Crypto-Ransomware : Your Crippling Information Technology Nightmare
Ransomware has become a modern cyberplague that represents an existential threat for businesses unprepared for an attack. Different iterations of ransomware such as Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been around for years and still cause havoc. The latest variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, plus daily as yet unnamed newcomers, not only encrypt online data files but also infect most configured system backup. Data synchronized to cloud environments can also be encrypted. In a vulnerable system, it can render any restore operations useless and effectively sets the entire system back to zero.
Getting back on-line applications and data after a crypto-ransomware event becomes a sprint against the clock as the victim struggles to stop lateral movement and cleanup the virus and to resume business-critical activity. Since crypto-ransomware needs time to move laterally, assaults are usually sprung on weekends and holidays, when attacks are likely to take more time to notice. This compounds the difficulty of quickly marshalling and coordinating a knowledgeable mitigation team.
Progent provides an assortment of services for protecting organizations from ransomware events. Among these are team education to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of modern security solutions with AI technology to intelligently identify and quarantine new cyber threats. Progent also offers the assistance of veteran ransomware recovery consultants with the talent and perseverance to reconstruct a compromised network as quickly as possible.
Progent's Ransomware Restoration Services
Soon after a ransomware attack, sending the ransom in cryptocurrency does not ensure that merciless criminals will respond with the needed codes to decrypt all your files. Kaspersky Labs ascertained that seventeen percent of ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to piece back together the key parts of your Information Technology environment. Absent access to complete information backups, this calls for a wide range of skills, well-coordinated team management, and the willingness to work continuously until the job is over.
For two decades, Progent has made available certified expert IT services for companies in Stamford and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained top industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience in financial management and ERP applications. This breadth of experience affords Progent the ability to efficiently identify critical systems and organize the surviving parts of your Information Technology system following a ransomware penetration and assemble them into a functioning network.
Progent's security team of experts utilizes best of breed project management systems to coordinate the complicated restoration process. Progent knows the importance of working rapidly and in concert with a client's management and Information Technology resources to prioritize tasks and to put essential services back online as fast as humanly possible.
Client Story: A Successful Ransomware Attack Restoration
A client hired Progent after their company was penetrated by Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean state sponsored hackers, possibly adopting technology exposed from Americaís National Security Agency. Ryuk seeks specific organizations with little tolerance for disruption and is one of the most lucrative iterations of ransomware viruses. Major organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer based in the Chicago metro area and has around 500 employees. The Ryuk attack had shut down all essential operations and manufacturing processes. The majority of the client's data protection had been on-line at the beginning of the attack and were damaged. The client was evaluating paying the ransom demand (exceeding $200,000) and hoping for good luck, but in the end utilized Progent.
"I cannot say enough in regards to the care Progent provided us during the most fearful period of (our) companyís life. We may have had to pay the hackers behind this attack if it wasnít for the confidence the Progent group afforded us. That you could get our messaging and production applications back into operation faster than one week was beyond my wildest dreams. Each person I got help from or e-mailed at Progent was totally committed on getting our system up and was working non-stop to bail us out."
Progent worked hand in hand the client to rapidly get our arms around and prioritize the mission critical areas that had to be recovered in order to continue business functions:
To start, Progent adhered to ransomware event response best practices by halting the spread and performing virus removal steps. Progent then began the task of bringing back online Windows Active Directory, the core of enterprise environments built on Microsoft technology. Microsoft Exchange email will not work without Active Directory, and the businessesí MRP software utilized Microsoft SQL Server, which depends on Windows AD for security authorization to the database.
- Windows Active Directory
- Electronic Mail
Within 2 days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then initiated rebuilding and hard drive recovery on the most important servers. All Exchange Server ties and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to collect non-encrypted OST data files (Microsoft Outlook Offline Folder Files) on user workstations in order to recover mail data. A not too old off-line backup of the customerís accounting software made them able to recover these required programs back online. Although significant work needed to be completed to recover completely from the Ryuk damage, the most important services were restored quickly:
"For the most part, the manufacturing operation never missed a beat and we delivered all customer sales."
Throughout the next few weeks important milestones in the recovery project were accomplished through tight cooperation between Progent consultants and the customer:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore Server with over four million historical emails was brought on-line and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were fully restored.
- A new Palo Alto Networks 850 security appliance was set up.
- Ninety percent of the user workstations were back into operation.
"So much of what occurred in the initial days is nearly entirely a blur for me, but we will not forget the urgency each of your team put in to give us our company back. I have entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered. This event was no exception but maybe more Herculean."
A probable business extinction catastrophe was avoided due to results-oriented experts, a wide range of technical expertise, and tight collaboration. Although in analyzing the event afterwards the crypto-ransomware penetration detailed here would have been disabled with up-to-date cyber security technology and security best practices, staff education, and appropriate incident response procedures for information protection and proper patching controls, the reality remains that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware penetration, remember that Progent's team of experts has proven experience in crypto-ransomware virus blocking, removal, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were helping), thank you for allowing me to get some sleep after we got through the initial push. All of you did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Stamford a portfolio of online monitoring and security assessment services to help you to minimize the threat from crypto-ransomware. These services utilize next-generation machine learning technology to uncover new variants of ransomware that are able to evade legacy signature-based anti-virus solutions.
For 24x7 Stamford CryptoLocker Removal Consultants, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes cutting edge behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily evade legacy signature-matching AV tools. ProSight ASM safeguards local and cloud resources and provides a unified platform to automate the entire malware attack progression including blocking, identification, mitigation, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to security threats from all vectors. ProSight ESP delivers firewall protection, penetration alerts, device management, and web filtering through cutting-edge technologies packaged within one agent accessible from a single console. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP deployment that addresses your company's specific requirements and that helps you demonstrate compliance with government and industry data security standards. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent can also help your company to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with leading backup/restore technology companies to produce ProSight Data Protection Services, a portfolio of offerings that provide backup-as-a-service. ProSight DPS products manage and monitor your backup processes and allow non-disruptive backup and rapid restoration of important files/folders, applications, system images, and virtual machines. ProSight DPS helps your business recover from data loss caused by hardware failures, natural disasters, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned employees, or software bugs. Managed backup services available in the ProSight DPS portfolio include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these fully managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to deliver centralized management and world-class security for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway device to provide advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This decreases your exposure to external attacks and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further layer of inspection for incoming email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also assist Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map, monitor, reconfigure and debug their networking hardware like switches, firewalls, and load balancers plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and displays the configuration information of almost all devices on your network, monitors performance, and generates notices when potential issues are discovered. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common chores like making network diagrams, expanding your network, locating devices that need important software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progentís server and desktop monitoring service that uses advanced remote monitoring and management techniques to help keep your IT system running at peak levels by checking the health of critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT personnel and your assigned Progent consultant so any potential problems can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported easily to an alternate hosting environment without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect information related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned about impending expirations of SSLs ,domains or warranties. By updating and organizing your IT documentation, you can save as much as 50% of time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether youíre planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes next generation behavior-based machine learning technology to defend endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which routinely escape legacy signature-matching AV products. Progent ASM services protect local and cloud-based resources and offers a single platform to automate the entire malware attack lifecycle including blocking, detection, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Help Desk: Call Center Managed Services
Progent's Call Desk services allow your information technology group to outsource Support Desk services to Progent or split activity for Help Desk services seamlessly between your in-house network support team and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a smooth supplement to your corporate IT support resources. End user interaction with the Service Desk, provision of technical assistance, escalation, ticket creation and updates, efficiency metrics, and maintenance of the service database are consistent whether issues are resolved by your corporate support resources, by Progent's team, or both. Find out more about Progent's outsourced/shared Help Center services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management provide organizations of any size a flexible and cost-effective solution for assessing, validating, scheduling, applying, and tracking updates to your ever-evolving information network. In addition to maximizing the protection and reliability of your IT environment, Progent's patch management services permit your IT staff to concentrate on more strategic initiatives and activities that derive the highest business value from your information network. Read more about Progent's software/firmware update management services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication. Duo enables one-tap identity verification on iOS, Android, and other out-of-band devices. Using 2FA, when you log into a secured application and enter your password you are asked to confirm your identity on a unit that only you have and that uses a different ("out-of-band") network channel. A wide selection of out-of-band devices can be utilized for this second means of ID validation including an iPhone or Android or watch, a hardware/software token, a landline telephone, etc. You may designate multiple validation devices. For details about Duo identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.