Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a modern cyberplague that represents an enterprise-level danger for businesses unprepared for an attack. Versions of ransomware such as CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for a long time and still inflict havoc. Recent variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as daily unnamed viruses, not only encrypt critical online data but also infect every system backup they can reach. Information synched to cloud environments can also be ransomed. In a vulnerable environment, this can make any recovery impossible and effectively knocks the network back to square one.
Recovering services and data after a ransomware outage becomes a sprint against time as the targeted business struggles to contain and clean up the ransomware and to resume business-critical operations. Because crypto-ransomware requires time to replicate, attacks are usually launched on weekends and holidays, when a successful penetration may take longer to detect. This compounds the difficulty of promptly mobilizing and coordinating a qualified response team.
Progent has a variety of solutions for securing enterprises from ransomware attacks. Among these are team member education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways with artificial intelligence technology to intelligently discover and disable zero-day cyber threats. Progent also offers the assistance of veteran ransomware recovery consultants with the track record and perseverance to restore a breached system as rapidly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware event, paying the ransom in cryptocurrency does not ensure that the cyber criminals will provide the keys needed to decrypt all your information. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their information after having paid the ransom, compounding their losses. The ransom itself is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to piece back together the mission-critical elements of your Information Technology environment. Without full data backups, this requires a wide range of skills, top-notch team management, and the willingness to work continuously until the job is completed.
For decades, Progent has made available expert IT services for businesses in Fort Myers and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded advanced certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the ability to quickly understand critical systems and consolidate the surviving parts of your network environment after a ransomware attack and assemble them into an operational system.
Progent's ransomware group uses top-notch project management systems to coordinate the sophisticated recovery process. Progent understands the urgency of working swiftly and in unison with a client's management and IT team members to assign priority to tasks and to put essential applications back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Incident Response
A client escalated to Progent after their organization was crashed by the Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean state-sponsored criminal gangs, suspected of using approaches exposed from America's National Security Agency. Ryuk targets specific companies with little or no room for operational disruption and is among the most profitable examples of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer based in the Chicago metro area with about 500 staff members. The Ryuk attack had paralyzed all essential operations and manufacturing capabilities. The majority of the client's backups had been online at the beginning of the intrusion and were encrypted. The client was evaluating paying the ransom (exceeding $200K) and hoping for the best, but ultimately engaged Progent.
"I cannot speak enough in regards to the care Progent gave us during the most critical time of (our) company's existence. We would have paid the cybercriminals except for the confidence the Progent team gave us. That you could get our e-mail and important servers back online in less than seven days was beyond my wildest dreams. Each expert I spoke to or texted at Progent was hell bent on getting our system up and was working breakneck pace on our behalf."
Progent worked with the client to rapidly assess and prioritize the essential systems that had to be restored in order to continue business functions:
To start, Progent followed malware incident mitigation best practices by stopping the spread and performing malware removal steps. Progent then began the task of bringing back online Active Directory, the core of enterprise systems built upon Microsoft Windows technology. Exchange messaging will not operate without Active Directory, and the business's MRP applications relied on Microsoft SQL Server, which depends on Windows AD for authentication and authorization to the data.
- Microsoft Active Directory
- Exchange Server
Within 48 hours, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and hard drive recovery for essential applications. All Microsoft Exchange Server data and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook offline data files) from staff PCs to recover mail data. A recent offline backup of the business's financials/ERP systems made it possible to bring these required services back online. Although a lot of work remained to recover completely from the Ryuk virus, critical systems were returned to operation rapidly:
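The recovery sequence described above (Active Directory first, then the mail, database and application tiers that authenticate against it) is a dependency ordering, and it is worth writing down before an incident rather than reconstructing it under pressure. The Python script below is an added example, not Progent's tooling or code from the case study: it takes a constructed service-dependency map (every service name other than Active Directory, Exchange Server and SQL Server is assumed for illustration) and computes restoration waves with Kahn's topological sort, reporting any dependency cycle so the runbook can be corrected.

```python
"""Restore-order planner for ransomware recovery (added example).

Given a map of services to the services they depend on, produce ordered
restoration waves: a service is scheduled only once everything it needs
(authentication, databases, mail stores) is already back.  A cycle is
reported as an error because a dependency loop means the runbook itself
needs fixing before it can guide a recovery.
"""
from collections import defaultdict

# Constructed sample mirroring the case study's ordering: Exchange and SQL
# Server depend on Active Directory, and the MRP/ERP application depends on
# SQL Server.  Names other than AD, Exchange and SQL Server are assumptions.
SAMPLE_DEPENDENCIES = {
    "Active Directory": [],
    "Exchange Server": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "MRP/ERP application": ["SQL Server"],
    "MailStore archive": ["Exchange Server"],
    "Intranet web sites": ["Active Directory"],
    "Workstations": ["Active Directory"],
}


def plan_restore_waves(dependencies):
    """Return restoration waves (each a sorted list of service names).

    Uses Kahn's algorithm: services with no unmet dependencies form the
    first wave; removing them releases the next wave, and so on.  Raises
    ValueError naming the services stuck in a dependency cycle.
    """
    # Every service referenced as a dependency is a node even if it has no
    # entry of its own (treated as having no dependencies).
    nodes = set(dependencies)
    for deps in dependencies.values():
        nodes.update(deps)

    indegree = {name: 0 for name in nodes}      # unmet dependencies per service
    dependents = defaultdict(list)              # service -> services waiting on it
    for service, deps in dependencies.items():
        for dep in deps:
            indegree[service] += 1
            dependents[dep].append(service)

    ready = sorted(name for name in nodes if indegree[name] == 0)
    waves = []
    scheduled = 0
    while ready:
        waves.append(ready)
        scheduled += len(ready)
        next_ready = []
        for service in ready:
            for child in dependents[service]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    next_ready.append(child)
        ready = sorted(next_ready)

    if scheduled != len(nodes):
        stuck = sorted(name for name in nodes if indegree[name] > 0)
        raise ValueError(f"dependency cycle involving: {', '.join(stuck)}")
    return waves


def flat_restore_order(dependencies):
    """Convenience view: the waves flattened into a single ordered checklist."""
    return [service for wave in plan_restore_waves(dependencies) for service in wave]


if __name__ == "__main__":
    for number, wave in enumerate(plan_restore_waves(SAMPLE_DEPENDENCIES), start=1):
        print(f"Wave {number}: {', '.join(wave)}")
```

Run against the sample map, wave 1 contains only Active Directory, wave 2 the services that need nothing but AD (Exchange, SQL Server, intranet sites, workstations), and wave 3 the MRP/ERP application and the MailStore archive. Keeping the dependency map in the incident-response plan, and re-running the planner whenever a new application is added, gives the recovery team an agreed restore order instead of an argument on the first day of an outage.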
"For the most part, the production line operation showed little impact and we delivered all customer shipments."
Throughout the next month important milestones in the recovery project were completed in close cooperation between Progent consultants and the customer:
- Internal web sites were brought back up with no loss of information.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived emails, was brought online and made accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were fully operational.
- A new Palo Alto 850 security appliance was brought online.
- Most of the desktops and laptops were fully operational.
"A lot of what was accomplished that first week is mostly a blur for me, but we will not soon forget the countless hours each of your team accomplished to give us our company back. I've trusted Progent for the past 10 years, maybe more, and every time Progent has impressed me and delivered. This time was a testament to your capabilities."
A probable business extinction catastrophe was averted with hard-working experts, a wide spectrum of IT skills, and close teamwork. Although in the post-mortem the crypto-ransomware attack detailed here could have been shut down with advanced cyber security solutions and best practices, staff education, and properly executed procedures for data backup and patching, the fact is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's team of experts has substantial experience in crypto-ransomware virus defense, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for making it so I could get some sleep after we made it over the first week. Everyone did a fabulous effort, and if anyone that helped is around the Chicago area, dinner is on me!"
To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Fort Myers a range of remote monitoring and security assessment services to help you to minimize your vulnerability to ransomware. These services utilize next-generation machine learning capability to detect new variants of crypto-ransomware that are able to evade legacy signature-based anti-virus solutions.
For 24-7 Fort Myers CryptoLocker Removal Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates cutting-edge behavior analysis technology to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily escape traditional signature-based AV tools. ProSight ASM safeguards local and cloud resources and provides a single platform to address the complete threat progression including filtering, infiltration detection, containment, remediation, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP offers firewall protection, penetration alarms, device control, and web filtering via leading-edge tools incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help your business to plan and configure a ProSight ESP environment that meets your company's specific needs and that helps you demonstrate compliance with legal and industry information security standards. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require immediate action. Progent can also assist you to install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and medium-sized organizations an affordable end-to-end solution for reliable backup/disaster recovery (BDR). Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup processes and enables fast recovery of critical data, applications and virtual machines that have become lost or damaged due to component breakdowns, software bugs, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to an on-premises storage device, or to both. Progent's backup and recovery consultants can deliver advanced support to set up ProSight DPS to be compliant with government and industry regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can help you to recover your critical information. Read more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of leading information security companies to provide centralized control and comprehensive security for your inbound and outbound email. The powerful structure of Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a preliminary barricade and blocks most unwanted email from reaching your network firewall. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of inspection for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Exchange Server to track and protect internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to diagram, monitor, enhance and debug their networking hardware such as routers, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are always updated, captures and manages the configuration information of virtually all devices connected to your network, tracks performance, and generates notices when problems are detected. By automating complex management activities, WAN Watch can knock hours off ordinary tasks such as making network diagrams, expanding your network, locating devices that need critical software patches, or resolving performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by checking the health of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT staff and your assigned Progent engineering consultant so all potential problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported immediately to an alternate hosting solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect data about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Read more about Progent's ProSight IT Asset Management service.