Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that represents an enterprise-level danger for businesses of all sizes unprepared for an attack. Older families of ransomware and cryptoworms such as CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been circulating for many years and still cause destruction. Recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as unnamed newcomers, not only encrypt online files but also infect most reachable system restores and backups. Information synchronized to the cloud can also be ransomed. In a poorly designed system, this can make automated restoration useless and effectively sets the network back to zero.
Restoring applications and data after a ransomware event becomes a sprint against time as the targeted organization struggles to contain the damage, eradicate the crypto-ransomware, and resume mission-critical operations. Because ransomware takes time to spread, attacks are often launched at night, when they are likely to take longer to detect. This multiplies the difficulty of rapidly assembling and orchestrating a capable response team.
Progent offers an assortment of help services for protecting businesses from crypto-ransomware attacks. These include team training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus installation of next-generation security gateways with AI capabilities to rapidly identify and quarantine zero-day cyber threats. Progent also offers the services of seasoned ransomware recovery consultants with the talent and perseverance to reconstruct a breached system as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not guarantee that the cyber criminals will respond with the keys to decrypt all your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their data after having sent off the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC (between $120,000 and $400,000). This is far higher than the average crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to piece back together the key parts of your Information Technology environment. Without access to essential system backups, this calls for a wide complement of skill sets, top-notch team management, and the capability to work 24x7 until the task is complete.
For two decades, Progent has offered professional Information Technology services for companies in Irving and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained advanced certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have garnered internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent in addition has expertise in financial management and ERP application software. This breadth of expertise gives Progent the ability to quickly identify the systems that must be recovered first, organize the remaining pieces of your network following a ransomware event, and configure them into a functioning network.
Progent's ransomware team of experts uses top-notch project management systems to coordinate the complex recovery process. Progent knows the urgency of working swiftly and in concert with a client's management and IT staff to prioritize tasks and to get critical applications back online as soon as possible.
Client Story: A Successful Ransomware Virus Response
A small business engaged Progent after their network was brought down by the Ryuk ransomware virus. Ryuk is generally considered to have been deployed by North Korean government-sponsored hackers, suspected of adopting algorithms leaked from America's National Security Agency. Ryuk seeks out specific businesses with limited tolerance for disruption and is among the most lucrative iterations of ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. The majority of the client's information backups had been online at the time of the intrusion and were encrypted. The client was evaluating paying the ransom (exceeding $200,000) and hoping for the best, but in the end engaged Progent.
"I cannot thank you enough for the help Progent gave us throughout the most critical period of (our) company's survival. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent group provided us. The fact that you were able to get our messaging and essential servers back online sooner than seven days was amazing. Every single person I worked with or texted at Progent was laser focused on getting us operational and was working 24 by 7 on our behalf."
Progent worked together with the customer to quickly understand and prioritize the essential systems that had to be restored to make it possible to continue company operations:
- Microsoft Active Directory
- Microsoft Exchange Server
To get going, Progent followed incident response industry best practices by halting the spread and disinfecting systems. Progent then began the task of recovering Active Directory, the key technology of enterprise systems built on Microsoft Windows Server. Microsoft Exchange Server messaging will not operate without Windows AD, and the client's MRP system relied on Microsoft SQL Server, which needs Active Directory for access to the data.
Within 48 hours, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then completed setup and hard drive recovery of essential servers. All Exchange Server schema and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to find intact OST data files (Outlook Offline Data Files) on staff desktop computers and laptops in order to recover mail data. A relatively recent offline backup of the client's accounting/ERP systems made it possible to bring these essential services back online for users. Although a large amount of work still had to be done to recover completely from the Ryuk virus, critical services were recovered quickly:
"For the most part, the manufacturing operation ran fairly normal throughout and we produced all customer deliverables."
Throughout the next few weeks key milestones in the recovery project were completed in tight collaboration between Progent engineers and the customer:
- Internal web sites were restored without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived messages, was brought online and made available to users.
- CRM, Customer Orders, Invoices, Accounts Payable, Accounts Receivable (AR), and Inventory functions were 100 percent restored.
- A new Palo Alto Networks 850 firewall was brought on-line.
- 90% of the user desktops were functioning as before the incident.
"A lot of what transpired in the early hours is nearly entirely a haze for me, but my management will not forget the commitment each of your team put in to give us our company back. I have been working with Progent for the past 10 years, maybe more, and each time I needed help Progent has shined and delivered. This event was a testament to your capabilities."
A potential enterprise-killing disaster was averted thanks to dedicated professionals, a wide range of subject matter expertise, and close collaboration. Forensics completed afterwards showed that the ransomware attack detailed here could have been identified and disabled with modern security technology solutions and recognized best practices, user and IT administrator education, well-thought-out incident response procedures for information protection, and keeping systems up to date with security patches. The fact remains, however, that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's roster of professionals has a proven track record in ransomware virus defense, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), I'm grateful for making it so I could get some sleep after we made it over the first week. Everyone did an impressive effort, and if any of your team is visiting the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Irving a range of remote monitoring and security evaluation services designed to help you minimize your exposure to crypto-ransomware. These services use next-generation machine learning technology to uncover zero-day variants of crypto-ransomware that are able to escape detection by traditional signature-based security solutions.
For 24x7 Irving Crypto Repair Consulting, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses cutting-edge behavior-based machine learning tools to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-based anti-virus tools. ProSight ASM safeguards local and cloud resources and provides a unified platform to address the entire malware attack progression, including filtering, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection managed services offer affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to security threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge tools incorporated within one agent accessible from a single console. Progent's security and virtualization experts can assist your business to design and implement a ProSight ESP environment that meets your organization's specific needs and that allows you to achieve and demonstrate compliance with government and industry information protection standards. Progent will help you specify and implement the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent's consultants can also assist you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and mid-sized organizations an affordable and fully managed service for reliable backup and disaster recovery. Available at a low monthly rate, ProSight Data Protection Services automates and monitors your backup activities and enables rapid recovery of critical data, apps and virtual machines that have become unavailable or corrupted as a result of component breakdowns, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on a local device, or both. Progent's backup and recovery specialists can deliver advanced support to set up ProSight Data Protection Services to comply with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can assist you to restore your critical data. Find out more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security vendors to deliver centralized management and comprehensive protection for your inbound and outbound email. The layered structure of Progent's Email Guard managed service combines cloud-based filtering with a local gateway device to offer complete defense against spam, viruses, denial of service (DoS) attacks, directory harvest attacks, and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper level of inspection for inbound email. For outbound email, the onsite gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also help Exchange Server track and protect internal email that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map, track, optimize and debug their networking hardware such as routers, switches, firewalls, and load balancers, plus servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are kept current, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can cut hours off common tasks like network mapping, expanding your network, locating devices that need important software patches, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system operating efficiently by checking the health of critical assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT management personnel and your assigned Progent engineering consultant so that all looming issues can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hosting environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect data about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save as much as half of the time spent looking for vital information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your network infrastructure, like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.