Crypto-Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyber plague that poses an existential danger to businesses unprepared for an attack. Families of ransomware such as Reveton, Fusob, Locky, Syskey and MongoLock have been circulating for years and continue to cause damage. The latest strains, such as Ryuk and Hermes, along with a daily stream of unnamed variants, not only encrypt online data files but also compromise any backups and system protection they can reach. Data synced to cloud environments can be encrypted as well. In a poorly designed system this can make restoration hopeless and effectively knocks the entire environment back to square one.
Restoring services and information after a ransomware event becomes a race against time as the targeted organization fights to contain the damage, clean up the crypto-ransomware, and resume business-critical operations. Because ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when they tend to take longer to detect. This multiplies the difficulty of rapidly mobilizing and organizing a capable response team.
Progent provides a variety of support services for protecting businesses from ransomware penetrations. These include staff education to help employees recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security solutions with machine learning capabilities that automatically discover and quarantine zero-day threats. Progent also provides the services of veteran crypto-ransomware recovery consultants with the skill and commitment to rebuild a compromised system as quickly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, paying the ransom demand in Bitcoin does not guarantee that the criminals will provide the keys needed to decrypt any or all of your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data even after paying, compounding their losses. Paying is also very expensive: Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), well above the average crypto-ransomware demand, which ZDNET puts at around $13,000. The alternative is to rebuild the critical parts of your IT environment from scratch. Without complete system backups, this calls for a wide range of skills, well-coordinated project management, and the ability to work around the clock until the job is done.
For twenty years, Progent has provided professional IT services for businesses in Alpharetta and across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold top industry certifications in leading technologies from Microsoft, Cisco, and VMware and in the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC (refer to Progent's certifications). Progent also has expertise in financial management and ERP application software. This breadth of expertise lets Progent quickly determine which systems are essential, reorganize the surviving pieces of your IT environment after a ransomware event, and reassemble them into a functioning system.
Progent's recovery group uses top-notch project management systems to orchestrate the complicated restoration process. Progent understands the importance of acting rapidly and working together with a client's management and IT staff to prioritize tasks and bring key applications back online as soon as possible.
Client Story: A Successful Ransomware Penetration Response
A small business hired Progent after its network was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored criminals, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets organizations with little tolerance for operational disruption and is among the most profitable incarnations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk attack had halted all company operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were encrypted. The client was pursuing financing to pay the ransom (exceeding $200K) and hoping for the best, but ultimately decided to engage Progent.
"I can't speak enough about the support Progent provided us during the most fearful period of (our) business's survival. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent experts gave us. The fact that you could get our messaging and critical servers back into operation quicker than seven days was something I thought impossible. Every single consultant I worked with or communicated with at Progent was hell bent on getting our company operational and was working non-stop to bail us out."
Progent worked with the client to quickly identify and prioritize the most important elements that had to be recovered before business functions could continue:
- Active Directory
- Microsoft Exchange Server
To begin, Progent followed incident response industry best practices by halting lateral movement and disinfecting systems. Progent then started rebuilding Microsoft Active Directory, the heart of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server email will not operate without Active Directory, and the customer's accounting and MRP system ran on SQL Server, which relies on Active Directory for authenticating and authorizing access to the data.
Within two days, Progent restored Active Directory to its pre-attack state. Progent then reinstalled and recovered the disks of the most important systems. All Exchange schema and configuration information were intact, which accelerated the Exchange rebuild. Progent was able to collect unencrypted OST files (Microsoft Outlook Offline Data Files) from various workstations and laptops to recover mail data. A fairly recent offline backup of the customer's financials/MRP system made it possible to bring these vital services back online. Although major work remained before the client had fully recovered from the Ryuk event, essential systems were restored quickly:
"For the most part, the production operation was never shut down and we produced all customer shipments."
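The mail recovery described above depended on finding OST files on workstations that the ransomware had not reached. The script below is an added example, not Progent's tooling: it walks a directory tree, finds Outlook OST/PST files, and classifies each by whether it still begins with the `!BDN` signature of the Outlook Personal Folder File format. An encrypted copy will normally have had that header overwritten. The directory layout and file contents it builds are constructed fixtures; the mailbox names are assumed. The check is a fast first-pass triage only: a file that keeps its header may still be partially damaged, and a file renamed by the ransomware will be missed by the extension filter, so survivors still need to be opened in Outlook before being trusted.

```python
import tempfile
from pathlib import Path

# Outlook OST/PST files (Personal Folder File format) start with the
# four-byte signature "!BDN" (0x21 0x42 0x44 0x4E).
PFF_MAGIC = b"!BDN"


def classify_ost(path):
    """Return 'intact', 'encrypted-or-damaged', or 'unreadable' for one file."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(len(PFF_MAGIC))
    except OSError:
        return "unreadable"
    return "intact" if header == PFF_MAGIC else "encrypted-or-damaged"


def triage_ost_files(root):
    """Walk root, collect *.ost / *.pst files, and group their paths by status."""
    results = {"intact": [], "encrypted-or-damaged": [], "unreadable": []}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".ost", ".pst"):
            results[classify_ost(p)].append(str(p))
    return results


def build_sample_tree(root):
    """Constructed fixture: one OST with a valid header, one overwritten with noise."""
    root = Path(root)
    (root / "alice").mkdir(parents=True, exist_ok=True)
    (root / "bob").mkdir(parents=True, exist_ok=True)
    # Survivor: signature present, followed by padding standing in for real content.
    (root / "alice" / "alice@example.com.ost").write_bytes(PFF_MAGIC + b"\x00" * 60)
    # Casualty: an encrypted file no longer carries the format's signature.
    (root / "bob" / "bob@example.com.ost").write_bytes(bytes([0x9C, 0x3F, 0xE2, 0x11]) * 16)
    # Non-mailbox file, ignored by the extension filter.
    (root / "bob" / "notes.txt").write_bytes(b"not a mailbox")
    return root


def run_demo():
    """Build the fixture in a temp dir, triage it, and return file names by status."""
    with tempfile.TemporaryDirectory() as tmp:
        results = triage_ost_files(build_sample_tree(tmp))
        return {status: sorted(Path(p).name for p in paths)
                for status, paths in results.items()}


if __name__ == "__main__":
    for status, names in run_demo().items():
        print(f"{status}: {names}")
```

Point `triage_ost_files` at a mounted workstation share (or run it locally on each machine) to produce the list of candidates worth copying off before rebuilding the mail server.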
Over the following couple of weeks, key milestones in the restoration process were completed in close cooperation between Progent consultants and the client:
- In-house web applications were restored without losing any data.
- The MailStore Server archive, holding more than four million historical emails, was brought online and made accessible to users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control capabilities were 100% operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- 90% of the desktops and laptops were functioning as before the incident.
"So much of what occurred that first week is mostly a haze for me, but our team will not forget the urgency all of the team accomplished to give us our business back. I have utilized Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This time was a life saver."
A potentially business-killing catastrophe was averted thanks to dedicated professionals, a broad range of subject matter expertise, and close collaboration. Although forensic analysis showed that the ransomware penetration described here could have been detected and stopped with modern security solutions, ISO/IEC 27001 best practices, staff training, and appropriate incident response procedures for data protection and patching controls, the fact remains that state-sponsored criminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware attack, remember that Progent's roster of experts has substantial experience in ransomware defense, mitigation, and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for letting me get rested after we got over the initial fire. Everyone did an impressive job, and if any of your guys is visiting the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Alpharetta a portfolio of online monitoring and security assessment services to help you to minimize your vulnerability to ransomware. These services incorporate modern AI technology to detect new strains of ransomware that are able to get past traditional signature-based anti-virus solutions.
For 24/7/365 Alpharetta Crypto Cleanup Consulting, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses behavior-based analysis to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily get past legacy signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to automate the complete threat lifecycle, including blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and respond to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help you plan and implement a ProSight ESP environment that addresses your organization's specific needs and allows you to demonstrate compliance with legal and industry information protection standards. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for urgent action. Progent can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent provide small and medium-sized businesses a low-cost, fully managed service for secure backup and disaster recovery. For a low monthly fee, ProSight DPS automates and monitors your backup processes and enables rapid restoration of vital data, applications and virtual machines that have become unavailable or corrupted as a result of hardware failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local device, or to both. Progent's backup and recovery consultants can deliver world-class expertise to configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can help you recover your critical data. Read more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security vendors to deliver centralized control and world-class protection for all your email traffic. The powerful architecture of Email Guard integrates cloud-based filtering with an on-premises gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a further level of inspection for inbound email. For outgoing email, the local gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map, track, reconfigure and troubleshoot their connectivity appliances like routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept updated, captures and displays the configuration information of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are discovered. By automating tedious management and troubleshooting processes, WAN Watch can knock hours off common tasks such as network mapping, expanding your network, locating devices that need critical updates, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management technology to keep your network operating efficiently by checking the health of the critical assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT management personnel and your Progent engineering consultant so that looming issues can be resolved before they impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the environment is virtualized, it can be ported easily to different hardware without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, update, find and protect information about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By keeping your network documentation current and organized, you can eliminate up to half of the time wasted looking for vital information about your network. ProSight IT Asset Management provides a centralized location for storing and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're making improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need as soon as you need it. Find out more about ProSight IT Asset Management service.