes time to move laterally, assaults are often launched on weekends and at night, when attacks typically take longer to uncover. This multiplies the difficulty of rapidly assembling and orchestrating a knowledgeable mitigation team.
Progent provides a range of services for securing organizations from crypto-ransomware attacks. These include user training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security gateways with AI technology to quickly discover and extinguish zero-day cyber threats. Progent also provides the services of experienced crypto-ransomware recovery consultants with the track record and perseverance to re-deploy a compromised system as soon as possible.
Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom in cryptocurrency does not provide any assurance that the criminal gangs will return the keys to decrypt any or all of your data. Kaspersky estimated that seventeen percent of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. Paying is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), significantly higher than typical ransomware demands, which ZDNET averages to be in the range of $13,000. The alternative is to set up the critical components of your Information Technology environment from scratch. Absent access to complete information backups, this requires a broad range of skills, top-notch team management, and the capability to work non-stop until the task is completed.
For decades, Progent has provided expert Information Technology services for companies in Durham and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded top certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally-recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience in financial management and ERP applications. This breadth of experience gives Progent the skills to understand critical systems, salvage the surviving components of your IT system after a crypto-ransomware attack, and assemble them into a functioning network.
Progent's security team has state-of-the-art project management applications to coordinate the complicated restoration process. Progent knows the importance of working swiftly and in concert with a customer's management and Information Technology resources to prioritize tasks and to get the most important services back online as soon as humanly possible.
Customer Story: A Successful Ransomware Penetration Restoration
A business sought out Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state hackers, possibly adopting algorithms leaked from the United States NSA. Ryuk targets specific businesses with limited ability to sustain operational disruption and is one of the most profitable instances of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer located in the Chicago metro area with about 500 staff members. The Ryuk penetration had disabled all business operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the attack and were damaged. The client considered paying the ransom (more than $200K) and hoping for good luck, but in the end turned to Progent.
"I cannot tell you enough in regards to the expertise Progent provided us throughout the most critical time of (our) business's survival. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent experts provided us. That you were able to get our e-mail and critical servers back online quicker than a week was beyond my wildest dreams. Every single consultant I spoke to or messaged at Progent was hell bent on getting us back online and was working at all hours to bail us out."
Progent worked together with the customer to rapidly get its arms around and assign priority to the key services that had to be addressed to make it possible to resume business functions:
- Active Directory
- MRP System
To begin, Progent adhered to ransomware incident mitigation best practices by halting lateral movement and disinfecting systems. Progent then began bringing Microsoft Active Directory back online, the heart of enterprise environments built upon Microsoft technology. Microsoft Exchange email will not function without Active Directory, and the client's accounting and MRP system used Microsoft SQL Server, which needs Active Directory services for access to the databases.
In less than 2 days, Progent was able to recover Active Directory to its pre-penetration state. Progent then charged ahead with rebuilding and hard drive recovery on essential servers. All Exchange Server schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to find non-encrypted OST files (Microsoft Outlook Offline Folder Files) on user PCs to recover email data. A recent offline backup of the customer's accounting/ERP software made it possible to bring these required services back online for users. Although significant work was left to recover totally from the Ryuk event, core systems were recovered quickly:
"For the most part, the production operation was never shut down and we did not miss any customer shipments."
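The OST salvage step described above, as an added example that is not part of the original case study or Progent's tooling: a triage script that scans a workstation for Outlook OST/PST caches and reports which still carry a valid MS-PST header (worth recovering) versus which look encrypted. The magic string "!BDN" and version values come from the MS-PST file format specification; the entropy threshold is a heuristic and the sample files are constructed.

```python
"""Triage Outlook OST/PST files after a ransomware event (constructed example,
not Progent's tooling): intact MS-PST header vs. ciphertext-looking content."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

PST_MAGIC = b"!BDN"                # MS-PST dwMagic: first 4 bytes of every PST/OST
KNOWN_VERSIONS = {14, 15, 23, 36}  # wVer at offset 10: ANSI, ANSI, Unicode, OST 2013+
ENTROPY_LIMIT = 7.5                # bits per byte (heuristic); ciphertext sits near 8.0
SAMPLE_SIZE = 4096                 # bytes read from the start of each candidate file

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_sample(data: bytes) -> str:
    """'intact' (valid PST header), 'encrypted' (high entropy) or 'unknown'."""
    if (len(data) >= 12 and data[:4] == PST_MAGIC
            and int.from_bytes(data[10:12], "little") in KNOWN_VERSIONS):
        return "intact"
    if shannon_entropy(data) > ENTROPY_LIMIT:
        return "encrypted"
    return "unknown"

def triage_directory(root: Path) -> dict:
    """Verdict per file whose name mentions .ost/.pst; the suffix alone is not
    trusted because ransomware commonly appends its own extension."""
    verdicts = {}
    for path in root.rglob("*"):
        name = path.name.lower()
        if path.is_file() and (".ost" in name or ".pst" in name):
            with path.open("rb") as fh:
                verdicts[path.name] = classify_sample(fh.read(SAMPLE_SIZE))
    return verdicts

def write_constructed_samples() -> Path:
    """Temp folder with constructed files: a valid OST header, a pseudo-random
    stand-in for a renamed encrypted OST, and a zeroed stub."""
    root = Path(tempfile.mkdtemp())
    intact = PST_MAGIC + bytes(6) + (36).to_bytes(2, "little")
    (root / "alice.ost").write_bytes(intact.ljust(SAMPLE_SIZE, b"\0"))
    scrambled = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    (root / "bob.ost.locked").write_bytes(scrambled)
    (root / "carol.pst").write_bytes(bytes(SAMPLE_SIZE))
    return root

if __name__ == "__main__":
    for name, verdict in sorted(triage_directory(write_constructed_samples()).items()):
        print(f"{verdict:9} {name}")
```

Point `triage_directory` at a user profile folder to get the same intact/encrypted/unknown listing for real caches; only the first 4 KiB of each file is read, so the scan is cheap.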
Throughout the next month important milestones in the recovery project were achieved in tight cooperation between Progent team members and the customer:
- Internal web applications were returned to operation with no loss of information.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived messages, was brought up and made accessible to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control modules were 100% restored.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Nearly all of the user desktops and notebooks were back in use by staff.
"A huge amount of what transpired in the initial days is mostly a fog for me, but my management will not soon forget the care each of the team accomplished to give us our business back. I've utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has shined and delivered. This time was the most impressive ever."
A probable company-ending disaster was averted through the efforts of results-oriented experts, a broad spectrum of subject matter expertise, and close collaboration. Forensics showed that the crypto-ransomware incident described here would have been identified and blocked by modern security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well thought out procedures for information protection and software patching. The reality remains, however, that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's team of experts has a proven track record in ransomware defense, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for making it so I could get rested after we got through the initial fire. Everyone did an impressive job, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Durham a variety of online monitoring and security evaluation services to assist you to minimize your vulnerability to ransomware. These services utilize modern AI capability to uncover zero-day strains of ransomware that can evade legacy signature-based security solutions.
For Durham 24x7x365 Ransomware Repair Support Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next generation behavior-based analysis technology to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a unified platform to automate the complete malware attack lifecycle including blocking, identification, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge tools packaged within one agent accessible from a unified control. Progent's security and virtualization experts can help you to plan and configure a ProSight ESP deployment that addresses your organization's specific needs and that allows you achieve and demonstrate compliance with government and industry information protection standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also assist your company to set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and mid-sized businesses a low-cost end-to-end solution for reliable backup and disaster recovery. Available at a low monthly rate, ProSight DPS automates and monitors your backup processes and allows rapid restoration of critical files, applications and virtual machines that have become lost or corrupted as a result of hardware failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's BDR specialists can provide advanced expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can help you to restore your critical information. Read more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top data security companies to provide centralized control and world-class protection for all your email traffic. The hybrid structure of Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your vulnerability to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway device adds a further layer of analysis for incoming email. For outgoing email, the local security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller businesses to map, monitor, reconfigure and troubleshoot their connectivity appliances such as switches, firewalls, and access points plus servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, captures and displays the configuration of virtually all devices on your network, tracks performance, and generates notices when problems are discovered. By automating complex management processes, WAN Watch can cut hours off ordinary chores like making network diagrams, expanding your network, finding appliances that need important updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management technology to help keep your network operating efficiently by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your specified IT management staff and your Progent consultant so any potential issues can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved immediately to a different hardware solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not tied a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard information related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can save as much as half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Read more about ProSight IT Asset Management service.