Ransomware : Your Worst Information Technology Catastrophe
Crypto-ransomware has become a modern cyber pandemic that presents an extinction-level threat to businesses of all sizes that are unprepared for an attack. Multiple generations of ransomware, including the CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms, have been around for years and continue to inflict harm. More recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, plus additional unnamed malware, not only encrypt online files but also corrupt or encrypt every reachable system restore point and backup. Information synchronized to cloud environments can also be ransomed. In a poorly designed system this can make any restore operation impossible and effectively knocks the entire environment back to zero.
Restoring services and data after a ransomware attack becomes a race against the clock as the victim fights to contain and remove the malware and resume business-critical activity. Because ransomware takes time to spread, attacks are frequently launched during nights and weekends, when a successful intrusion typically takes longer to notice. This multiplies the difficulty of promptly assembling and coordinating a capable response team.
Progent makes available a variety of support services for protecting enterprises from ransomware events. Among these are staff education to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security solutions that use machine learning to intelligently identify and quarantine new cyber attacks. Progent also provides experienced ransomware recovery consultants with the skills and perseverance to re-deploy a compromised network as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Even after a ransomware attack, paying the ransom demand in Bitcoin does not ensure that the remote criminals will hand over the keys to decrypt all your data. Kaspersky determined that seventeen percent of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The ransom itself is also very costly: Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet estimates at around $13,000. The fallback is to rebuild the key parts of your IT environment from scratch. Without access to essential data backups, this requires a wide range of skill sets, top-notch project management, and the ability to work continuously until the task is completed.
For twenty years, Progent has provided expert IT services to businesses in Lawrence and throughout the United States and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold top industry certifications in leading technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cyber security experts have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP software. This breadth of experience gives Progent the capability to knowledgeably identify the important systems, salvage the surviving parts of your IT environment following a crypto-ransomware attack, and reassemble them into a functioning system.
Progent's ransomware team uses powerful project management tools to orchestrate the complex restoration process. Progent understands the importance of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and get essential applications back online as fast as possible.
Client Case Study: A Successful Ransomware Virus Restoration
A client contacted Progent after their network was brought down by Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean state-backed criminal groups, possibly using tools leaked from the U.S. National Security Agency. Ryuk targets specific companies with limited ability to tolerate disruption and is among the most profitable strains of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with about 500 employees. The Ryuk intrusion had paralyzed all essential business and manufacturing operations. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.
"I cannot tell you enough in regards to the support Progent gave us during the most critical period of (our) company's survival. We had little choice but to pay the Hackers except for the confidence the Progent team provided us. That you were able to get our e-mail system and critical servers back faster than seven days was beyond my wildest dreams. Every single consultant I got help from or messaged at Progent was laser focused on getting our system up and was working day and night to bail us out."
Progent worked hand in hand with the client to rapidly assess and prioritize the critical services that had to be restored before company operations could resume:
- Microsoft Active Directory
- Exchange Server
- MRP System
To start, Progent followed anti-virus and anti-malware intrusion mitigation best practices by stopping the spread and cleaning up infected systems. Progent then began rebuilding Windows Active Directory, the core technology of enterprise networks built on Microsoft Windows. Microsoft Exchange Server messaging will not operate without Active Directory, and the business's financial and MRP applications ran on SQL Server, which depends on Active Directory to authenticate and authorize access to the data.
Within 48 hours, Progent restored Windows Active Directory to its pre-intrusion state. Progent then helped reinstall essential applications and recover their storage. All Exchange Server schema and configuration information was intact, which simplified the restoration of Exchange. Progent was also able to collect intact OST files (Outlook Offline Data Files) from various desktop computers to recover mail messages. A reasonably recent offline backup of the client's accounting/ERP software made it possible to bring these vital applications back online for users. Although significant work remained to recover fully from the Ryuk damage, the most important services were returned to operation rapidly:
"For the most part, the production operation ran fairly normal throughout and we delivered all customer orders."
During the following few weeks, important milestones in the restoration process were completed in close collaboration between Progent engineers and the customer:
- In-house web sites were brought back up with no loss of information.
- The MailStore Exchange Server with over 4 million historical messages was brought online and made available to users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivable/Inventory Control modules were 100% functional.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- 90% of the user desktops and notebooks were fully operational.
"So much of what went on that first week is nearly entirely a blur for me, but I will not forget the countless hours all of you accomplished to give us our company back. I've entrusted Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."
A likely company-ending disaster was averted through the efforts of dedicated professionals, a broad array of knowledge, and close collaboration. In hindsight, the crypto-ransomware intrusion described here could have been prevented with modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and sound procedures for backing up data and keeping systems current with security patches. The reality remains, however, that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware intrusion, you can be confident that Progent's roster of professionals has proven experience in ransomware blocking, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thank you for making it so I could get rested after we got over the initial push. Everyone did an incredible effort, and if any of your guys is visiting the Chicago area, dinner is my treat!"
To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Lawrence a variety of remote monitoring and security evaluation services designed to help you reduce your exposure to ransomware. These services include next-generation machine learning technology to detect zero-day strains of ransomware that evade detection by legacy signature-based security solutions.
For Lawrence 24x7x365 Ransomware Remediation Support Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses next-generation behavior-based analysis to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily evade legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to address the complete malware attack lifecycle, including protection, detection, mitigation, remediation, and post-attack forensics. Key features include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services offer economical in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of and response to security attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies incorporated within one agent managed from a single console. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP environment that addresses your organization's unique requirements and that allows you to achieve and demonstrate compliance with government and industry data protection regulations. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also help your company install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and medium-sized organizations a low-cost, fully managed solution for reliable backup and disaster recovery (BDR). Available at a low monthly cost, ProSight DPS automates your backup activities and enables rapid recovery of vital files, applications and VMs that have become unavailable or corrupted due to component failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on a local storage device, or both. Progent's cloud backup consultants can deliver world-class support to set up ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, when needed, can help you recover your business-critical data. Read more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of leading data security vendors to deliver centralized management and world-class security for all your inbound and outbound email. The powerful architecture of Email Guard combines cloud-based filtering with an on-premises gateway appliance to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and keeps most threats from ever reaching your network firewall. This decreases your exposure to external attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway device adds a further level of inspection for incoming email. For outbound email, the onsite gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server in monitoring and safeguarding internal email traffic that stays within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to map, track, reconfigure and debug their connectivity appliances such as routers, switches, firewalls and wireless controllers, plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and displays the configuration information of almost all devices on your network, tracks performance, and generates alerts when issues are discovered. By automating complex management activities, WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, locating appliances that require critical updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to help keep your network running at peak levels by checking the state of the vital assets that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT management staff and your Progent engineering consultant so that any looming issues can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hosting environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect data about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can save as much as 50% of time spent searching for critical information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.