Ransomware: Your Feared Information Technology Nightmare
Ransomware has become an all-too-frequent cyberplague that represents an extinction-level threat for organizations unprepared for an attack. Ransomware families such as Dharma, WannaCry, Locky, SamSam and MongoLock have been in the wild for years and continue to cause damage. Newer crypto-ransomware such as Ryuk and Hermes, plus as-yet-unnamed newcomers appearing daily, not only encrypt online business-critical data but also attack every protection mechanism they can reach, such as shadow copies, backup catalogs and online backup volumes. Files synchronized to off-site disaster recovery sites can be rendered useless as well, because the encrypted versions replicate like any other change. In a poorly architected environment this defeats automated restore operations and effectively sets the network back to square one.
Getting applications and data back online after a crypto-ransomware event becomes a race against time as the victim struggles to contain and remove the malware and to resume mission-critical operations. Because ransomware needs time to spread, attackers usually detonate it on weekends, when a successful intrusion takes longer to detect. This multiplies the difficulty of quickly mobilizing and organizing a knowledgeable response team.
Progent provides an assortment of support services for protecting businesses from ransomware attacks. These include staff training to help employees recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of current-generation security products that use behavioral and machine-learning detection to identify and stop zero-day threats. Progent also provides seasoned crypto-ransomware recovery professionals with the track record and commitment to rebuild a breached network as rapidly as possible.
Progent's Ransomware Recovery Services
After a ransomware event, paying the ransom in cryptocurrency does not ensure that the criminals will provide working decryption keys for your data. Kaspersky Lab found that 17% of ransomware victims never recovered their data after paying, compounding their losses. The ransoms themselves are also expensive: Ryuk demands commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the key components of your IT environment. Without complete, uninfected backups, this requires a wide range of skills, well-coordinated project management, and the ability to work around the clock until the recovery is complete.
For twenty years, Progent has provided certified expert IT services to businesses in El Paso and across the U.S. and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold top industry certifications in foundation technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP application software. This breadth of experience lets Progent quickly identify critical systems, triage the surviving parts of your IT environment after a ransomware event, and rebuild them into a working whole.
Progent's recovery team uses current project management tools to coordinate the complex recovery process. Progent understands the urgency of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and get key systems back online as soon as possible.
Case Study: A Successful Crypto-Ransomware Incident Response
A small business engaged Progent after it was hit by the Ryuk ransomware. Early reporting attributed Ryuk to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative crypto-ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer in the Chicago area with around 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were encrypted along with everything else. The client considered paying the ransom (in excess of $200K) and hoping for the best, but ultimately engaged Progent.
"I can't thank you enough in regards to the support Progent provided us throughout the most fearful time of (our) company's existence. We may have had to pay the cyber criminals except for the confidence the Progent team provided us. The fact that you could get our messaging and essential servers back online sooner than 1 week was beyond my wildest dreams. Every single person I worked with or communicated with at Progent was amazingly focused on getting our system up and was working day and night on our behalf."
Progent worked with the customer to quickly identify and prioritize the essential areas that had to be addressed in order to resume company functions:
- Active Directory
- Electronic mail
To start, Progent followed ransomware incident-response best practice by isolating affected systems and removing the active malware. Progent then began restoring Microsoft Active Directory (AD), the core of enterprise networks built on Windows. Microsoft Exchange Server will not function without AD, and the client's financial and MRP applications ran on Microsoft SQL Server, which relied on AD (Windows authentication) to authorize access to the databases.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then reinstalled the needed applications and recovered data from the surviving disks. All of Exchange's Active Directory links and attributes were intact, which greatly simplified the Exchange rebuild. Progent located intact OST files (Outlook offline data files) on various workstations and used them to recover mailbox data. A fairly recent offline backup of the customer's financial/MRP systems made it possible to bring those essential services back online. Although significant work remained to recover fully from the Ryuk event, critical systems were restored rapidly:
"For the most part, the production line operation was never shut down and we produced all customer orders."
Over the following few weeks important milestones in the recovery project were achieved in tight cooperation between Progent engineers and the client:
- Internal web applications were returned to operation without losing any data.
- The MailStore archive server for Microsoft Exchange, holding over 4 million historical messages, was brought back up and made available to users.
- CRM/Orders/Invoicing/Accounts Payable/AR/Inventory capabilities were 100 percent operational.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Nearly all user desktops were back in use by staff.
"So much of what happened those first few days is mostly a fog for me, but my team will not forget the care each and every one of you accomplished to help get our company back. I've entrusted Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered. This situation was the most impressive ever."
A likely business-ending disaster was avoided through top-tier professionals, a broad array of subject matter expertise, and close teamwork. In hindsight, the attack described here would have been prevented by current security tooling and best practices, staff training, sound information-protection procedures and disciplined patch management; even so, state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by crypto-ransomware, you can be confident that Progent's professionals have a proven track record in ransomware prevention, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), thanks very much for making it so I could get some sleep after we got over the first week. All of you did an incredible job, and if anyone that helped is in the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in El Paso a portfolio of online monitoring and security assessment services designed to assist you to minimize the threat from crypto-ransomware. These services include next-generation artificial intelligence technology to uncover new strains of ransomware that are able to escape detection by legacy signature-based security products.
For 24/7/365 El Paso Ransomware Remediation Services, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses next-generation behavioral machine-learning tools to defend physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which easily evade traditional signature-based antivirus products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform that covers the complete attack lifecycle: prevention, detection, containment, remediation, and forensics. Key capabilities include single-click rollback of encrypted files from Windows Volume Shadow Copy Service (VSS) snapshots (which works only while those shadow copies survive, so the agent must block the shadow-copy deletion that most ransomware attempts before it encrypts) and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
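The point made at the top of this page, that ransomware attacks the protection mechanisms themselves before encrypting, and the VSS-rollback caveat above are the same failure mode seen from two sides: rollback from shadow copies only helps if nothing deleted them first. The following is an added example written for this page, not Progent's or any vendor's code, showing the kind of detection a monitoring service must fire on. It scans process-creation events for the shadow-copy and boot-recovery tampering commands that ransomware families including Ryuk have been observed issuing (vssadmin delete shadows, vssadmin resize shadowstorage, wmic shadowcopy delete, bcdedit recoveryenabled no, wbadmin delete catalog, and the WMI equivalent from PowerShell). The log lines are constructed for the example, the one-line pipe-delimited event format is an assumption, and the regular expressions are the author's approximation of the usual command forms, not a vendor signature set.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 / Security 4688
# style), flattened to one line each: "<time>|<host>|<user>|<parent image>|<command line>".
# Only the last field may contain "|" (PowerShell pipelines), so parsing splits at most four times.
SAMPLE_EVENTS = """\
2019-03-02T02:11:04Z|fs01|CORP\\svc-backup|C:\\Windows\\explorer.exe|"C:\\Windows\\System32\\vssadmin.exe" list shadows
2019-03-02T02:13:17Z|fs01|CORP\\admin-jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe Delete Shadows /all /quiet
2019-03-02T02:13:18Z|fs01|CORP\\admin-jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2019-03-02T02:13:19Z|fs01|CORP\\admin-jdoe|C:\\Windows\\System32\\cmd.exe|wmic.exe shadowcopy delete
2019-03-02T02:13:21Z|fs01|CORP\\admin-jdoe|C:\\Windows\\System32\\cmd.exe|bcdedit.exe /set {default} recoveryenabled No
2019-03-02T02:13:22Z|fs01|CORP\\admin-jdoe|C:\\Windows\\System32\\cmd.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2019-03-02T02:13:25Z|fs01|CORP\\admin-jdoe|C:\\Windows\\System32\\cmd.exe|wbadmin.exe delete catalog -quiet
2019-03-02T02:14:00Z|fs01|CORP\\admin-jdoe|C:\\Windows\\System32\\cmd.exe|powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"
2019-03-02T02:15:40Z|ws-17|CORP\\jsmith|C:\\Windows\\explorer.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
"""

# Rule name -> pattern over the command line. Hypothetical rule set written for this example;
# the patterns tolerate an optional ".exe" and any argument ordering between the key words.
# Note that "vssadmin list shadows" (a legitimate backup-agent action) matches nothing.
RULES = [
    ("vssadmin_delete_shadows",        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("vssadmin_resize_shadowstorage",  r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
    ("wmic_shadowcopy_delete",         r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("bcdedit_disable_recovery",       r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("wbadmin_delete_catalog",         r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
    ("powershell_wmi_shadowcopy_delete", r"win32_shadowcopy.*\.delete\(\)"),
]
COMPILED_RULES = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]


@dataclass(frozen=True)
class Finding:
    time: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_event(line: str):
    """Split one pipe-delimited event into its fields; return None for malformed lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    time, host, user, parent, command_line = parts
    return {"time": time, "host": host, "user": user,
            "parent": parent, "command_line": command_line}


def scan_events(text: str):
    """Run every rule over every event's command line and collect one Finding per match."""
    findings = []
    for raw in text.splitlines():
        event = parse_event(raw.strip())
        if event is None:
            continue
        for name, regex in COMPILED_RULES:
            if regex.search(event["command_line"]):
                findings.append(Finding(event["time"], event["host"], event["user"],
                                        name, event["command_line"]))
    return findings


def hosts_with_recovery_tampering(findings, min_distinct_rules: int = 2):
    """Hosts on which several different tampering techniques fired.

    A single vssadmin call can be an admin cleaning up disk space; several distinct
    recovery-destroying commands on one host in quick succession is the ransomware
    pre-encryption pattern and should page someone and isolate the host.
    """
    rules_by_host = {}
    for finding in findings:
        rules_by_host.setdefault(finding.host, set()).add(finding.rule)
    return {host for host, rules in rules_by_host.items() if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.time} {f.host} {f.user} [{f.rule}] {f.command_line}")
    print("hosts to isolate:", sorted(hosts_with_recovery_tampering(results)))
```

Run as written it flags seven events, all on fs01, and returns fs01 as the host to isolate; the backup service account's "vssadmin list shadows" and the user launching Outlook produce nothing. In a real deployment the same logic would consume Sysmon or 4688 events from the SIEM, and the response to a multi-rule hit should be automatic host isolation, since by the time these commands run the encryption routine is usually seconds away.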
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services offer economical, in-depth security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of and response to attacks across all common vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering through technologies incorporated in one agent managed from a single console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP deployment that addresses your organization's requirements and helps you demonstrate compliance with legal and industry information-protection standards. Progent will help you specify and configure the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that require immediate action. Progent can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a destructive attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and medium-sized businesses a low-cost, end-to-end service for secure backup and disaster recovery (BDR). For a low monthly fee, ProSight Data Protection Services automates and monitors your backup processes and allows fast restoration of critical data, applications and virtual machines that have become unavailable or corrupted because of hardware failures, software faults, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can back up, recover and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's BDR consultants can provide the expertise to set up ProSight DPS to meet regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, when needed, can help you restore your business-critical information. Read more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service, built on the infrastructure of leading information security companies, that delivers web-based management and comprehensive protection for your inbound and outbound email. Email Guard's hybrid architecture combines a Cloud Protection Layer with an on-premises security gateway appliance to protect against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as the first line of defense and blocks most threats before they reach your network firewall, reducing your exposure to external attacks and saving network bandwidth and storage. Email Guard's on-premises gateway appliance performs deeper analysis of incoming email. For outbound email, the on-premises security gateway provides antivirus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also work with Microsoft Exchange Server to track and protect internal email traffic that never leaves your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, track, reconfigure and troubleshoot their connectivity appliances such as switches, firewalls, and load balancers as well as servers, client computers and other devices. Using current Remote Monitoring and Management (RMM) technology, WAN Watch keeps infrastructure topology diagrams up to date, captures and manages the configuration of almost every device on your network, monitors performance, and raises alerts when potential issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can cut hours from common chores such as producing network diagrams, expanding your network, locating appliances that need important software patches, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses current remote monitoring and management (RMM) technology to keep your network operating efficiently by checking the state of the critical computers that drive your business. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management staff and your Progent consultant so that potential problems can be addressed before they disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating systems, and the applications. Because the environment is virtualized, it can be moved quickly to an alternate hosting environment without a lengthy and technically risky reinstallation, so you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard information about your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL/TLS certificates or warranties. By keeping your network documentation current and organized, you can save as much as 50% of the time spent looking for vital information about your IT network. ProSight IT Asset Management includes a shared repository for storing and collaborating on all the documents required to manage your network infrastructure, such as standard operating procedures (SOPs) and how-to guides. ProSight IT Asset Management also offers advanced automation for gathering and correlating IT information. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Learn more about the ProSight IT Asset Management service.