Crypto-Ransomware : Your Crippling Information Technology Disaster
Ransomware has become an all-too-frequent cyberplague and an existential threat for businesses unprepared for an attack. Older families such as CrySIS, CryptoWall, Bad Rabbit and MongoLock, along with Syskey-based extortion, have been running rampant for years and continue to cause destruction. Recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, as well as the new and as yet unnamed variants that appear daily, not only encrypt online critical data but also encrypt or delete any backups and recovery mechanisms they can reach. Data replicated to the cloud can be corrupted as well, because replication faithfully copies the encrypted files. In a poorly designed environment this renders automatic restoration useless and effectively sets the datacenter back to square one.
Restoring services and data after a ransomware event becomes a sprint against the clock as the targeted organization struggles to contain and remove the ransomware and to resume business-critical operations. Because encryption needs time to spread across a network, attackers usually detonate ransomware at night or over a weekend, when a successful attack takes longer to notice. This multiplies the difficulty of rapidly assembling and coordinating a capable response team.
Progent offers a variety of services for protecting businesses from ransomware attacks. These include user education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote endpoint monitoring and management, and deployment of next-generation security solutions with AI capabilities to automatically detect and quarantine new threats. Progent also offers the assistance of veteran ransomware recovery engineers with the track record and commitment to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the remote criminals will supply working keys to decrypt any of your data. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet puts at approximately $13,000. The alternative is to rebuild the mission-critical components of your IT environment. Without full, uncompromised backups, this requires a wide range of IT skills, first-rate project management, and the willingness to work non-stop until the job is done.
For decades, Progent has offered expert IT services to businesses in Baton Rouge and across the United States and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold high-level certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity consultants hold internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP applications. This breadth of expertise allows Progent to quickly identify critical systems, consolidate the surviving components of your network after a ransomware event, and rebuild them into a functioning environment.
Progent's security team uses powerful project management tools to orchestrate the complex recovery process. Progent understands the urgency of working swiftly and in unison with a customer's management and IT staff to prioritize tasks and to get essential applications back online as soon as humanly possible.
Business Case Study: A Successful Ransomware Penetration Recovery
A client sought out Progent after their network was taken over by Ryuk ransomware. Ryuk, built on the code of the earlier Hermes ransomware, was initially attributed to North Korean state-sponsored actors; later research attributed its operations to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in the Chicago metro area with around 500 staff members. The Ryuk intrusion had shut down all company operations and manufacturing. Most of the client's backups were directly reachable from the network at the time of the attack and were eventually encrypted along with the production data. The client was arranging financing to pay the ransom (over $200K) and hoping for the best, but instead engaged Progent.
"I can't speak enough about the care Progent provided us throughout the most stressful time of (our) business's life. We may have had to pay the hackers behind this attack except for the confidence the Progent team afforded us. The fact that you were able to get our e-mail system and production applications back online sooner than 1 week was incredible. Each staff member I interacted with or messaged at Progent was laser focused on getting us restored and was working all day and night to bail us out."
Progent worked hand in hand with the customer to rapidly identify and prioritize the most important systems that had to be recovered before departmental operations could restart:
- Microsoft Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed incident response best practices for ransomware by containing the attack to stop lateral movement and then eradicating the malware. Progent then started rebuilding Microsoft Active Directory, the foundation of any enterprise network built on Microsoft technology. Exchange cannot function without AD, and the customer's financials and MRP system run on Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the databases.
Within 48 hours, Progent had restored Active Directory to its pre-intrusion state. Progent then moved on to rebuilding servers and recovering disks for the essential applications. All Microsoft Exchange Server data and attributes were intact, which simplified the Exchange restore. Progent was also able to recover mail messages from local OST files (Outlook Offline Folder Files) on staff desktops and laptops. A recent offline backup of the customer's accounting software made it possible to bring these essential applications back to users. Although a great deal of work remained to recover fully from the Ryuk damage, core systems were restored quickly:
"For the most part, the production operation ran fairly normal throughout and we produced all customer deliverables."
During the following couple of weeks, important milestones in the restoration were completed through tight collaboration between Progent team members and the client:
- Self-hosted web applications were restored without losing any information.
- The MailStore email archive server holding more than 4 million historical Exchange messages was brought online and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory Control functions were 100 percent restored.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Nearly all of the user desktops and notebooks were functioning as before the incident.
"A huge amount of what occurred in the early hours is nearly entirely a blur for me, but I will not soon forget the care each of the team accomplished to give us our business back. I've been working together with Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This time was a testament to your capabilities."
A potentially business-ending catastrophe was averted thanks to top-tier experts, a wide array of IT skills, and tight teamwork. In retrospect, the ransomware attack described here should have been prevented by up-to-date security technology and best practices, staff training, and well thought out procedures for offline data backup and for keeping systems current with security patches. The reality, however, is that criminal and state-sponsored attackers from Russia, China, North Korea and elsewhere are tireless and remain an ongoing threat. If you are hit by ransomware, you can be confident that Progent's roster of professionals has proven experience in ransomware prevention, mitigation, and disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for letting me get rested after we made it through the initial fire. All of you did a fabulous job, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Baton Rouge a variety of remote monitoring and security assessment services designed to help you minimize the threat from ransomware. These services incorporate modern machine learning technology to uncover new strains of ransomware that escape detection by legacy signature-based security products.
For Baton Rouge 24/7/365 Crypto-Ransomware Recovery Help, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses next-generation behavior analysis to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely get past legacy signature-matching antivirus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a single platform for managing the complete malware attack lifecycle: protection, intrusion detection, mitigation, cleanup, and forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. One caveat applies to any VSS-based rollback: many ransomware families, Ryuk among them, delete shadow copies and disable Windows recovery before they start encrypting, so rollback only works if the endpoint agent detects and blocks that step or protects the shadow copies itself. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
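As an added example that is not part of Progent's services or code, the following Python script shows the kind of behavior-based check that catches the precursor just described: it scans Windows process-creation log lines for shadow-copy deletion and recovery-inhibition commands and rates each host by how many distinct techniques it ran. The pipe-separated record layout (timestamp, host, user, parent process, command line) and the sample log lines are constructed for this example, not exported from a real system; adapt the parser to your own Security 4688 or Sysmon event 1 export.

```python
"""Flag shadow-copy deletion and recovery-inhibition commands in process logs.

Added example, not Progent's code. The pipe-separated record layout and the
sample log lines below are constructed for illustration; map parse_record()
to your real Security 4688 / Sysmon event 1 export before relying on it.
"""
import re
from dataclasses import dataclass

# Command patterns that ransomware (Ryuk among them) runs before encrypting so
# that Volume Shadow Copy rollback and Windows recovery cannot undo the damage.
INHIBIT_RECOVERY_PATTERNS = {
    "vss_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vss_resize": re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadow": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "ps_shadow": re.compile(r"Win32_ShadowCopy.*?(\.Delete\(\)|Remove-WmiObject)", re.I),
    "bcdedit_recovery": re.compile(
        r"\bbcdedit(\.exe)?\s.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "wbadmin_delete": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
}


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str


def parse_record(line):
    """Split 'timestamp|host|user|parent|commandline' (constructed format).

    maxsplit=4 keeps the command line whole even when it contains '|'
    (PowerShell pipelines do), which a naive split() would truncate.
    """
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmd = parts
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def detect(lines):
    """Return one Alert per log line whose command matches a rule."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for rule, pattern in INHIBIT_RECOVERY_PATTERNS.items():
            if pattern.search(rec["cmd"]):
                alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rule, rec["cmd"]))
                break  # first matching rule is enough for one command
    return alerts


def severity_by_host(alerts):
    """Two or more distinct techniques on one host almost certainly means the
    host is being prepared for encryption; a single hit may be admin work."""
    rules = {}
    for a in alerts:
        rules.setdefault(a.host, set()).add(a.rule)
    return {host: ("critical" if len(r) >= 2 else "high") for host, r in rules.items()}


# Constructed sample: an early-morning burst on a file server (FS01), a
# PowerShell variant on a workstation (WS042), and benign activity on DC01.
SAMPLE_LOG = [
    "2024-03-02T02:14:07Z|FS01|CORP\\svc_backup|cmd.exe|vssadmin.exe Delete Shadows /all /quiet",
    "2024-03-02T02:14:08Z|FS01|CORP\\svc_backup|cmd.exe|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "2024-03-02T02:14:09Z|FS01|CORP\\svc_backup|cmd.exe|bcdedit /set {default} recoveryenabled No",
    "2024-03-02T02:14:10Z|FS01|CORP\\svc_backup|cmd.exe|wbadmin DELETE SYSTEMSTATEBACKUP",
    "2024-03-02T02:15:33Z|WS042|CORP\\jdoe|explorer.exe|\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"",
    "2024-03-02T02:16:01Z|WS042|CORP\\jdoe|powershell.exe|powershell -nop -w hidden Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }",
    "2024-03-02T02:16:40Z|DC01|CORP\\admin|cmd.exe|vssadmin list shadows",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.command}")
    print(severity_by_host(found))
```

Against the constructed sample the file server triggers four distinct rules within a few seconds and is rated critical, the workstation's PowerShell variant is rated high, and the domain controller's `vssadmin list shadows` produces nothing. In production the alert should isolate the host rather than just page someone, because by the time these commands run the encryption routine is usually seconds away.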
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) services offer economical multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of and response to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools incorporated within one agent accessible from a unified console. Progent's data protection and virtualization consultants can help you design and configure a ProSight ESP deployment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with government and industry data security standards. Progent will help you specify and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for immediate action. Progent's consultants can also help you install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent provide small and medium-sized businesses a low-cost, fully managed service for reliable backup and disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates your backup activities and allows fast recovery of vital files, applications and VMs that have been lost or damaged by component failures, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can back up, recover and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's BDR consultants can deliver advanced support to configure ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can help you recover your critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security vendors to provide web-based management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks most unwanted email from reaching your network firewall. This reduces your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises gateway device provides a deeper level of analysis for inbound email. For outbound email, the onsite gateway provides AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to map out, track, enhance and debug their connectivity appliances like routers, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are always updated, captures and displays the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when potential issues are detected. By automating tedious network management processes, WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, finding devices that need important updates, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to help keep your IT system operating at peak levels by checking the state of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT management personnel and your Progent engineering consultant so that all looming problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual host configured and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved easily to a different hardware solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect information related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSL/TLS certificates or domain registrations. By cleaning up and managing your network documentation, you can eliminate as much as 50% of the time wasted looking for critical information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're making improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.