Ransomware : Your Worst Information Technology Nightmare
Ransomware has become an escalating cyberplague that presents an enterprise-level threat for businesses unprepared for an attack. Multiple generations of ransomware such as CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict damage. The latest variants of crypto-ransomware like Ryuk and Hermes, plus daily unnamed viruses, not only do encryption of on-line critical data but also infiltrate most configured system backups. Data replicated to cloud environments can also be corrupted. In a poorly designed data protection solution, this can render automated restoration impossible and effectively sets the network back to square one.
Restoring applications and data after a ransomware event becomes a race against time as the targeted organization struggles to stop lateral movement and cleanup the virus and to restore mission-critical activity. Because ransomware needs time to move laterally, penetrations are frequently sprung on weekends, when penetrations tend to take more time to detect. This compounds the difficulty of quickly mobilizing and coordinating a capable mitigation team.
Progent has a range of solutions for securing businesses from crypto-ransomware attacks. These include team education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of modern security appliances with AI capabilities to automatically identify and suppress day-zero threats. Progent also provides the services of experienced ransomware recovery professionals with the track record and perseverance to reconstruct a compromised system as soon as possible.
Progent's Ransomware Recovery Services
Following a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not ensure that cyber hackers will provide the codes to decrypt any of your data. Kaspersky ascertained that seventeen percent of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET determined to be around $13,000. The other path is to re-install the critical parts of your Information Technology environment. Absent the availability of full information backups, this calls for a broad complement of IT skills, well-coordinated team management, and the capability to work 24x7 until the recovery project is completed.
For decades, Progent has provided professional IT services for companies in Minneapolis and across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of experience provides Progent the ability to knowledgably ascertain critical systems and re-organize the remaining parts of your network system after a ransomware attack and assemble them into a functioning network.
Progent's recovery team uses state-of-the-art project management tools to coordinate the complicated recovery process. Progent understands the urgency of working swiftly and in concert with a customerís management and Information Technology resources to prioritize tasks and to put key services back on line as soon as possible.
Client Story: A Successful Ransomware Attack Response
A business contacted Progent after their network system was taken over by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean government sponsored hackers, possibly using algorithms leaked from the United States National Security Agency. Ryuk attacks specific businesses with little room for disruption and is among the most lucrative iterations of crypto-ransomware. High publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area and has around 500 workers. The Ryuk event had frozen all company operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the start of the attack and were eventually encrypted. The client was evaluating paying the ransom demand (in excess of $200,000) and wishfully thinking for the best, but in the end brought in Progent.
"I canít speak enough in regards to the expertise Progent provided us during the most fearful time of (our) businesses existence. We may have had to pay the hackers behind this attack if it wasnít for the confidence the Progent experts gave us. That you could get our e-mail and important applications back on-line faster than one week was amazing. Every single expert I interacted with or messaged at Progent was laser focused on getting us restored and was working at all hours to bail us out."
Progent worked with the customer to rapidly determine and prioritize the mission critical elements that needed to be recovered in order to continue business functions:
To start, Progent adhered to AV/Malware Processes incident mitigation best practices by stopping lateral movement and cleaning systems of viruses. Progent then started the process of rebuilding Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server email will not work without Windows AD, and the client's MRP applications utilized SQL Server, which requires Active Directory services for authentication to the data.
- Microsoft Active Directory
- Electronic Messaging
Within 48 hours, Progent was able to re-build Active Directory services to its pre-penetration state. Progent then performed reinstallations and storage recovery on needed applications. All Microsoft Exchange Server data and attributes were usable, which accelerated the restore of Exchange. Progent was able to assemble intact OST files (Outlook Offline Folder Files) on user PCs in order to recover mail data. A not too old offline backup of the client's accounting systems made it possible to restore these required programs back on-line. Although major work was left to recover completely from the Ryuk attack, critical services were restored quickly:
"For the most part, the production operation was never shut down and we delivered all customer sales."
Over the next few weeks important milestones in the restoration project were completed through tight collaboration between Progent consultants and the client:
- Self-hosted web sites were returned to operation without losing any data.
- The MailStore Server with over 4 million historical emails was brought online and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory modules were fully operational.
- A new Palo Alto Networks 850 firewall was set up and programmed.
- Nearly all of the desktops and laptops were functioning as before the incident.
"Much of what happened in the early hours is nearly entirely a blur for me, but my management will not forget the urgency each and every one of you accomplished to give us our business back. Iíve entrusted Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This event was the most impressive ever."
A possible enterprise-killing catastrophe was averted due to top-tier experts, a wide range of knowledge, and close collaboration. Although in post mortem the ransomware virus penetration described here could have been identified and prevented with current security technology solutions and ISO/IEC 27001 best practices, user training, and well designed security procedures for backup and proper patching controls, the fact remains that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and will continue. If you do get hit by a ransomware virus, feel confident that Progent's team of professionals has substantial experience in crypto-ransomware virus defense, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), Iím grateful for allowing me to get rested after we got over the first week. All of you did an impressive job, and if any of your team is visiting the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Minneapolis a variety of online monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services utilize next-generation AI capability to uncover zero-day strains of ransomware that can evade legacy signature-based security solutions.
For 24-Hour Minneapolis Crypto-Ransomware Recovery Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates cutting edge behavior analysis technology to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to address the entire threat lifecycle including filtering, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection services deliver economical multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge tools incorporated within one agent accessible from a single console. Progent's data protection and virtualization experts can assist you to plan and implement a ProSight ESP environment that meets your company's specific needs and that helps you prove compliance with legal and industry information security standards. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent action. Progent's consultants can also assist your company to set up and verify a backup and restore system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable and fully managed solution for secure backup/disaster recovery. For a fixed monthly rate, ProSight Data Protection Services automates your backup activities and allows rapid restoration of critical data, applications and virtual machines that have become unavailable or corrupted as a result of hardware breakdowns, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Important data can be backed up on the cloud, to an on-promises device, or to both. Progent's cloud backup specialists can provide advanced expertise to configure ProSight Data Protection Services to be compliant with regulatory standards such as HIPAA, FINRA, and PCI and, whenever necessary, can assist you to restore your business-critical data. Find out more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security vendors to provide web-based management and world-class protection for all your inbound and outbound email. The powerful structure of Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a further layer of inspection for inbound email. For outbound email, the on-premises security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Exchange Server to monitor and safeguard internal email that stays within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map out, track, reconfigure and debug their networking hardware such as switches, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating complex management and troubleshooting processes, WAN Watch can knock hours off ordinary tasks such as network mapping, reconfiguring your network, finding devices that need critical updates, or isolating performance problems. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the state of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT personnel and your Progent engineering consultant so all potential issues can be addressed before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and protect information about your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates ,domains or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as 50% of time spent looking for vital information about your network. ProSight IT Asset Management features a common location for holding and sharing all documents required for managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether youíre planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about ProSight IT Asset Management service.