Ransomware : Your Feared IT Disaster
Ransomware has become an escalating cyberplague that poses an extinction-level danger for businesses vulnerable to an attack. Different iterations of crypto-ransomware such as CryptoLocker, Fusob, Locky, NotPetya and MongoLock cryptoworms have been around for years and still cause havoc. Modern variants of ransomware like Ryuk and Hermes, along with more unnamed malware, not only do encryption of online data files but also infect any available system backup. Data replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, it can render automated restoration impossible and basically knocks the network back to zero.
Retrieving programs and data after a ransomware event becomes a race against time as the targeted organization tries its best to contain and clear the ransomware and to restore mission-critical activity. Because ransomware requires time to replicate, assaults are often launched during nights and weekends, when successful penetrations may take more time to identify. This compounds the difficulty of quickly marshalling and orchestrating a knowledgeable response team.
Progent makes available an assortment of support services for protecting businesses from ransomware attacks. These include staff education to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security solutions with machine learning technology to intelligently discover and extinguish new threats. Progent also can provide the services of experienced ransomware recovery consultants with the talent and commitment to reconstruct a compromised network as urgently as possible.
Progent's Ransomware Recovery Support Services
Following a ransomware event, sending the ransom in Bitcoin cryptocurrency does not guarantee that distant criminals will return the needed codes to unencrypt any or all of your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their files even after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly above the average ransomware demands, which ZDNET estimates to be approximately $13,000. The fallback is to re-install the critical components of your Information Technology environment. Absent access to complete information backups, this calls for a broad range of skills, top notch project management, and the ability to work non-stop until the recovery project is over.
For twenty years, Progent has offered expert Information Technology services for companies in Baton Rouge and throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned advanced certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the skills to quickly understand important systems and consolidate the surviving components of your Information Technology system after a ransomware penetration and configure them into an operational system.
Progent's security team utilizes top notch project management systems to orchestrate the complicated restoration process. Progent understands the importance of acting swiftly and together with a client's management and Information Technology staff to prioritize tasks and to put the most important services back on-line as fast as humanly possible.
Case Study: A Successful Crypto-Ransomware Incident Recovery
A client contacted Progent after their network was penetrated by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state sponsored criminal gangs, suspected of adopting approaches exposed from the United States National Security Agency. Ryuk targets specific organizations with limited room for operational disruption and is one of the most lucrative examples of ransomware. Headline targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer based in Chicago and has around 500 staff members. The Ryuk intrusion had disabled all business operations and manufacturing processes. The majority of the client's information backups had been online at the time of the intrusion and were damaged. The client considered paying the ransom (exceeding two hundred thousand dollars) and praying for the best, but in the end called Progent.
"I canít speak enough in regards to the care Progent gave us throughout the most critical period of (our) companyís existence. We may have had to pay the Hackers if not for the confidence the Progent group provided us. The fact that you could get our messaging and important applications back sooner than 1 week was earth shattering. Every single consultant I interacted with or texted at Progent was urgently focused on getting us back on-line and was working day and night on our behalf."
Progent worked together with the client to quickly identify and assign priority to the critical applications that needed to be addressed in order to continue company functions:
To begin, Progent adhered to Anti-virus penetration mitigation industry best practices by halting the spread and disinfecting systems. Progent then initiated the work of recovering Microsoft AD, the core of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Windows AD, and the client's accounting and MRP software leveraged SQL Server, which requires Windows AD for access to the database.
- Active Directory
- Microsoft Exchange
Within 2 days, Progent was able to restore Active Directory to its pre-attack state. Progent then helped perform setup and hard drive recovery on mission critical applications. All Microsoft Exchange Server schema and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to find non-encrypted OST data files (Microsoft Outlook Offline Data Files) on team desktop computers in order to recover mail information. A recent offline backup of the client's financials/MRP systems made them able to return these required applications back available to users. Although major work remained to recover totally from the Ryuk virus, the most important services were restored rapidly:
"For the most part, the manufacturing operation showed little impact and we delivered all customer deliverables."
Over the following couple of weeks critical milestones in the restoration process were accomplished in close cooperation between Progent consultants and the client:
- In-house web sites were returned to operation without losing any information.
- The MailStore Exchange Server exceeding 4 million archived emails was restored to operations and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory capabilities were fully functional.
- A new Palo Alto 850 firewall was set up and programmed.
- Most of the user desktops and notebooks were functioning as before the incident.
"A lot of what was accomplished in the early hours is mostly a haze for me, but our team will not forget the care each of you accomplished to give us our business back. Iíve entrusted Progent for at least 10 years, maybe more, and each time Progent has come through and delivered as promised. This situation was the most impressive ever."
A potential enterprise-killing disaster was averted by results-oriented professionals, a wide range of technical expertise, and close collaboration. Although in analyzing the event afterwards the ransomware virus penetration described here would have been blocked with current security solutions and NIST Cybersecurity Framework best practices, user and IT administrator training, and appropriate security procedures for backup and proper patching controls, the fact remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware virus, feel confident that Progent's roster of professionals has substantial experience in crypto-ransomware virus blocking, removal, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), thanks very much for letting me get some sleep after we made it through the most critical parts. All of you did an incredible job, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Baton Rouge a variety of remote monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services utilize modern AI technology to uncover zero-day variants of ransomware that are able to evade legacy signature-based anti-virus solutions.
For 24-Hour Baton Rouge Crypto Removal Help, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior machine learning technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which easily escape legacy signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a single platform to address the complete malware attack lifecycle including blocking, detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device control, and web filtering through cutting-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that addresses your company's unique requirements and that helps you prove compliance with government and industry data protection regulations. Progent will assist you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent can also assist you to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed service for reliable backup/disaster recovery. For a low monthly rate, ProSight Data Protection Services automates and monitors your backup activities and allows fast restoration of vital data, apps and virtual machines that have become lost or corrupted as a result of hardware breakdowns, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-promises device, or mirrored to both. Progent's BDR specialists can deliver world-class expertise to configure ProSight DPS to to comply with government and industry regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your critical data. Find out more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to deliver centralized management and world-class protection for all your inbound and outbound email. The powerful architecture of Email Guard integrates cloud-based filtering with an on-premises gateway appliance to offer advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter acts as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This reduces your exposure to inbound threats and conserves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a further level of inspection for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to track and protect internal email traffic that stays inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to diagram, track, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept updated, captures and manages the configuration of almost all devices on your network, monitors performance, and generates notices when issues are discovered. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, finding appliances that need critical software patches, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running efficiently by checking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT personnel and your Progent engineering consultant so all potential problems can be resolved before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported easily to an alternate hardware environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect information about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can eliminate up to half of time spent looking for vital information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether youíre planning enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Find out more about ProSight IT Asset Management service.