Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an all-too-frequent cyberplague that poses an extinction-level threat to businesses vulnerable to attack. Crypto-ransomware families such as Reveton, CryptoWall, Locky, NotPetya and the MongoLock cryptoworm have been spreading for years and still cause havoc. The latest variants, such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, along with a steady stream of as-yet-unnamed newcomers, not only encrypt critical online data but also seek out every reachable system restore point and backup. Files synchronized to the cloud can be corrupted as well. In a poorly designed environment this can render every restore operation useless and effectively set the entire system back to square one.
Restoring applications and data after a crypto-ransomware event becomes a race against time as the victim works to stop lateral movement, eradicate the malware and restore mission-critical activity. Because crypto-ransomware needs time to replicate, attacks are usually sprung at night or on weekends, when a successful penetration typically takes longer to discover. This compounds the difficulty of quickly mobilizing and coordinating a capable mitigation team.
Progent makes available an assortment of help services for securing enterprises from ransomware penetrations. Among these are team training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of the latest generation security gateways with machine learning technology to rapidly detect and extinguish new cyber attacks. Progent also can provide the assistance of veteran ransomware recovery consultants with the track record and perseverance to reconstruct a compromised environment as quickly as possible.
Progent's Ransomware Restoration Help
Soon after a ransomware attack, paying the ransom in Bitcoin cryptocurrency does not guarantee that the criminal gang will return the keys needed to decrypt any of your information. Kaspersky estimated that seventeen percent of ransomware victims never restored their files after sending off the ransom, compounding their losses. The ransom itself is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to set up the key elements of your IT environment from scratch. Without full data backups, this requires a broad complement of IT skills, well-coordinated project management, and the ability to work non-stop until the recovery project is over.
For two decades, Progent has made available certified expert IT services for companies in El Paso and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded top certifications in leading technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC (visit Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of experience gives Progent the capability to quickly identify the systems that matter, consolidate the surviving parts of your IT environment after a ransomware event, and configure them into a functioning system.
Progent's security group uses best-of-breed project management applications to orchestrate the complicated restoration process. Progent understands the importance of working swiftly and in concert with a customer's management and Information Technology resources to prioritize tasks and to get critical applications back on line as soon as possible.
Case Study: A Successful Ransomware Virus Recovery
A small business hired Progent after their network was crippled by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state hackers, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little ability to sustain disruption and is one of the most lucrative strains of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with around 500 workers. The Ryuk penetration had disabled all essential operations and manufacturing processes. Most of the client's data backups had been directly accessible from the network at the beginning of the attack and were eventually encrypted. The client was evaluating paying the ransom (exceeding $200K) and hoping for the best, but in the end engaged Progent.
"I cannot say enough about the care Progent gave us throughout the most stressful period of (our) company's life. We had little choice but to pay the cyber criminals except for the confidence the Progent team gave us. That you could get our messaging and important applications back on-line quicker than seven days was something I thought impossible. Every single staff member I interacted with or e-mailed at Progent was laser focused on getting us back on-line and was working 24 by 7 to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the critical elements that had to be addressed in order to continue company operations:
- Microsoft Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident response best practices by halting the spread and cleaning infected systems. Progent then began rebuilding Microsoft Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not function without Active Directory, and the customer's financial and MRP applications used Microsoft SQL Server, which relied on Windows AD for authentication to the databases.
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then helped perform setup and hard drive recovery of critical servers. All Microsoft Exchange Server data and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to collect intact OST files (Outlook Offline Folder Files) from staff desktops and laptops in order to recover mail data. A recent off-line backup of the business's accounting/MRP software made it possible to bring these required services back online for users. Although a large amount of work remained to recover fully from the Ryuk damage, core services were returned to operation quickly:
"For the most part, the production operation was never shut down and we produced all customer deliverables."
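The case study turns on one fact: the backups that were reachable from the network when the attack began were encrypted along with everything else, and recovery of the accounting/MRP system depended on a single recent off-line copy. A practical defender's check before trusting any restore is to confirm that a backup set still matches the manifest recorded when it was known good, and to flag changed files whose contents look like ciphertext. The following Python script is an added example written for this page; it is not Progent's code and is not part of any ProSight product. The file names, directory layout and the simulated attack are all constructed, and the 7.5-bit entropy threshold is an assumed cut-off for "looks encrypted".

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0). Random or encrypted content sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Record SHA-256 and size of every file under root. In practice the manifest
    must be kept off-line, where a later intrusion cannot rewrite it alongside the data."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
        }
    return manifest


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the current backup set against the manifest taken when it was known good.
    Files whose hash no longer matches are 'modified'; a modified file whose content is
    near-random is additionally reported as 'high_entropy', the signature of ciphertext.
    Entropy is only consulted for changed files, because legitimately compressed data
    (archives, images) is also high-entropy and would otherwise raise false alarms."""
    findings = {"ok": [], "modified": [], "high_entropy": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            findings["missing"].append(rel)
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == expected["sha256"]:
            findings["ok"].append(rel)
            continue
        findings["modified"].append(rel)
        if shannon_entropy(data) >= entropy_threshold:
            findings["high_entropy"].append(rel)
    # Files present now but absent from the manifest: typically dropped ransom notes
    # or renamed ciphertext. They must never be carried into a restore.
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in manifest:
            findings["unexpected"].append(rel)
    return findings


def demo() -> dict:
    """Constructed scenario (assumed file names, not real customer data): manifest a
    backup set, alter it the way a crypto-ransomware run would, then verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "config.ini").write_text("[backup]\nschedule=nightly\n")
        (root / "finance" / "ledger.csv").write_text("date,amount\n2020-01-01,100\n" * 50)
        (root / "mrp_orders.db").write_bytes(b"SQLite format 3\x00" + bytes(range(256)) * 8)
        (root / "notes.txt").write_text("reorder point review\n")
        (root / "policy.pdf").write_bytes(b"%PDF-1.4\n" + b"x" * 512)
        manifest = build_manifest(root)

        # Simulated attack: two files overwritten with random bytes (stand-in for
        # ciphertext), one benign staff edit, a ransom note dropped, one file deleted.
        (root / "finance" / "ledger.csv").write_bytes(os.urandom(4096))
        (root / "mrp_orders.db").write_bytes(os.urandom(4096))
        (root / "notes.txt").write_text("reorder point review\nupdated by staff\n")
        (root / "README_TO_DECRYPT.txt").write_text("your files are encrypted\n")
        (root / "policy.pdf").unlink()

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:13s} {files}")
```

Running the script prints one line per category; in the constructed scenario only `config.ini` verifies clean, the two overwritten files are reported as both modified and high-entropy, the staff edit to `notes.txt` is modified but not high-entropy, the deleted policy file is missing, and the ransom note appears as unexpected. The manifest is the control that matters: if it lives on the same share as the backups it will be encrypted with them, which is exactly the failure the case study describes.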
Throughout the following month critical milestones in the restoration project were achieved through tight collaboration between Progent engineers and the client:
- Self-hosted web applications were restored with no loss of data.
- The MailStore Exchange Server containing more than four million historical emails was brought on-line and available for users.
- CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory modules were 100% recovered.
- A new Palo Alto Networks 850 security appliance was set up and programmed.
- Nearly all of the user workstations were functioning as before the incident.
"So much of what was accomplished that first week is mostly a blur for me, but our team will not forget the commitment all of your team put in to give us our business back. I've been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This situation was a life saver."
A possible company-ending catastrophe was averted by hard-working professionals, a wide range of knowledge, and close teamwork. Although in hindsight the crypto-ransomware incident detailed here should have been prevented by current cyber security solutions and best practices, team training, and well thought out incident response procedures for data backup and software patching, the reality is that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware penetration, you can be confident that Progent's roster of professionals has substantial experience in ransomware blocking, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for making it so I could get some sleep after we made it over the initial push. All of you did an impressive effort, and if any of your guys is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer story, click: Progent's Ransomware Virus Recovery Case Study Datasheet (PDF - 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in El Paso a variety of remote monitoring and security assessment services designed to help you to minimize the threat from crypto-ransomware. These services utilize next-generation machine learning capability to detect zero-day variants of ransomware that are able to evade legacy signature-based anti-virus solutions.
For El Paso 24x7 CryptoLocker Recovery Services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates next generation behavior-based machine learning technology to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which routinely escape traditional signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to address the entire threat lifecycle including filtering, identification, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP provides firewall protection, penetration alarms, endpoint control, and web filtering through cutting-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that addresses your company's specific requirements and that helps you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent can also assist your company to install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and medium-sized businesses a low-cost end-to-end solution for secure backup and disaster recovery. For a low monthly price, ProSight DPS automates your backup processes and allows rapid restoration of vital files, apps and virtual machines that have become lost or corrupted as a result of component failures, software glitches, disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware images. Important data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery specialists can deliver advanced support to set up ProSight DPS to be compliant with regulatory standards like HIPAA, FINRA, and PCI and, whenever necessary, can assist you to restore your business-critical information. Find out more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security vendors to provide centralized control and world-class security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter acts as a first line of defense and keeps the vast majority of threats from ever reaching your network firewall. This decreases your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further layer of analysis for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller organizations to map out, track, reconfigure and troubleshoot their networking hardware such as routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, copies and manages the configuration of almost all devices on your network, tracks performance, and generates notices when issues are discovered. By automating complex management and troubleshooting activities, WAN Watch can cut hours off common tasks such as making network diagrams, expanding your network, locating appliances that need important software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your IT system operating at peak levels by checking the health of vital assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT personnel and your Progent engineering consultant so that all looming problems can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hardware environment without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard data related to your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By updating and managing your IT documentation, you can eliminate up to half of the time wasted searching for critical information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about ProSight IT Asset Management service.