Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become a modern cyberplague that poses an enterprise-level threat to businesses of all sizes that are poorly prepared for an assault. Ransomware families such as CryptoLocker, Fusob, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been circulating for many years and still inflict havoc. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Egregor, along with as yet unnamed newcomers appearing daily, not only encrypt online files but also reach most configured system backups. Data synchronized to cloud environments can also be corrupted. In a poorly designed environment, this can make any recovery useless and effectively sets the datacenter back to square one.
Retrieving services and data following a ransomware intrusion becomes a race against the clock as the victim fights to stop the spread, clean up the ransomware, and restore enterprise-critical operations. Since crypto-ransomware takes time to replicate, attacks are frequently sprung during nights and weekends, when successful penetrations typically take longer to uncover. This compounds the difficulty of rapidly mobilizing and coordinating a qualified mitigation team.
Progent has a variety of support services for protecting enterprises from crypto-ransomware attacks. These include team member training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of next-generation security gateways with AI capabilities to automatically detect and extinguish zero-day cyber attacks. Progent also offers the assistance of expert ransomware recovery engineers with the track record and commitment to re-deploy a breached system as rapidly as possible.
Progent's Ransomware Restoration Support Services
Following a crypto-ransomware event, even paying the ransom in Bitcoin does not ensure that the cyber criminals will return the keys needed to decrypt all your information. Kaspersky determined that 17% of crypto-ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET estimates at approximately $13,000. The alternative is to piece back together the mission-critical parts of your Information Technology environment. Without full data backups available, this calls for a wide range of skills, top-notch team management, and the willingness to work 24x7 until the task is over.
For twenty years, Progent has provided certified expert Information Technology services for businesses in Glendale and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally-renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of experience affords Progent the capability to rapidly identify critical systems and integrate the remaining pieces of your network environment after a crypto-ransomware event and rebuild them into a functioning system.
Progent's ransomware group uses state-of-the-art project management systems to orchestrate the complex recovery process. Progent knows the importance of acting quickly and in concert with a customer's management and Information Technology staff to assign priority to tasks and to put key services back on line as fast as possible.
Client Story: A Successful Ransomware Intrusion Response
A customer escalated to Progent after their organization was attacked by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state cybercriminals, suspected of adopting technology exposed from the U.S. NSA organization. Ryuk goes after specific businesses with little room for disruption and is one of the most lucrative versions of ransomware. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer based in Chicago with about 500 employees. The Ryuk attack had brought down all company operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client considered paying the ransom (exceeding two hundred thousand dollars) and praying for good luck, but in the end made the decision to use Progent.
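The client's backups were lost because they could be reached and written from the compromised network. A defender can test for that exposure before an incident. The PowerShell below is an added example and not Progent's code; the repository paths are constructed placeholders, and the script is meant to be run from an ordinary workstation or server account, not from the backup service account.

```powershell
# Added example (not Progent's code): report which backup repositories the
# account running this script can write to. A backup set that an ordinary
# domain account can write to shares the blast radius of ransomware running
# under that account, which is how the case-study client's backups were lost.
# The paths below are constructed placeholders; replace them with your own.
$BackupRepositories = @(
    '\\BACKUP-SRV01\Backups',   # constructed example UNC path
    'D:\LocalBackups',          # constructed example local path
    '\\NAS01\Archive'           # constructed example UNC path
)

function Test-BackupExposure {
    param([string[]]$Paths)

    foreach ($path in $Paths) {
        $result = [ordered]@{ Path = $path; Reachable = $false; Writable = $false; Verdict = '' }

        if (-not (Test-Path -LiteralPath $path)) {
            $result.Verdict = 'Not reachable from this host (expected for an isolated or offline repository)'
            [pscustomobject]$result
            continue
        }
        $result.Reachable = $true

        # Create and delete a zero-byte probe file. If this succeeds, the same
        # account could also overwrite or encrypt the backup set.
        $probe = Join-Path $path ('exposure-probe-{0}.tmp' -f [guid]::NewGuid())
        try {
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
            $result.Writable = $true
            $result.Verdict = 'EXPOSED: writable by this account; move to offline, immutable, or separately credentialed storage'
        } catch [System.UnauthorizedAccessException] {
            $result.Verdict = 'Read-only for this account; still reachable, so confirm an offline or immutable copy also exists'
        } catch {
            $result.Verdict = "Write test failed: $($_.Exception.Message)"
        }

        [pscustomobject]$result
    }
}

Test-BackupExposure -Paths $BackupRepositories | Format-Table -AutoSize
```

Run it under several everyday user accounts; any repository that reports EXPOSED for a non-backup account would have been encrypted along with the rest of the network in an incident like the one described above.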
"I can't tell you enough about the care Progent gave us during the most fearful period of (our) company's existence. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent group gave us. The fact that you could get our messaging and important applications back quicker than one week was something I thought impossible. Each expert I interacted with or texted at Progent was hell bent on getting my company operational and was working non-stop to bail us out."
Progent worked hand in hand with the customer to quickly identify and prioritize the mission-critical systems that had to be addressed to make it possible to continue departmental operations:
- Active Directory
- Exchange Server
- MRP System
To start, Progent adhered to ransomware incident mitigation industry best practices by isolating the affected systems and performing malware removal. Progent then began the work of recovering Microsoft Active Directory, the heart of enterprise environments built on Microsoft technology. Exchange messaging will not function without Windows AD, and the business's accounting and MRP applications relied on SQL Server, which requires Windows AD for access to the data.
Within 48 hours, Progent was able to recover Active Directory services to their pre-intrusion state. Progent then performed setup and storage recovery on critical applications. All Microsoft Exchange Server ties and configuration information were intact, which greatly helped the restoration of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Offline Data Files) from staff workstations and laptops to recover email data. A reasonably recent offline backup of the customer's accounting/ERP software made it possible to bring these vital applications back online for users. Although major work still had to be done to recover completely from the Ryuk event, essential services were recovered rapidly:
"For the most part, the production line operation did not miss a beat and we did not miss any customer shipments."
Throughout the following few weeks, key milestones in the restoration process were completed in close collaboration between Progent engineers and the customer:
- In-house web sites were returned to operation with no loss of data.
- The MailStore email archive for Microsoft Exchange Server, holding more than four million archived messages, was spun up and made available to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory capabilities were 100 percent restored.
- A new Palo Alto Networks 850 firewall was brought online.
- Most of the desktop computers were fully operational.
"A huge amount of what happened that first week is mostly a fog for me, but I will not forget the care each and every one of the team accomplished to give us our business back. I've trusted Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This time was the most impressive ever."
A potential business extinction catastrophe was avoided by hard-working professionals, a broad array of knowledge, and tight teamwork. In hindsight, the crypto-ransomware penetration detailed here could have been identified and blocked with up-to-date cyber security systems, NIST Cybersecurity Framework best practices, user education, properly executed incident response procedures for data backup, and proper patching controls. The fact remains, however, that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's roster of professionals has a proven track record in crypto-ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for letting me get rested after we got over the initial push. All of you did an amazing effort, and if anyone is around the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Glendale a range of online monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services incorporate modern AI technology to detect zero-day variants of ransomware that are able to escape detection by legacy signature-based anti-virus solutions.
For 24-Hour Glendale Ransomware Repair Consulting, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting edge behavior-based machine learning technology to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily escape legacy signature-matching AV products. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to automate the complete malware attack lifecycle including filtering, infiltration detection, mitigation, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and react to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge tools incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can help your business design and implement a ProSight ESP deployment that addresses your organization's unique requirements and that helps you demonstrate compliance with government and industry data security regulations. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent's consultants can also help you set up and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations a low-cost end-to-end solution for secure backup and disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows fast restoration of critical data, apps and VMs that have become unavailable or damaged as a result of hardware failures, software bugs, disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's BDR specialists can deliver world-class support to set up ProSight DPS to comply with regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can help you restore your business-critical data. Find out more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security vendors to provide web-based management and comprehensive security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard combines cloud-based filtering with an on-premises gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email before it reaches your network firewall. This reduces your vulnerability to external threats and saves network bandwidth and storage space. Email Guard's onsite gateway device provides a further layer of inspection for incoming email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also help Microsoft Exchange Server monitor and protect internal email that originates and ends inside your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map out, monitor, reconfigure and troubleshoot their networking appliances such as routers and switches, firewalls, and wireless controllers plus servers, client computers and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, copies and displays the configuration information of almost all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating time-consuming management processes, ProSight WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, finding devices that need important software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to help keep your IT system operating efficiently by checking the health of vital assets that power your business network. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT personnel and your assigned Progent consultant so any potential issues can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be ported easily to an alternate hardware environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can save up to half of the time spent trying to find critical information about your network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're planning enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require when you need it. Learn more about ProSight IT Asset Management service.