Ransomware: Your Crippling IT Catastrophe
Ransomware has become a modern cyber pandemic that poses an extinction-level danger for organizations vulnerable to an attack. Earlier iterations of ransomware such as the CrySIS, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been replicating for a long time and continue to cause destruction. Recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, along with more as yet unnamed variants, not only encrypt online files but also infiltrate every system backup they can reach. Information synchronized to off-site disaster recovery sites can also be encrypted. In a poorly designed environment, this can render any restoration useless and effectively sets the entire system back to zero.
Restoring services and data following a ransomware intrusion becomes a sprint against time as the targeted organization tries its best to stop the spread, remove the ransomware, and restore mission-critical operations. Because crypto-ransomware takes time to move laterally, attacks are often sprung during nights and weekends, when successful intrusions tend to take longer to uncover. This multiplies the difficulty of quickly marshalling and organizing an experienced response team.
Progent provides an assortment of services for securing businesses from ransomware attacks. These include user education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security gateways with AI capabilities to automatically identify and disable new threats. Progent also provides the services of veteran crypto-ransomware recovery engineers with the track record and commitment to restore a compromised network as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom in Bitcoin does not ensure that the remote criminals will respond with the keys to decrypt all your data. Kaspersky determined that 17% of crypto-ransomware victims never restored their information after having paid the ransom, resulting in additional losses. The ransom itself is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The fallback is to re-install the essential parts of your Information Technology environment. Without access to essential data backups, this requires a wide range of skill sets, professional project management, and the willingness to work continuously until the task is over.
For twenty years, Progent has provided certified expert Information Technology services for companies in Chatsworth and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the ability to efficiently identify the systems that must be rebuilt, consolidate the surviving parts of your network environment after a ransomware penetration, and assemble them into an operational network.
Progent's security team uses powerful project management applications to coordinate the complicated restoration process. Progent appreciates the urgency of acting quickly and working together with a client's management and IT staff to prioritize tasks and to put critical applications back online as soon as possible.
Customer Story: A Successful Crypto-Ransomware Incident Recovery
A customer contacted Progent after their organization was taken over by the Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean state-sponsored criminal gangs, possibly using algorithms leaked from the United States NSA. Ryuk targets specific companies with little ability to sustain operational disruption and is one of the most profitable iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had disabled all company operations and manufacturing capabilities. The majority of the client's information backups had been online at the beginning of the intrusion and were eventually encrypted. The client was taking steps to pay the ransom (exceeding $200,000) and hoping for the best, but ultimately reached out to Progent.
"I can't tell you enough about the expertise Progent provided us during the most stressful time of (our) company's survival. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent team provided us. That you were able to get our messaging and essential applications back online in less than one week was incredible. Each person I worked with or e-mailed at Progent was amazingly focused on getting us working again and was working breakneck pace to bail us out."
Progent worked together with the client to rapidly assess and assign priority to the mission critical systems that needed to be restored to make it possible to continue company operations:
To start, Progent adhered to ransomware incident mitigation industry best practices by isolating and cleaning infected systems. Progent then started the steps of recovering Microsoft Active Directory (AD), the core of enterprise systems built on Microsoft Windows Server technology. Exchange email will not function without Active Directory, and the business's MRP applications relied on Microsoft SQL Server, which in turn requires Windows AD to authenticate access to the data.
- Active Directory
Within two days, Progent was able to recover Active Directory services to their pre-penetration state. Progent then helped perform reinstallations and storage recovery on essential applications. All Microsoft Exchange Server schema and attributes were usable, which facilitated the restore of Exchange. Progent was also able to collect intact OST files (Outlook Offline Data Files) from staff PCs and laptops in order to recover mail messages. A recent offline backup of the customer's accounting/ERP software made it possible to bring these required programs back online. Although a lot of work remained to recover totally from the Ryuk damage, the most important services were restored quickly:
"For the most part, the production operation showed little impact and we did not miss any customer deliverables."
Over the next couple of weeks critical milestones in the restoration process were accomplished through close cooperation between Progent engineers and the customer:
- In-house web sites were returned to operation with no loss of information.
- The MailStore Exchange Server containing more than 4 million archived messages was restored to operations and accessible to users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory Control modules were 100% recovered.
- A new Palo Alto 850 firewall was set up.
- Nearly all of the desktops and laptops were being used by staff.
"A huge amount of what went on during the initial response is mostly a haze for me, but my team will not forget the urgency each and every one of your team put in to help get our business back. I have entrusted Progent for the past 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This time was no exception but maybe more Herculean."
A possible enterprise-killing disaster was averted through the efforts of top-tier professionals, a broad spectrum of subject matter expertise, and close collaboration. In hindsight, the ransomware attack detailed here should have been prevented with current cyber security technology, security best practices, user training, well designed procedures for information protection, and keeping systems up to date with security patches. The reality, however, is that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of experts has a proven track record in crypto-ransomware blocking, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for letting me get rested after we made it past the most critical parts. All of you did a fabulous effort, and if anyone is around the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Chatsworth a variety of online monitoring and security assessment services designed to assist you to reduce your vulnerability to crypto-ransomware. These services utilize modern AI capability to uncover zero-day variants of ransomware that are able to evade legacy signature-based anti-virus solutions.
For 24-Hour Chatsworth Crypto-Ransomware Cleanup Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that utilizes next generation behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely get by legacy signature-matching anti-virus tools. ProSight ASM protects local and cloud-based resources and offers a single platform to address the entire malware attack lifecycle including filtering, identification, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through cutting-edge tools packaged within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help you to design and configure a ProSight ESP environment that meets your organization's specific needs and that helps you achieve and demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for immediate action. Progent's consultants can also help you to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized organizations a low cost and fully managed service for reliable backup/disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and enables fast restoration of critical files, apps and VMs that have become unavailable or damaged as a result of hardware failures, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on an on-premises device, or both. Progent's cloud backup consultants can deliver world-class expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you to recover your critical data. Read more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security companies to deliver web-based control and world-class security for your email traffic. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps most threats from reaching your network firewall. This decreases your exposure to external attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper level of analysis for inbound email. For outgoing email, the onsite gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and protect internal email that stays within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, reconfigure and debug their networking appliances such as routers and switches, firewalls, and load balancers plus servers, client computers and other devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network maps are kept updated, copies and manages the configuration of almost all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating tedious management processes, WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, locating appliances that require important updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by tracking the state of vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT staff and your assigned Progent engineering consultant so that all looming issues can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported immediately to a different hardware solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard information related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can eliminate as much as 50% of time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.