Ransomware : Your Worst IT Catastrophe
Ransomware has become an all-too-frequent cyber pandemic that represents an enterprise-level threat for businesses of all sizes unprepared for an assault. Different iterations of ransomware such as CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been circulating for many years and continue to cause destruction. Modern versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as newer strains not yet named, not only encrypt online critical data but also infect many configured system backups. Files synched to cloud environments can also be corrupted. In a vulnerable system, this can make automated restore operations impossible and effectively sets the network back to square one.
Getting programs and information back online after a ransomware attack becomes a race against the clock as the victim fights to stop lateral movement, clean up the ransomware, and restore mission-critical activity. Since ransomware takes time to replicate, attacks are frequently launched on weekends and holidays, when successful attacks are likely to take longer to recognize. This multiplies the difficulty of quickly mobilizing and organizing a knowledgeable response team.
Progent makes available an assortment of services for securing businesses from ransomware attacks. These include team member education to help staff recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of next-generation security appliances with AI technology to automatically identify and disable new cyber threats. Progent can also provide the assistance of expert crypto-ransomware recovery consultants with the track record and perseverance to re-deploy a breached system as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in Bitcoin does not ensure that criminal gangs will respond with the keys needed to decrypt any of your data. Kaspersky Labs ascertained that seventeen percent of ransomware victims never restored their data after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to set up from scratch the vital components of your Information Technology environment. Without access to essential information backups, this requires a broad complement of skill sets, well-coordinated project management, and the willingness to work 24x7 until the recovery project is done.
For two decades, Progent has offered certified expert Information Technology services for businesses in Waltham and throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have been awarded high-level certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent in addition has experience with accounting and ERP application software. This breadth of experience gives Progent the capability to efficiently understand important systems, organize the remaining parts of your network after a crypto-ransomware penetration, and configure them into an operational network.
Progent's recovery group utilizes top notch project management tools to coordinate the complicated recovery process. Progent appreciates the importance of acting swiftly and in unison with a customer's management and IT staff to prioritize tasks and to put critical applications back on line as fast as humanly possible.
Case Study: A Successful Crypto-Ransomware Penetration Restoration
A small business sought out Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government sponsored criminal gangs, possibly using algorithms leaked from the U.S. National Security Agency. Ryuk seeks specific organizations with little room for disruption and is one of the most profitable instances of ransomware malware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer based in the Chicago metro area and has around 500 staff members. The Ryuk attack had disabled all essential operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the start of the intrusion and were destroyed. The client was preparing to pay the ransom demand (more than $200K) and hope for the best, but in the end turned to Progent.
"I can't say enough about the expertise Progent gave us throughout the most stressful period of (our) company's existence. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent group afforded us. That you were able to get our messaging and critical servers back faster than 1 week was incredible. Each expert I got help from or e-mailed at Progent was absolutely committed to getting our system up and was working at all hours on our behalf."
Progent worked together with the customer to rapidly identify and assign priority to the critical areas that had to be restored to make it possible to continue departmental operations:
- Windows Active Directory
- Microsoft Exchange Email
To start, Progent adhered to ransomware incident mitigation best practices by stopping lateral movement and clearing infected systems. Progent then began the steps of restoring Microsoft AD, the foundation of enterprise systems built on Microsoft technology. Microsoft Exchange Server messaging will not work without Active Directory, and the client's accounting and MRP software used Microsoft SQL Server, which relies on Windows AD to authorize access to the data.
In less than two days, Progent was able to re-build Active Directory to its pre-penetration state. Progent then initiated rebuilding and hard drive recovery on mission critical systems. All Exchange Server data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to find intact OST data files (Outlook Off-Line Data Files) on user PCs and laptops in order to recover email data. A fairly recent offline backup of the customer's accounting/ERP software made it possible to restore these essential programs to service for users. Although major work remained to recover fully from the Ryuk damage, critical services were recovered quickly:
"For the most part, the production line operation showed little impact and we produced all customer orders."
Throughout the next month critical milestones in the recovery project were accomplished in tight cooperation between Progent engineers and the customer:
- In-house web applications were brought back up without losing any information.
- The MailStore archive for Exchange Server, holding more than four million archived emails, was restored to operation and made available to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were completely restored.
- A new Palo Alto 850 security appliance was installed and configured.
- Ninety percent of the desktops and laptops were operational.
"Much of what went on in the early hours is nearly entirely a fog for me, but my team will not forget the commitment all of the team put in to give us our company back. I've been working with Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."
A possible company-ending catastrophe was averted by hard-working experts, a wide spectrum of subject matter expertise, and close teamwork. Although post-incident analysis showed that the ransomware incident detailed here could have been blocked with advanced security technology, NIST Cybersecurity Framework best practices, staff training, and well thought out incident response procedures for data backup and software patching, the reality is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of experts has substantial experience in crypto-ransomware defense, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for letting me get some sleep after we made it past the most critical parts. All of you did an incredible job, and if any of your team is around the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer case study, please click: Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Waltham a portfolio of remote monitoring and security assessment services designed to assist you to reduce your vulnerability to ransomware. These services incorporate next-generation AI technology to detect zero-day strains of ransomware that can evade legacy signature-based anti-virus solutions.
For Waltham 24x7x365 Crypto-Ransomware Removal Services, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates next generation behavior analysis tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which easily escape traditional signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to automate the entire malware attack progression including blocking, infiltration detection, containment, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device control, and web filtering through cutting-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can help you to design and implement a ProSight ESP environment that meets your organization's unique requirements and that helps you achieve and demonstrate compliance with legal and industry information security standards. Progent will assist you in defining and implementing policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent can also help your company to install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup operations and enable transparent backup and fast recovery of critical files, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets you avoid data loss resulting from hardware breakdown, natural calamities, fire, malware such as ransomware, user mistakes, malicious insiders, or software glitches. Managed backup services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these managed backup services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to deliver web-based control and comprehensive security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with a local gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your vulnerability to external attacks and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper layer of inspection for inbound email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map, track, optimize and troubleshoot their networking appliances like routers, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are kept updated, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and generates notices when issues are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, locating devices that need important software patches, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your IT system operating at peak levels by tracking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT management staff and your assigned Progent engineering consultant so any looming issues can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the apps. Since the environment is virtualized, it can be moved easily to an alternate hardware solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and protect data related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to half of the time spent looking for vital information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're making improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates next generation behavior analysis tools to defend endpoints, servers and VMs against new malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus tools. Progent ASM services safeguard local and cloud-based resources and offer a unified platform to automate the entire threat progression including filtering, identification, containment, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and recovery services.
- Progent's Outsourced/Shared Service Desk: Support Desk Managed Services
Progent's Call Desk managed services enable your IT group to outsource Call Center services to Progent or divide responsibilities for support services transparently between your internal network support team and Progent's nationwide pool of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a transparent supplement to your core support team. User interaction with the Help Desk, delivery of support, issue escalation, trouble ticket creation and tracking, performance metrics, and management of the support database are cohesive whether incidents are taken care of by your in-house IT support group, by Progent, or both. Read more about Progent's outsourced/shared Help Desk services.
- Patch Management: Patch Management Services
Progent's managed services for patch management provide businesses of all sizes a versatile and affordable solution for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information network. Besides optimizing the protection and functionality of your computer network, Progent's patch management services allow your IT staff to concentrate on line-of-business initiatives and activities that derive maximum business value from your network. Learn more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo MFA services utilize Cisco's Duo cloud technology to protect against stolen passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity verification with Apple iOS, Android, and other out-of-band devices. Using 2FA, when you log into a protected online account and enter your password you are asked to verify who you are on a device that only you have and that is accessed using a separate network channel. A broad range of out-of-band devices can be used as this second form of authentication such as a smartphone or watch, a hardware token, a landline telephone, etc. You can designate several validation devices. To find out more about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication services for access security.