Ransomware: Your Feared IT Nightmare
Crypto-ransomware has become an all-too-frequent cyber pandemic that represents an enterprise-level danger for organizations poorly prepared for an assault. Successive iterations of ransomware such as Reveton, CryptoWall, Locky, NotPetya and the MongoLock cryptoworm have been replicating for years and continue to inflict damage. Recent strains such as Ryuk and Hermes, as well as frequent unnamed malware, not only encrypt critical on-line data but also seek out and destroy any reachable system backup. Data synced to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can make any restoration hopeless and essentially sets the datacenter back to zero.
Recovering applications and data after a ransomware attack becomes a race against time as the targeted business struggles to stop the spread, remove the ransomware, and restore business-critical activity. Because ransomware takes time to move laterally, attacks are usually sprung during nights and weekends, when they often take longer to notice. This compounds the difficulty of promptly mobilizing and coordinating a capable mitigation team.
Progent offers an assortment of support services for securing enterprises against ransomware events. These include staff training to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the setup and configuration of next-generation security solutions with artificial intelligence capabilities to rapidly detect and suppress new cyber threats. Progent also provides the services of expert ransomware recovery professionals with the track record and perseverance to restore a compromised network as rapidly as possible.
Progent's Crypto-Ransomware Restoration Services
Soon after a crypto-ransomware event, paying the ransom demand in Bitcoin does not ensure that the criminal gang will return the keys needed to decrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their files after paying the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000), far higher than the typical ransomware demand, which ZDNet determined to be in the range of $13,000. The other path is to set up the critical components of your IT environment from scratch. Without full data backups, this requires a wide complement of skills, well-coordinated team management, and the ability to work non-stop until the task is over.
For twenty years, Progent has provided professional Information Technology services for businesses in Manchester and throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold high-level certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of expertise gives Progent the ability to quickly understand critical systems, reorganize the surviving components of your Information Technology environment after a crypto-ransomware event, and configure them into an operational network.
Progent's security team uses best-of-breed project management systems to orchestrate the complicated restoration process. Progent appreciates the importance of working quickly and in unison with a client's management and IT staff to prioritize tasks and to put the most important applications back on-line as soon as humanly possible.
Customer Case Study: A Successful Ransomware Attack Recovery
A business engaged Progent after their company was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored hackers, possibly using techniques leaked from America's NSA. Ryuk targets specific companies with little or no tolerance for operational disruption and is one of the most profitable instances of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer based in the Chicago metro area with around 500 employees. The Ryuk attack had brought down all business operations and manufacturing processes. The majority of the client's backups had been directly accessible from the network at the time of the intrusion and were destroyed. The client was evaluating paying the ransom demand (more than $200K) and hoping for good luck, but in the end brought in Progent.
"I can't say enough about the help Progent gave us during the most fearful time of (our) business's existence. We would have paid the hackers except for the confidence the Progent group gave us. That you could get our e-mail and essential applications back in less than five days was something I thought impossible. Every single expert I worked with or texted at Progent was totally committed to getting us back on-line and was working 24/7 on our behalf."
Progent worked together with the client to quickly identify and prioritize the mission-critical services that had to be restored in order to restart company operations:
- Active Directory
- MRP System
To get going, Progent followed industry best practices for AV/malware incident mitigation by halting the spread and performing virus removal steps. Progent then began recovering Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Exchange email will not work without Active Directory, and the client's financial and MRP applications used SQL Server, which requires Windows AD for access to the databases.
In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then assisted with reinstallations and storage recovery on key systems. All Exchange Server connections and configuration information were intact, which greatly helped the restoration of Exchange. Progent was able to locate unencrypted OST files (Outlook Off-Line Folder Files) on staff PCs and used them to recover mail data. A reasonably recent off-line backup of the customer's accounting software made it possible to bring these essential applications back online. Although a large amount of work remained to recover completely from the Ryuk attack, essential services were recovered rapidly:
"For the most part, the assembly line operation ran fairly normally throughout and we made all customer sales."
During the next few weeks key milestones in the restoration project were accomplished in close collaboration between Progent team members and the customer:
- Self-hosted web applications were returned to operation without losing any information.
- The MailStore archive for Microsoft Exchange Server, containing more than four million archived messages, was spun up and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were fully recovered.
- A new Palo Alto Networks 850 firewall was brought online.
- Ninety percent of the user PCs were back in use by staff.
"A lot of what transpired that first week is mostly a blur for me, but I will not soon forget the countless hours each and every one of you put in to help get our company back. I have been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered. This time was a stunning achievement."
A potentially business-ending disaster was averted by hard-working professionals, a wide spectrum of knowledge, and close teamwork. In retrospect, the ransomware incident described here could have been stopped by advanced cyber security technology, adherence to NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, well-designed incident response procedures for information protection, and proper patching controls. The fact remains, however, that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware incursion, remember that Progent's roster of professionals has a proven track record in crypto-ransomware defense, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), I'm grateful for allowing me to get some sleep after we got over the initial fire. Everyone made a fabulous effort, and if anyone is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this customer story, click: Progent's Ryuk Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Manchester with a range of remote monitoring and security assessment services to help minimize the threat from ransomware. These services incorporate next-generation AI capability to detect zero-day strains of ransomware that can evade legacy signature-based anti-virus solutions.
For Manchester 24-Hour CryptoLocker Cleanup Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next-generation behavior analysis tools to defend physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely escape traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to address the complete malware attack progression, including protection, detection, mitigation, remediation, and post-attack forensics. Top features include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer economical multi-layer protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and response to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools packaged within one agent accessible from a single console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP deployment that addresses your organization's specific requirements and allows you to prove compliance with government and industry information protection regulations. Progent will assist you in defining and configuring the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also help you set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable end-to-end solution for secure backup and disaster recovery (BDR). Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and enables fast restoration of vital files, applications and VMs that have become lost or damaged due to hardware failures, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, and Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class expertise to set up ProSight DPS to comply with regulatory standards such as HIPAA, FERPA, and PCI and, when needed, can assist you in recovering your business-critical information. Find out more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security companies to deliver web-based management and comprehensive protection for your inbound and outbound email. The powerful structure of the Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper level of inspection for inbound email. For outbound email, the onsite security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server monitor and protect internal email that originates and ends inside your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to diagram, monitor, enhance and troubleshoot their connectivity appliances such as switches, firewalls, and access points, plus servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept current, captures and manages the configuration information of virtually all devices on your network, monitors performance, and generates alerts when problems are discovered. By automating time-consuming network management activities, WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, locating devices that need important software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by tracking the state of the critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management personnel and your assigned Progent consultant so that potential problems can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Since the system is virtualized, it can be moved easily to a different hosting solution without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect information about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can save as much as 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.