Crypto-Ransomware: Your Crippling Information Technology Disaster
Ransomware has become an escalating cyber pandemic that poses an extinction-level danger for businesses poorly prepared for an assault. Different iterations of crypto-ransomware such as CrySIS, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been running rampant for many years and still cause destruction. More recent strains of ransomware like Ryuk and Hermes, along with frequent as yet unnamed newcomers, not only encrypt online data files but also infiltrate most accessible system backups. Files replicated to off-site disaster recovery sites can also be rendered useless. With a vulnerable data protection solution, this renders automatic restoration useless and effectively sets the entire system back to square one.
Restoring programs and data following a crypto-ransomware event becomes a sprint against time as the targeted business tries its best to contain the damage, clean up the ransomware, and resume mission-critical activity. Because ransomware requires time to move laterally, penetrations are often launched during nights and weekends, when they may take longer to notice. This multiplies the difficulty of rapidly assembling and orchestrating a capable response team.
Progent makes available an assortment of support services for protecting organizations from ransomware penetrations. These include team training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security solutions with AI technology to rapidly detect and disable zero-day cyber threats. Progent also provides the services of seasoned crypto-ransomware recovery engineers with the talent and perseverance to reconstruct a compromised system as rapidly as possible.
Progent's Crypto-Ransomware Restoration Help
Soon after a crypto-ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the cyber hackers will provide the keys to decrypt any or all of your information. Kaspersky determined that seventeen percent of ransomware victims never restored their information even after having paid the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET estimates to be in the range of $13,000. The fallback is to piece back together the mission-critical components of your Information Technology environment. Absent access to complete information backups, this calls for a wide complement of IT skills, well-coordinated project management, and the ability to work 24x7 until the job is complete.
For twenty years, Progent has provided expert IT services for companies in Eugene and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience in financial management and ERP applications. This breadth of expertise enables Progent to rapidly identify critical systems, organize the surviving components of your Information Technology environment after a crypto-ransomware attack, and configure them into a functioning network.
Progent's security group utilizes best-of-breed project management tools to orchestrate the complex recovery process. Progent knows the urgency of working quickly and together with a customer's management and Information Technology staff to assign priority to tasks and to get critical services back on-line as soon as possible.
Client Story: A Successful Ransomware Penetration Recovery
A customer contacted Progent after their company was brought down by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored cybercriminals, suspected of using approaches leaked from the U.S. National Security Agency. Ryuk attacks specific companies with little or no tolerance for disruption and is one of the most profitable iterations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer located in the Chicago metro area with about 500 workers. The Ryuk penetration had brought down all essential operations and manufacturing processes. The majority of the client's backups had been on-line at the beginning of the intrusion and were damaged. The client considered paying the ransom (exceeding $200K) and praying for good luck, but ultimately made the decision to use Progent.
"I can't speak enough in regards to the care Progent provided us during the most stressful time of (our) company's existence. We would have paid the criminal gangs if not for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and production servers back on-line sooner than a week was beyond my wildest dreams. Each expert I spoke to or texted at Progent was amazingly focused on getting us working again and was working breakneck pace to bail us out."
Progent worked together with the customer to quickly assess and assign priority to the critical elements that had to be restored to make it possible to restart business functions:
- Microsoft Active Directory
- Exchange Server
- MRP System
To begin, Progent followed anti-virus incident response industry best practices by stopping the spread and clearing infected systems. Progent then began the task of bringing Microsoft Active Directory back online, the key technology of enterprise systems built on Microsoft Windows. Microsoft Exchange Server messaging will not work without Active Directory, and the customer's MRP applications utilized Microsoft SQL Server, which relies on Active Directory for authenticating access to the data.
In less than 48 hours, Progent was able to rebuild Active Directory to its pre-virus state. Progent then accomplished reinstallations and hard drive recovery of key applications. All Exchange Server data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to find non-encrypted OST files (Microsoft Outlook Offline Folder Files) on various desktop computers to recover mail data. A fairly recent off-line backup of the client's financials/MRP software made it possible to bring these essential services back online. Although significant work still had to be done to recover completely from the Ryuk event, essential services were recovered rapidly:
"For the most part, the assembly line operation showed little impact and we made all customer orders."
Throughout the following month, key milestones in the restoration process were achieved in close cooperation between Progent team members and the client:
- Internal web applications were brought back up with no loss of information.
- The MailStore server for Microsoft Exchange, containing more than four million archived emails, was brought on-line and made available to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory modules were fully functional.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Ninety percent of the user desktops and notebooks were back in operation.
"A huge amount of what went on in the early hours is mostly a haze for me, but we will not forget the commitment each and every one of you put in to give us our company back. I have been working together with Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered as promised. This time was a Herculean accomplishment."
A likely company-ending catastrophe was averted by top-tier experts, a wide array of IT skills, and close teamwork. Although a post-mortem shows that the crypto-ransomware penetration detailed here would have been identified and prevented by modern security technology solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well-designed incident response procedures with proper backup and patching controls, the fact is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware virus, remember that Progent's team of experts has extensive experience in ransomware virus defense, removal, and file recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for allowing me to get some sleep after we made it past the most critical parts. All of you did a fabulous effort, and if anyone that helped is in the Chicago area, a great meal is my treat!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Eugene a range of online monitoring and security evaluation services designed to help you minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence technology to detect new strains of ransomware that can evade legacy signature-based security solutions.
For 24/7/365 Eugene Ransomware Repair Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting-edge behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to manage the complete threat progression including protection, detection, containment, remediation, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, device control, and web filtering through cutting-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can assist your business to design and configure a ProSight ESP deployment that meets your company's unique needs and that helps you demonstrate compliance with government and industry information security standards. Progent will help you specify and implement the policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent's consultants can also help you to install and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and mid-sized businesses an affordable end-to-end service for secure backup/disaster recovery (BDR). For a low monthly price, ProSight DPS automates and monitors your backup activities and enables fast restoration of critical files, apps and virtual machines that have become lost or damaged due to hardware failures, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's cloud backup specialists can deliver advanced expertise to configure ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you to recover your critical information. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top data security companies to deliver web-based control and world-class protection for your email traffic. The hybrid structure of Progent's Email Guard combines cloud-based filtering with a local security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a preliminary barrier and blocks the vast majority of unwanted email before it reaches your network firewall. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a deeper layer of analysis for inbound email. For outbound email, the onsite gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map out, monitor, reconfigure and debug their networking hardware like routers, switches, firewalls, and wireless controllers, plus servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept up to date, captures and manages the configuration information of virtually all devices on your network, monitors performance, and generates notices when issues are discovered. By automating tedious network management activities, WAN Watch can knock hours off common chores such as network mapping, expanding your network, locating appliances that require critical updates, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by tracking the state of the critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT management personnel and your assigned Progent engineering consultant so that potential problems can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Because the environment is virtualized, it can be ported immediately to a different hardware solution without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect information related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By updating and managing your network documentation, you can save as much as half of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Learn more about ProSight IT Asset Management service.