Crypto-Ransomware : Your Feared Information Technology Nightmare
Ransomware has become a too-frequent cyberplague that represents an existential danger for businesses of all sizes that are poorly prepared for an assault. Different iterations of crypto-ransomware such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for a long time and continue to cause damage. Modern strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, along with frequent unnamed malware, not only encrypt on-line data but also infect many configured system backups. Data replicated to cloud environments can also be rendered useless. In a poorly architected environment, this can render automatic restore operations useless and basically knocks the entire system back to zero.
Bringing applications and data back on-line following a crypto-ransomware attack becomes a sprint against time as the victim struggles to stop lateral movement, eradicate the ransomware, and resume mission-critical activity. Since ransomware needs time to move laterally, attacks are usually launched during weekends and nights, when they often take longer to recognize. This compounds the difficulty of rapidly mobilizing and orchestrating a capable mitigation team.
Progent provides a range of solutions for securing organizations from crypto-ransomware attacks. These include team member training to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security gateways with artificial intelligence capabilities to intelligently identify and suppress zero-day cyber threats. Progent can also provide the assistance of expert ransomware recovery consultants with the track record and commitment to restore a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Recovery Services
Following a crypto-ransomware attack, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will return the keys to decrypt all your files. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in increased losses. Taking that risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET averages to be around $13,000. The other path is to re-install the key elements of your IT environment. Absent access to essential system backups, this requires a wide complement of skills, top notch project management, and the willingness to work continuously until the task is complete.
For two decades, Progent has made available expert IT services for companies in Greensboro and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned top certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience in financial systems and ERP applications. This breadth of experience affords Progent the skills to efficiently ascertain critical systems and organize the surviving components of your network system after a crypto-ransomware attack and assemble them into a functioning system.
Progent's ransomware team uses powerful project management applications to coordinate the complicated recovery process. Progent appreciates the importance of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and to get essential services back online as fast as possible.
Client Story: A Successful Ransomware Incident Restoration
A small business engaged Progent after their network was taken down by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government sponsored hackers, suspected of using approaches leaked from America's NSA. Ryuk targets specific companies with little ability to sustain disruption and is among the most profitable examples of ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk attack had paralyzed all business operations and manufacturing processes. Most of the client's backups had been on-line at the time of the intrusion and were destroyed. The client was evaluating paying the ransom demand (in excess of $200,000) and hoping for the best, but in the end reached out to Progent.
"I cannot say enough in regards to the help Progent provided us during the most critical period of (our) business's existence. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent group provided us. The fact that you could get our e-mail and important applications back on-line quicker than seven days was beyond my wildest dreams. Every single expert I talked with or messaged at Progent was amazingly focused on getting our company operational and was working at breakneck pace on our behalf."
Progent worked hand in hand with the customer to quickly understand and assign priority to the most important systems that needed to be recovered to make it possible to resume business functions:
To get going, Progent adhered to industry best practices for ransomware incident mitigation by stopping lateral movement and removing active malware. Progent then started the work of bringing Active Directory back online, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not work without AD, and the business's financial and MRP applications utilized Microsoft SQL Server, which needs Active Directory services for access to the information.
- Active Directory (AD)
In less than 48 hours, Progent was able to restore Active Directory to its pre-penetration state. Progent then initiated reinstallations and storage recovery of mission critical servers. All Microsoft Exchange Server schema and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to collect intact OST files (Outlook Offline Data Files) on team desktop computers to recover mail messages. A recent offline backup of the business's manufacturing systems allowed these vital applications to be restored to service. Although major work remained to recover completely from the Ryuk event, essential systems were recovered rapidly:
"For the most part, the production operation ran fairly normal throughout and we produced all customer sales."
During the following few weeks critical milestones in the recovery project were completed in tight cooperation between Progent consultants and the customer:
- In-house web sites were brought back up without losing any information.
- The MailStore Microsoft Exchange Server containing more than four million archived messages was brought online and available for users.
- CRM/Orders/Invoices/AP/AR/Inventory capabilities were fully restored.
- A new Palo Alto 850 firewall was deployed.
- Most of the desktops and laptops were back in use by staff.
"Much of what occurred those first few days is nearly entirely a blur for me, but we will not soon forget the care all of the team accomplished to help get our business back. I have utilized Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered as promised. This event was a life saver."
A possible business-killing disaster was averted by hard-working experts, a wide spectrum of technical expertise, and tight teamwork. Although in retrospect the ransomware incident detailed here could have been identified and blocked with current cyber security technology solutions and recognized best practices, user training, and well-thought-out security procedures for information backup and applying software patches, the fact remains that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware penetration, remember that Progent's team of experts has extensive experience in crypto-ransomware blocking, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), I'm grateful for allowing me to get some sleep after we made it over the first week. Everyone did an incredible job, and if any of your guys are around the Chicago area, a great meal is on me!"
To read or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Greensboro a portfolio of online monitoring and security assessment services to help you to reduce your vulnerability to ransomware. These services incorporate modern machine learning capability to detect zero-day variants of ransomware that can get past traditional signature-based security products.
For Greensboro 24/7 Crypto Removal Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which routinely evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to address the complete threat lifecycle including filtering, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint management, and web filtering via cutting-edge tools packaged within a single agent accessible from a single console. Progent's security and virtualization experts can help you to design and implement a ProSight ESP environment that addresses your organization's unique needs and that helps you demonstrate compliance with government and industry information protection standards. Progent will assist you to define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also help you to install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore technology providers to create ProSight Data Protection Services, a family of management offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup processes and allow transparent backup and fast recovery of important files, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss caused by equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, human mistakes, malicious insiders, or application bugs. Managed backup services available in the ProSight DPS product family include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security companies to deliver web-based management and world-class protection for your email traffic. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from making it to your security perimeter. This reduces your vulnerability to inbound threats and saves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper level of inspection for incoming email. For outbound email, the onsite gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to diagram, track, optimize and troubleshoot their networking appliances such as routers, firewalls, and access points plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, captures and displays the configuration information of almost all devices on your network, tracks performance, and generates notices when problems are detected. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off common chores like making network diagrams, expanding your network, locating appliances that need critical updates, or resolving performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your network running at peak levels by tracking the state of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT management staff and your Progent engineering consultant so that all looming issues can be addressed before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported easily to a different hosting solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect information about your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as 50% of time wasted trying to find vital information about your network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting edge behavior-based machine learning tools to defend endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-based AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and offer a unified platform to automate the complete malware attack lifecycle including blocking, detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Learn more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Help Center: Call Center Managed Services
Progent's Support Center managed services enable your IT team to offload Support Desk services to Progent or divide activity for Service Desk support transparently between your internal support group and Progent's extensive roster of IT service engineers and subject matter experts. Progent's Shared Service Desk provides a smooth extension of your corporate network support organization. User access to the Help Desk, provision of support, escalation, ticket generation and tracking, efficiency metrics, and management of the service database are consistent regardless of whether issues are resolved by your core support group, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/co-managed Service Center services.
- Progent's Patch Management: Patch Management Services
Progent's managed services for patch management offer organizations of any size a versatile and cost-effective alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic IT system. Besides optimizing the protection and reliability of your IT environment, Progent's patch management services permit your in-house IT staff to concentrate on line-of-business initiatives and activities that deliver maximum business value from your information network. Learn more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo MFA services utilize Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables one-tap identity confirmation with Apple iOS, Android, and other personal devices. With 2FA, whenever you log into a protected application and give your password you are requested to confirm your identity via a device that only you have and that uses a different ("out-of-band") network channel. A broad range of out-of-band devices can be used as this second means of ID validation, such as an iPhone, an Android phone, a smartwatch, a hardware or software token, or a landline telephone. You can register multiple verification devices. To learn more about Duo identity authentication services, go to Duo MFA two-factor authentication (2FA) services for access security.