Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware has become a too-frequent cyber pandemic that poses an existential threat for businesses of all sizes that are unprepared for an assault. Crypto-ransomware families such as CryptoLocker, Fusob, Locky, SamSam and the MongoLock cryptoworms have been replicating for a long time and still cause havoc. The latest variants, such as Ryuk and Hermes, along with many unnamed strains, not only encrypt online files but also target most configured system protections, including backups. Data synchronized to cloud environments can be corrupted as well. If the data protection solution is reachable from the compromised network, this can render any restore operation useless and effectively knocks the datacenter back to zero.
Recovering programs and information following a crypto-ransomware outage becomes a race against time as the targeted organization fights to contain the damage and remove the ransomware and to restore business-critical activity. Because ransomware needs time to replicate, attacks are frequently sprung during nights and weekends, when penetrations are likely to take longer to identify. This multiplies the difficulty of promptly mobilizing and organizing a knowledgeable mitigation team.
Progent offers a range of support services for protecting businesses from crypto-ransomware attacks. Among these are team member education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security appliances with machine learning capabilities to intelligently identify and quarantine new cyber attacks. Progent in addition can provide the services of expert crypto-ransomware recovery consultants with the talent and commitment to re-deploy a compromised environment as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware penetration, paying the ransom in cryptocurrency does not ensure that the cyber criminals will provide the keys to decrypt any of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their data after paying the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to average around $13,000. The alternative is to set up the essential parts of your IT environment from scratch. Without complete system backups, this calls for a wide complement of skill sets, well-coordinated project management, and the willingness to work 24x7 until the job is done.
For twenty years, Progent has offered professional IT services for businesses in Fort Myers and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience affords Progent the ability to rapidly identify necessary systems and integrate the surviving components of your Information Technology environment after a ransomware attack and rebuild them into an operational system.
Progent's recovery group utilizes top-notch project management systems to coordinate the sophisticated recovery process. Progent understands the importance of acting rapidly and in unison with a customer's management and IT team members to prioritize tasks and to put the most important services back online as soon as humanly possible.
Client Story: A Successful Ransomware Penetration Recovery
A client engaged Progent after their organization was crashed by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored criminal gangs, possibly using techniques leaked from America's NSA. Ryuk goes after specific companies with little room for operational disruption and is among the most profitable versions of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with about 500 employees. The Ryuk event had brought down all essential business operations and manufacturing capabilities. Most of the client's backups were directly accessible from the network at the beginning of the intrusion and were eventually encrypted along with the production data. The client considered paying the ransom (exceeding $200K) and hoping for the best, but ultimately engaged Progent instead.
"I can't thank you enough in regards to the help Progent provided us throughout the most stressful time of (our) businesses life. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent experts gave us. The fact that you could get our messaging and production applications back into operation in less than a week was beyond my wildest dreams. Every single consultant I talked with or communicated with at Progent was urgently focused on getting us back online and was working 24 by 7 to bail us out."
Progent worked with the client to quickly assess and assign priority to the most important elements that needed to be recovered in order to continue business functions:
- Microsoft Active Directory
- Accounting and Manufacturing Software
To get going, Progent followed malware incident mitigation best practices by halting lateral movement and cleaning infected systems. Progent then initiated the work of recovering Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Exchange email will not work without AD, and the business's financial and MRP software used Microsoft SQL Server, which relies on Active Directory for authentication.
In less than 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with rebuilding mission-critical applications and recovering their data from surviving disks. All Exchange Server schema and configuration information was usable, which facilitated the rebuild of Exchange. Progent was also able to locate intact OST files (Microsoft Outlook Offline Data Files) on staff workstations and laptops and used them to recover mail messages. A relatively recent offline backup of the client's accounting/ERP software made it possible to return these essential applications to service. Although major work still had to be done to recover completely from the Ryuk damage, core systems were returned to operation quickly:
"For the most part, the manufacturing operation never missed a beat and we made all customer deliverables."
Throughout the following couple of weeks, critical milestones in the recovery process were achieved in tight collaboration between Progent consultants and the customer:
- In-house web sites were returned to operation without losing any information.
- The MailStore archive for Microsoft Exchange Server, with over 4 million archived messages, was brought online and made available to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory capabilities were completely restored.
- A new Palo Alto Networks 850 security appliance was set up.
- 90% of the user desktops were functioning as before the incident.
"A lot of what occurred during the initial response is mostly a blur for me, but my team will not soon forget the countless hours each of the team put in to help get our company back. I have utilized Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This situation was the most impressive ever."
A likely business extinction catastrophe was dodged through the efforts of dedicated professionals, a wide array of subject matter expertise, and tight collaboration. Although in the post mortem it was clear that the ransomware penetration described here should have been stopped by modern security technology, NIST Cybersecurity Framework best practices, team training, appropriate incident response procedures, and proper patching controls, the reality remains that government-sponsored hackers from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware attack, you can be confident that Progent's team of experts has a proven track record in ransomware blocking, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were involved), thank you for letting me get some sleep after we made it past the initial push. Everyone did an incredible job, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Fort Myers a range of online monitoring and security evaluation services to help you reduce your vulnerability to ransomware. These services incorporate modern AI capabilities to uncover zero-day strains of ransomware that are able to get past legacy signature-based anti-virus products.
For 24-Hour Fort Myers Ransomware Cleanup Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that utilizes next-generation behavior-based machine learning technology to defend physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to address the complete threat lifecycle, including protection, identification, containment, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring of and reaction to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering via leading-edge technologies incorporated within a single agent accessible from a unified console. Progent's security and virtualization consultants can assist your business in planning and implementing a ProSight ESP deployment that addresses your company's specific requirements and helps you demonstrate compliance with legal and industry information protection regulations. Progent will assist you in defining and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate action. Progent's consultants can also assist your company in installing and verifying a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable end-to-end service for secure backup and disaster recovery (BDR). For a low monthly rate, ProSight Data Protection Services automates your backup processes and enables rapid restoration of critical files, applications and virtual machines that have become unavailable or damaged due to component breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local storage device, or to both. Progent's cloud backup specialists can provide advanced support to set up ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can assist you in recovering your critical information. Learn more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security vendors to deliver centralized management and world-class security for your email traffic. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway device to offer advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and saves system bandwidth and storage. Email Guard's onsite security gateway device provides a deeper level of analysis for inbound email. For outgoing email, the on-premises security gateway provides AV and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Microsoft Exchange Server monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map, track, reconfigure and troubleshoot their connectivity appliances like switches, firewalls, and access points as well as servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, copies and manages the configuration of almost all devices connected to your network, monitors performance, and generates notices when problems are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating devices that need critical updates, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by checking the state of the critical assets that power your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT personnel and your Progent consultant so that any looming problems can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hardware environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect information related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Find out more about ProSight IT Asset Management service.