Ransomware : Your Worst IT Disaster
Crypto-ransomware has become an escalating cyber plague that poses an existential threat to businesses of any size that are unprepared for an attack. Multiple generations of ransomware such as CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock have been in the wild for years and continue to cause harm. More recent families like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with others not yet named, not only encrypt online data files but also seek out and encrypt or delete any backups reachable from the compromised network. Files synchronized to cloud storage are replicated in their encrypted form and are rendered equally useless. With a vulnerable data protection design, this defeats automated restoration and effectively knocks the network back to square one.
Getting programs and data back online after a crypto-ransomware intrusion becomes a race against time as the targeted organization fights to stop lateral movement, eradicate the ransomware, and restore business-critical operations. Because encrypting an entire network takes time, attacks are frequently detonated at night and on weekends, when they take longer to detect. This compounds the difficulty of promptly marshalling and coordinating a capable response team.
Progent offers a range of services for protecting enterprises from ransomware intrusions. Among these are staff education to help employees recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of modern security solutions that use machine learning to automatically identify and contain zero-day threats. Progent also provides the services of veteran ransomware recovery engineers with the skills and perseverance to restore a compromised environment as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, even paying the ransom in Bitcoin does not guarantee that the criminals will respond with the keys to decrypt any or all of your files. Kaspersky found that 17% of ransomware victims never recovered their data after paying, compounding their losses. Paying is also very costly: Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet estimates at around $13,000. The other path is to piece the critical components of your IT environment back together. Without access to complete system backups, this calls for a broad range of skills, professional project management, and the capacity to work around the clock until the recovery is complete.
For two decades, Progent has offered expert IT services for businesses in Garland and throughout the US and has achieved Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in financial systems and ERP application software. This breadth of experience allows Progent to rapidly understand critical systems, reorganize the surviving parts of your IT environment after a ransomware event, and bring them back together into an operational system.
Progent's security group uses best-of-breed project management systems to orchestrate the complex restoration process. Progent understands the urgency of working quickly and in concert with a customer's management and IT staff to prioritize tasks and get key systems back online as soon as humanly possible.
Case Study: A Successful Ransomware Attack Response
A business sought out Progent after their network was attacked by the Ryuk ransomware. Ryuk was at first attributed to North Korean state actors because it shares code with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group that typically delivers it through prior Emotet and TrickBot infections. Ryuk targets organizations with limited tolerance for operational disruption and is among the most lucrative ransomware families. Publicly reported victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with around 500 employees. The Ryuk intrusion had halted all company operations and manufacturing. Most of the client's backups had been reachable from the compromised network at the start of the intrusion and were destroyed. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but ultimately engaged Progent.
"I cannot thank you enough for the care Progent gave us throughout the most fearful period of (our) company's survival. We had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and production applications back sooner than five days was earth shattering. Each consultant I worked with or e-mailed at Progent was amazingly focused on getting us back online and was working 24/7 to bail us out."
Progent worked hand in hand with the customer to quickly understand and prioritize the key services that had to be addressed in order to restart departmental operations:
To begin, Progent followed incident response best practices by isolating affected network segments to stop lateral movement and cleaning infected systems. Progent then started rebuilding Active Directory, the foundation of Microsoft-based enterprise environments: Exchange will not run without Active Directory, and the client's financial and MRP applications ran on Microsoft SQL Server, which used Windows (AD) authentication for database access.
- Windows Active Directory
In less than 48 hours, Progent restored Active Directory to its pre-intrusion state. Progent then proceeded to rebuild the remaining servers and recover their storage. All Microsoft Exchange Server data and attributes were intact, which simplified the rebuild of Exchange. Progent was also able to locate unencrypted Outlook Offline Data Files (.ost) on staff PCs and laptops and used them to recover mailbox data. A recent offline backup of the customer's accounting software made it possible to bring these essential applications back online for users. Although a great deal of work remained to recover fully from the Ryuk event, essential systems were returned to operation rapidly:
"For the most part, the manufacturing operation was never shut down and we produced all customer deliverables."
Throughout the next couple of weeks important milestones in the restoration process were accomplished through close collaboration between Progent engineers and the customer:
- In-house web sites were returned to operation with no loss of data.
- The MailStore Server with over 4 million archived emails was brought online and available for users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory Control modules were 100 percent operational.
- A new Palo Alto Networks PA-850 security appliance was installed.
- Nearly all of the user PCs were operational.
"A huge amount of what went on in the initial days is mostly a blur for me, but we will not soon forget the countless hours all of you put in to give us our business back. I have utilized Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This time was a Herculean accomplishment."
A potentially business-ending disaster was averted through results-oriented experts, a broad array of subject matter expertise, and tight teamwork. In hindsight, the intrusion described here should have been stopped by advanced security tooling, user education, and well-designed procedures for data protection and software patching; the reality, however, is that well-resourced criminal groups and state-sponsored actors in Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by ransomware, remember that Progent's team has extensive experience in ransomware defense, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), thank you for letting me get rested after we made it past the initial fire. All of you did an amazing job, and if anyone that helped is around the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Garland a variety of remote monitoring and security evaluation services designed to help you minimize the threat from crypto-ransomware. These services include next-generation machine learning capabilities to uncover zero-day strains of ransomware that evade traditional signature-based security solutions.
For Garland 24x7x365 Ransomware Removal Help, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next-generation behavior-based analysis to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely escape traditional signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a unified platform to automate the entire threat lifecycle including protection, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Note that ransomware families including Ryuk delete shadow copies (for example with vssadmin delete shadows) before encrypting, so rollback is only as reliable as the protection of those snapshots against tampering. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
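Two of the behaviours described on this page are detectable in ordinary endpoint telemetry: the shadow-copy deletion that precedes encryption, and the off-hours burst of file renames that encryption itself produces. The following is an added example, not Progent's code or part of ProSight ASM. It runs the detection logic over constructed process-creation and file-rename records; the field names (ts, host, user, cmdline, path_old, path_new), the hosts, users and paths, and the .RYK extension in the sample are assumptions for illustration, not output of any real product.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Command lines that destroy or disable local recovery points. Ransomware
# families commonly run these before encrypting so that shadow-copy rollback fails.
PRECURSOR_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time, Monday-Friday (assumed)


def off_hours(ts):
    """True on weekends or outside business hours, when attackers often detonate."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def _ext(path):
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_precursor_commands(proc_events):
    """Process-creation records whose command line matches a recovery-destroying pattern."""
    return [
        {"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
         "cmdline": ev["cmdline"], "off_hours": off_hours(ev["ts"])}
        for ev in proc_events
        if any(p.search(ev["cmdline"]) for p in PRECURSOR_PATTERNS)
    ]


def find_rename_bursts(file_events, threshold=20, window_seconds=60):
    """Alert when one host renames >= threshold files to the same *new* extension
    within a sliding window. Grouping by destination extension keeps ordinary
    bulk renames (mixed targets) from firing while catching the single appended
    extension that crypto-ransomware produces."""
    times_by_key = defaultdict(list)
    for ev in file_events:
        old_ext, new_ext = _ext(ev["path_old"]), _ext(ev["path_new"])
        if new_ext and new_ext != old_ext:
            times_by_key[(ev["host"], new_ext)].append(ev["ts"])

    alerts = []
    for (host, ext), times in times_by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "extension": ext, "count": end - start + 1,
                               "first": times[start], "last": t,
                               "off_hours": off_hours(times[start])})
                break                     # one alert per (host, extension) is enough
    return alerts


def sample_events():
    """Constructed telemetry: a Saturday 02:13 detonation on WS-042 that wipes
    shadow copies and renames 25 files to a .RYK extension, plus benign noise."""
    t0 = datetime(2020, 10, 17, 2, 13, 0)          # a Saturday
    procs = [
        {"ts": t0, "host": "WS-042", "user": "CORP\\svc-backup",
         "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
        {"ts": t0 + timedelta(seconds=1), "host": "WS-042", "user": "CORP\\svc-backup",
         "cmdline": "bcdedit /set {default} recoveryenabled No"},
        {"ts": datetime(2020, 10, 16, 10, 5), "host": "WS-017", "user": "CORP\\jdoe",
         "cmdline": '"C:\\Windows\\System32\\notepad.exe" C:\\Users\\jdoe\\notes.txt'},
    ]
    files = [
        {"ts": t0 + timedelta(seconds=5 + 2 * i), "host": "WS-042",
         "path_old": f"C:\\Share\\Q3\\invoice{i}.xlsx",
         "path_new": f"C:\\Share\\Q3\\invoice{i}.xlsx.RYK"}
        for i in range(25)
    ]
    files += [                                      # a user converting a few drafts
        {"ts": datetime(2020, 10, 16, 14, 0, i), "host": "SRV-FILE01",
         "path_old": f"D:\\Drafts\\report{i}.tmp", "path_new": f"D:\\Drafts\\report{i}.docx"}
        for i in range(5)
    ]
    return procs, files


def analyze(proc_events, file_events):
    return {"precursors": find_precursor_commands(proc_events),
            "bursts": find_rename_bursts(file_events)}


if __name__ == "__main__":
    result = analyze(*sample_events())
    for hit in result["precursors"]:
        print(f"PRECURSOR  {hit['ts']} {hit['host']} {hit['user']}: {hit['cmdline']}")
    for a in result["bursts"]:
        print(f"BURST      {a['first']} {a['host']}: {a['count']} renames to .{a['extension']}"
              f" (off-hours: {a['off_hours']})")
```

On the sample data the precursor check flags the two recovery-destroying commands on WS-042 and the burst check fires once for the .RYK renames, while the five draft conversions on SRV-FILE01 stay below the threshold. In a real deployment the precursor hits are the higher-value signal, because they arrive seconds before encryption starts and are almost never produced by legitimate administration on a workstation.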
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer economical, in-depth security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and react to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated within one agent managed from a single console. Progent's security and virtualization experts can help you design and implement a ProSight ESP environment that addresses your organization's specific needs and helps you demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent's consultants can also help your company install and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly after a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable, fully managed service for reliable backup and disaster recovery. For a low monthly price, ProSight Data Protection Services automates your backup activities and allows rapid restoration of vital data, applications and VMs that have been lost or damaged as a result of hardware failures, software faults, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local storage device, or to both. Because Ryuk-class intrusions deliberately seek out and destroy any backup repository reachable with compromised credentials, as happened in the case study above, at least one copy should be kept where domain credentials cannot delete or overwrite it. Progent's BDR consultants can provide advanced support to configure ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FERPA, and PCI and, whenever necessary, can help you recover your business-critical information. Read more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security vendors to provide centralized management and comprehensive protection for your email traffic. The layered architecture of Progent's Email Guard combines cloud-based filtering with a local gateway appliance to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and blocks most unwanted email before it reaches your security perimeter. This reduces your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further layer of inspection for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server monitor and safeguard internal email that stays inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map out, track, optimize and troubleshoot their networking appliances like routers and switches, firewalls, and load balancers as well as servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are kept updated, captures and displays the configuration information of virtually all devices on your network, monitors performance, and generates notices when problems are detected. By automating time-consuming management activities, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, finding devices that need critical updates, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by tracking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT management personnel and your Progent consultant so that all looming issues can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported immediately to a different hosting solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard information related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT documentation, you can eliminate as much as half of the time wasted looking for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.