Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyberplague that poses an enterprise-level threat to businesses of all sizes that are unprepared for an assault. Ransomware families such as CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been in the wild for many years and continue to cause destruction. Recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, plus additional unnamed malware, not only encrypt online data but also seek out and destroy any configured system backups they can reach. Information synced to cloud environments can also be rendered useless. In a poorly architected data protection solution, this can make automatic restore operations hopeless and effectively knocks the entire system back to square one.
Getting services and data back online after a ransomware outage becomes a sprint against time as the victim fights to contain and eradicate the ransomware and to restore mission-critical operations. Because crypto-ransomware takes time to spread through a network, attacks are usually launched at night, when a successful attack tends to take longer to discover. This compounds the difficulty of rapidly marshalling and coordinating a capable mitigation team.
Progent offers a range of support services for protecting enterprises from ransomware penetrations. Among these are staff training to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances with machine learning technology to automatically discover and suppress new cyber threats. Progent also offers the services of experienced ransomware recovery professionals with the track record and commitment to reconstruct a breached system as rapidly as possible.
Progent's Ransomware Recovery Help
After a ransomware event, even paying the ransom in cryptocurrency does not guarantee that the cyber criminals will provide the keys needed to decrypt any or all of your files. Kaspersky found that 17% of crypto-ransomware victims never recovered their files after sending off the ransom, resulting in further losses. Paying is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual crypto-ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to rebuild the vital parts of your Information Technology environment. Without full data backups, this calls for a broad complement of skills, professional team management, and the willingness to work non-stop until the task is complete.
For decades, Progent has provided professional IT services for businesses in Uniondale and throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold advanced certifications in leading technologies from Microsoft, Cisco and VMware and in popular distributions of Linux. Progent's security experts have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the ability to efficiently identify critical systems, consolidate the surviving components of your IT system following a crypto-ransomware attack, and assemble them into an operational network.
Progent's ransomware team uses top-notch project management applications to coordinate the complex restoration process. Progent understands the urgency of working quickly and in concert with a client's management and Information Technology resources to prioritize tasks and to put key systems back online as soon as humanly possible.
Customer Story: A Successful Ransomware Attack Recovery
A customer engaged Progent after their organization was attacked by Ryuk ransomware. Ryuk is believed to have been developed by North Korean state hackers, possibly adopting techniques leaked from the U.S. NSA. Ryuk targets specific companies with limited tolerance for disruption and is among the most lucrative examples of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company in the Chicago metro area with about 500 staff members. The Ryuk intrusion had paralyzed all essential business operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were destroyed. The client was preparing to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately reached out to Progent.
"I cannot thank you enough for the care Progent provided us throughout the most critical time of (our) company's life. We may have had to pay the cybercriminals if not for the confidence the Progent team gave us. That you could get our e-mail system and essential servers back on-line quicker than 1 week was beyond my wildest dreams. Every single expert I worked with or communicated with at Progent was urgently focused on getting us working again and was working day and night on our behalf."
Progent worked with the client to quickly identify and prioritize the mission-critical applications that had to be restored in order to restart departmental functions:
To start, Progent followed ransomware incident mitigation best practices by isolating and disinfecting systems. Progent then began the process of bringing Microsoft Active Directory back online, since it is the foundation of enterprise networks built on Microsoft Windows technology. Exchange messaging will not work without Windows AD, and the customer's financial and MRP applications ran on Microsoft SQL Server, which relied on Active Directory for authentication to the database.
- Windows Active Directory
Within two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then pressed ahead with setup and hard drive recovery on essential applications. All Exchange Server ties and attributes were usable, which facilitated the rebuild of Exchange. Progent was able to gather the local OST files (Outlook Off-Line Folder Files) on user workstations and laptops to recover email data. A recent off-line backup of the client's accounting/ERP software made it possible to bring these essential services back to users. Although a lot of work remained to recover fully from the Ryuk attack, the most important services were recovered rapidly:
"For the most part, the production manufacturing operation was never shut down and we made all customer sales."
During the following weeks, important milestones in the recovery process were reached through close collaboration between Progent engineers and the customer:
- Internal web sites were restored without losing any data.
- The MailStore Microsoft Exchange Server containing more than 4 million archived emails was brought online and accessible to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were 100 percent operational.
- A new Palo Alto 850 firewall was installed.
- Most of the desktops and laptops were fully operational.
"A lot of what went on that first week is mostly a haze for me, but my team will not soon forget the dedication each of you accomplished to help get our business back. I have entrusted Progent for at least 10 years, possibly more, and each time Progent has shined and delivered. This event was no exception but maybe more Herculean."
A likely business-ending catastrophe was averted by dedicated professionals, a broad array of subject matter expertise, and tight teamwork. Post-incident analysis showed that the crypto-ransomware penetration described here could have been detected and stopped with modern cyber security systems, recognized best practices, user training, appropriate incident response procedures for information protection, and proper patch management controls. The reality, however, is that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to a crypto-ransomware incursion, remember that Progent's roster of professionals has proven experience in crypto-ransomware defense, mitigation, and file recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get some sleep after we made it past the initial fire. Everyone did an amazing job, and if anyone that helped is in the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Uniondale a portfolio of remote monitoring and security assessment services to help you minimize your exposure to ransomware. These services include next-generation machine learning capability to uncover new variants of crypto-ransomware that are able to evade detection by legacy signature-based security solutions.
For Uniondale 24x7x365 Ransomware Removal Services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses cutting-edge behavior-based machine learning to defend physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily evade legacy signature-matching AV products. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to automate the entire threat lifecycle, including filtering, intrusion detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of, and response to, security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering via cutting-edge tools packaged in a single agent managed from a unified console. Progent's security and virtualization experts can help you design and configure a ProSight ESP deployment that meets your company's unique requirements and helps you demonstrate compliance with legal and industry information security standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that require immediate action. Progent can also help you set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and medium-sized businesses a low-cost, fully managed solution for reliable backup and disaster recovery. For a fixed monthly price, ProSight DPS automates and monitors your backup activities and allows rapid restoration of critical data, apps and VMs that have been lost or damaged as a result of hardware breakdowns, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's cloud backup consultants can provide world-class support to set up ProSight Data Protection Services to comply with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you to recover your critical data. Learn more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security vendors to provide web-based control and comprehensive protection for all your email traffic. The layered structure of the Email Guard managed service combines cloud-based filtering with a local gateway appliance to provide complete protection against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of unwanted email before it reaches your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway device adds a further level of analysis for incoming email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server track and protect internal email that stays within your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, track, optimize and troubleshoot their connectivity appliances like switches, firewalls, and load balancers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are kept updated, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and generates notices when potential issues are discovered. By automating time-consuming network management activities, ProSight WAN Watch can cut hours off common chores like making network diagrams, expanding your network, locating devices that need important updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running efficiently by tracking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your specified IT management personnel and your Progent engineering consultant so all potential issues can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a fast virtual machine host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hardware environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect data related to your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of the time spent looking for vital information about your network. ProSight IT Asset Management includes a common repository for holding and collaborating on all the documents required for managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about ProSight IT Asset Management service.