Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware has become an escalating cyber pandemic that presents an existential threat to businesses of all sizes that are poorly prepared for an attack. Ransomware families such as Dharma, CryptoWall, Bad Rabbit and MongoLock, along with Syskey-based lockout scams, have been in the wild for years and continue to inflict harm. More recent strains such as Ryuk (derived from the earlier Hermes code), along with a steady stream of as yet unnamed malware, not only encrypt online data but also encrypt or delete any backups reachable from the compromised network, including Windows Volume Shadow Copies. Files synchronized to cloud storage can be ransomed as well, because the sync client faithfully replicates the encrypted versions. In a poorly designed environment this can make restoration impossible and effectively sets the datacenter back to zero.
Getting applications and data back online after a ransomware intrusion becomes a race against time as the victim fights to stop lateral movement, remove the crypto-ransomware and resume business-critical operations. Because the attackers need time to move laterally before triggering encryption, the destructive phase is usually launched at night or over a weekend, when it is likely to go unnoticed for longer. This compounds the difficulty of quickly mobilizing and coordinating a knowledgeable response team.
Progent offers a range of support services for protecting organizations from ransomware. These include user education to help staff recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security appliances with AI capabilities to rapidly identify and contain zero-day threats. Progent can also provide veteran ransomware recovery engineers with the skills and commitment to rebuild a breached system as quickly as possible.
Progent's Ransomware Recovery Support Services
Following a ransomware event, paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt all your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average ransomware demand, which ZDNet estimates at around $13,000. The fallback is to rebuild the critical components of your IT environment from scratch. Without complete, uncompromised backups, this calls for a wide range of IT skills, professional project management, and the willingness to work non-stop until the job is done.
For two decades, Progent has offered professional IT services for companies in Chatsworth and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP software solutions. This breadth of experience gives Progent the ability to quickly understand the systems involved, consolidate the surviving pieces of your network environment after a ransomware attack, and configure them into an operational system.
Progent's security team uses top-notch project management tools to coordinate the complex restoration process. Progent understands the importance of working rapidly and together with a customer's management and IT staff to prioritize tasks and put essential services back online as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Response
A business contacted Progent after its network was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korea because it shares code with the earlier Hermes ransomware, but subsequent research attributes it to a Russian-speaking criminal group that typically deploys it after an initial Emotet or TrickBot infection; TrickBot's lateral movement module uses the EternalBlue SMB exploit leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little tolerance for disruption and is one of the most profitable ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with around 500 employees. The Ryuk attack had shut down all business operations and manufacturing processes. Most of the client's backups had been reachable from the network at the time of the attack and were encrypted along with the production data. The client was preparing to pay the ransom (over $200K) and hope for the best, but in the end brought in Progent.
"I cannot tell you enough about the expertise Progent gave us during the most critical period of (our) business's existence. We would have paid the cyber criminals behind the attack if not for the confidence the Progent experts provided us. That you were able to get our e-mail and critical servers back into operation in less than a week was amazing. Every single expert I got help from or communicated with at Progent was laser focused on getting us working again and was working all day and night to bail us out."
Progent worked hand in hand with the client to quickly assess and prioritize the key services that had to be restored in order to restart departmental operations:
To start, Progent followed incident response best practices by isolating and cleaning infected systems. Progent then began bringing Active Directory back online, the heart of any enterprise environment built on Microsoft technology: Exchange will not operate without Active Directory, and the client's financial and MRP applications ran on Microsoft SQL Server, which relied on Active Directory for authentication and authorization to the data.
- Active Directory
Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then began rebuilding and recovering storage for essential applications. All Exchange Server schema and configuration information was intact, which greatly simplified the Exchange rebuild. Progent was also able to locate local OST files (Outlook Offline Data Files) on staff desktops and laptops and recover email data from them. A reasonably recent offline backup of the customer's accounting software made it possible to restore those essential applications for users. Although significant work remained to recover fully from the Ryuk event, the most important services were restored quickly:
"For the most part, the production line operation showed little impact and we produced all customer deliverables."
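Recovering mail from the OST files left on workstations, as described above, starts with sorting out which of those files survived and which the ransomware overwrote, before anyone wastes time opening them in Outlook. The script below is an added example for this page, not Progent's tooling. It assumes only the documented MS-PST header layout (the magic bytes "!BDN" at offset 0 and "SM" at offset 8, present in every readable OST or PST), and it classifies each file as intact-header, likely encrypted (header gone, near-8-bit entropy), or header missing; the directory tree, file names and contents it builds are constructed for the demonstration.

```python
"""Triage Outlook OST/PST files found on workstations after a ransomware
event.  Added example for this page, not Progent code.  Relies on the MS-PST
header layout: dwMagic "!BDN" at offset 0 and wMagicClient "SM" at offset 8,
which file-encrypting ransomware overwrites along with the rest of the file.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass

PST_MAGIC = b"!BDN"         # dwMagic 0x4E444221 stored little-endian
PST_CLIENT_MAGIC = b"SM"    # wMagicClient 0x4D53 at offset 8
SAMPLE_BYTES = 4096         # how much of each file is inspected
HIGH_ENTROPY = 7.5          # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_head(head: bytes) -> str:
    """Verdict from the first bytes of a file.  'intact_header' means only that
    the header survived; Outlook or ScanPST remains the final usability check."""
    if len(head) < 10:
        return "too_small"
    if head[:4] == PST_MAGIC and head[8:10] == PST_CLIENT_MAGIC:
        return "intact_header"
    if shannon_entropy(head) >= HIGH_ENTROPY:
        return "likely_encrypted"
    return "header_missing"


@dataclass
class Verdict:
    path: str
    size: int
    status: str


def is_mail_store(name: str) -> bool:
    # Match ".ost"/".pst" anywhere in the name so files the ransomware renamed
    # by appending its own extension are still examined.
    lowered = name.lower()
    return ".ost" in lowered or ".pst" in lowered


def triage_tree(root: str) -> list:
    verdicts = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not is_mail_store(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            verdicts.append(Verdict(path, os.path.getsize(path), classify_head(head)))
    return sorted(verdicts, key=lambda v: v.path)


def constructed_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for encrypted content."""
    out, block = bytearray(), hashlib.sha256(seed).digest()
    while len(out) < n:
        out += block
        block = hashlib.sha256(block).digest()
    return bytes(out[:n])


def write_constructed_samples(root: str) -> None:
    """Constructed files, not real mailboxes: one survivor, two encrypted
    (one with an appended extension), one zero-filled, one unrelated file."""
    samples = {
        "jdoe/Outlook/jdoe.ost": PST_MAGIC + b"\x00" * 4 + PST_CLIENT_MAGIC + b"\x00" * 502,
        "asmith/Outlook/asmith.ost": constructed_ciphertext(SAMPLE_BYTES),
        "asmith/archive.pst.locked": constructed_ciphertext(SAMPLE_BYTES, b"other"),
        "bbrown/Outlook/bbrown.ost": b"\x00" * 2048,
        "bbrown/notes.txt": b"not a mail store\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo() -> dict:
    """Build the constructed tree in a temp dir; return {relative path: status}."""
    with tempfile.TemporaryDirectory() as root:
        write_constructed_samples(root)
        return {
            os.path.relpath(v.path, root).replace(os.sep, "/"): v.status
            for v in triage_tree(root)
        }


if __name__ == "__main__":
    for rel, status in run_demo().items():
        print(f"{status:17} {rel}")
```

Point `triage_tree` at a share where the workstation profiles were copied and work the "intact_header" list first. A file whose header survived can still be damaged further in, so the verdict is a sorting aid, not proof that the mailbox will open.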
Over the following few weeks critical milestones in the restoration process were completed in tight cooperation between Progent engineers and the customer:
- Internal web applications were restored without losing any information.
- The MailStore Server archive, holding more than 4 million emails, was brought online and made available to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were fully restored.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Most of the desktops and laptops were fully operational.
"A huge amount of what occurred in the early hours is nearly entirely a fog for me, but we will not forget the care each and every one of you put in to give us our business back. I have trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered. This time was a life saver."
A potentially business-killing catastrophe was averted by hard-working experts, a broad range of subject matter expertise, and tight collaboration. In hindsight, the ransomware intrusion described here would have been blocked or contained by current security solutions and ISO/IEC 27001 best practices, staff training, backups kept offline where the production network cannot reach them, well-designed incident response procedures, and timely security patching. Nonetheless, state-sponsored and criminal cyber gangs from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware intrusion, be confident that Progent's roster of experts has a proven track record in crypto-ransomware defense, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), thank you for allowing me to get rested after we made it past the initial push. All of you did an amazing job, and if anyone is around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Chatsworth a variety of remote monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services utilize modern AI technology to detect new variants of crypto-ransomware that can get past legacy signature-based security solutions.
For 24x7 Chatsworth Crypto Removal Help, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that uses next-generation behavior-based analysis to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-matching AV tools. ProSight ASM protects on-premises and cloud resources and offers a unified platform covering the complete malware attack progression: blocking, infiltration detection, mitigation, remediation, and forensics. Top features include one-click rollback based on Windows Volume Shadow Copy Service (VSS) snapshots and real-time network-wide immunization against newly discovered attacks. Rollback only helps if the snapshots survive: Ryuk and similar families delete shadow copies (vssadmin delete shadows, wmic shadowcopy delete) before encrypting, so the endpoint agent must block those commands or otherwise protect the snapshots for the feature to be worth anything. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
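The backup destruction mentioned in the introduction and the shadow-copy caveat just above come down to a short, well-documented command sequence that Ryuk runs before encrypting (purging and shrinking shadow copies, disabling Windows recovery, deleting Windows Backup data). The detection below is an added example for this page, not ProSight or Progent code: it runs pattern matching over process-creation events and only escalates a host when several distinct techniques appear, so a lone administrator pruning an old shadow copy does not page anyone. The flattened log format (timestamp, host=, user=, cmd=) is an assumed export of Windows Security event 4688 or Sysmon event 1 with command-line auditing enabled, and every sample line is constructed.

```python
"""Flag Windows process-creation events that match the backup-destruction
commands Ryuk runs before encrypting.  Added example for this page, not
Progent or ProSight code.  The log format (timestamp host= user= cmd=) is an
assumed flattened export of Security event 4688 or Sysmon event 1; the
sample lines are constructed.
"""
import re
from dataclasses import dataclass

# Each pattern is one documented pre-encryption step: purge or shrink shadow
# copies, disable Windows recovery, or delete Windows Backup data.
BACKUP_DESTRUCTION_PATTERNS = {
    "vss_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vss_resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_recovery_off": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures": re.compile(
        r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wbadmin_delete": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.+)$")


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd: str) -> list:
    """Names of every destruction pattern the command line matches."""
    return [name for name, pat in BACKUP_DESTRUCTION_PATTERNS.items() if pat.search(cmd)]


def scan(lines) -> list:
    """One Alert per (event, matched rule); unparsable lines are skipped."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec["cmd"]):
            alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rule, rec["cmd"]))
    return alerts


def hosts_with_backup_destruction(lines, min_rules: int = 2) -> list:
    """Hosts on which at least `min_rules` distinct techniques ran.  One admin
    deleting an old shadow copy is noise; several techniques in a row is the
    pre-encryption sequence and should page someone immediately."""
    rules_by_host = {}
    for a in scan(lines):
        rules_by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


# Constructed sample log: a normal backup job, an admin listing shadows, the
# pre-encryption sequence on a file server, and a lone cleanup on a workstation.
SAMPLE_LOG = [
    "2019-03-02T01:58:40Z host=FS01 user=CORP\\svc_backup cmd=wbadmin start backup"
    " -backupTarget:\\\\nas01\\backups -include:D: -quiet",
    "2019-03-02T02:03:12Z host=WS07 user=CORP\\jdoe cmd=vssadmin list shadows",
    "2019-03-02T02:14:07Z host=FS01 user=CORP\\Administrator cmd=vssadmin Delete Shadows /all /quiet",
    "2019-03-02T02:14:08Z host=FS01 user=CORP\\Administrator cmd=vssadmin resize shadowstorage"
    " /for=c: /on=c: /maxsize=401MB",
    "2019-03-02T02:14:09Z host=FS01 user=CORP\\Administrator cmd=bcdedit /set {default} recoveryenabled No",
    "2019-03-02T02:14:10Z host=FS01 user=CORP\\Administrator cmd=wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0",
    "2019-03-02T09:31:55Z host=WS07 user=CORP\\jdoe cmd=vssadmin delete shadows /for=C: /oldest",
    "malformed line that the parser should ignore",
]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.host:5} {a.rule:24} {a.cmd}")
    print("escalate:", hosts_with_backup_destruction(SAMPLE_LOG))
```

The same patterns apply unchanged to SIEM queries; what the threshold in `hosts_with_backup_destruction` adds is the correlation that turns a noisy single-event rule into a high-confidence alert. Command-line auditing must actually be enabled (Security event 4688 does not record the command line by default) or there is nothing for the rule to match.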
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and machine learning for round-the-clock monitoring of, and response to, cyber attacks from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering via leading-edge technologies packaged within a single agent accessible from a unified console. Progent's security and virtualization experts can help your business plan and configure a ProSight ESP deployment that meets your organization's specific requirements and helps you demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and implement the policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent's consultants can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable and fully managed solution for secure backup and disaster recovery (BDR). Available at a fixed monthly rate, ProSight DPS automates your backup processes and enables fast recovery of vital files, applications and virtual machines that have become unavailable or damaged as a result of hardware failures, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Critical data can be protected in the cloud, on a local device, or both. Progent's backup and recovery specialists can deliver world-class support to set up ProSight Data Protection Services to comply with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you recover your business-critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security vendors to deliver web-based management and comprehensive protection for your email traffic. The layered design of Progent's Email Guard integrates cloud-based filtering with a local security gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your exposure to external attacks and saves bandwidth and storage. Email Guard's on-premises gateway device provides a deeper level of inspection for inbound email. For outgoing email, the on-premises gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server monitor and safeguard internal email traffic that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map, track, optimize and debug their connectivity appliances such as switches, firewalls, and load balancers as well as servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates notices when potential issues are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off common chores such as network mapping, expanding your network, finding appliances that require critical updates, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT personnel and your assigned Progent engineering consultant so any looming issues can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hosting environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard data about your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or warranties. By keeping your IT infrastructure documentation current, you can save as much as 50% of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents required for managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're making enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about ProSight IT Asset Management service.