Ransomware: Your Feared IT Nightmare
Ransomware has become a modern cyber pandemic and represents an extinction-level danger for businesses of every size that are unprepared for an attack. Multiple generations of ransomware such as Dharma, CryptoWall, Locky, Syskey and MongoLock have been in the wild for years and still inflict damage. Newer crypto-ransomware families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim, along with as yet unnamed malware, not only encrypt on-line files but also seek out and destroy any system backups reachable from the compromised network. Data replicated to off-site disaster recovery sites can be rendered useless as well, because replication faithfully copies the encrypted files. In a poorly architected data protection solution this makes automated recovery impossible and effectively sets the datacenter back to square one.
Recovering programs and data after a ransomware event becomes a sprint against the clock as the targeted business fights to contain the damage, eradicate the ransomware and resume business-critical activity. Because encryption and spread across a network take time, attacks are frequently launched at night, when intrusions typically take longer to discover. This multiplies the difficulty of promptly assembling and coordinating a qualified response team.
Progent offers an assortment of services for protecting businesses from ransomware. Among these are user training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for behavior-based endpoint protection, and deployment of current-generation security gateways with machine learning capabilities to quickly identify and block zero-day threats. Progent can also provide seasoned ransomware recovery consultants with the skill and commitment to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys to decrypt any or all of your data. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also very costly: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet has averaged at about $13,000. The alternative is to rebuild the mission-critical components of your IT environment. Without full, intact backups, this calls for a broad set of skills, top-notch project management, and the ability to work around the clock until the recovery is complete.
For twenty years, Progent has provided expert IT services to companies in Midland and throughout the US and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of experience gives Progent the skills to quickly understand critical systems, gather the surviving components of your IT environment after a crypto-ransomware penetration, and configure them into a functioning system.
Progent's security team uses best-of-breed project management applications to orchestrate the complicated recovery process. Progent appreciates the importance of working quickly and together with a customer's management and IT staff to prioritize tasks and to get key services back on line as fast as humanly possible.
Case Study: A Successful Ransomware Intrusion Recovery
A client sought out Progent after their company was crippled by Ryuk crypto-ransomware. Ryuk shares code with the earlier Hermes ransomware and was at first attributed by some analysts to North Korean state-sponsored hackers; later analysis tied its operation to a Russian-speaking criminal group. Ryuk targets organizations with little ability to tolerate operational disruption and is one of the most profitable ransomware families. Publicly reported victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business in the Chicago metro area with about 500 employees. The Ryuk attack had shut down all essential business and manufacturing processes. Most of the client's backups were directly accessible from the compromised network at the start of the attack and were destroyed. The client was considering paying the ransom (more than $200,000) and hoping for the best, but in the end engaged Progent.
"I can't tell you enough about the help Progent gave us throughout the most stressful time of (our) company's life. We would have paid the cyber criminals except for the confidence the Progent group provided us. The fact that you could get our e-mail and essential servers back in less than five days was something I thought impossible. Each consultant I worked with or e-mailed at Progent was absolutely committed on getting us back online and was working non-stop on our behalf."
Progent worked with the client to quickly understand and prioritize the key elements that had to be restored in order to resume company operations:
First, Progent followed incident response best practices by isolating compromised systems to halt lateral movement and removing the malware. Progent then began rebuilding Microsoft Active Directory, the foundation of enterprise environments built on Microsoft technology: Exchange email cannot operate without Active Directory, and the customer's MRP system ran on Microsoft SQL Server, which relied on Active Directory for authentication to the data.
- Windows Active Directory
Within two days, Progent had recovered Active Directory to its pre-intrusion state. Progent then assisted with rebuilding the needed systems and recovering their storage. All Exchange schema and configuration information held in Active Directory was intact, which greatly simplified the Exchange restore. Progent was able to gather the local OST files (Outlook Offline Data Files, which hold a cached copy of each user's mailbox) from user desktops and laptops to recover email data. A recent off-line backup of the client's financials/ERP software allowed these vital services to be brought back into production. Although significant work remained to recover completely from Ryuk, the most important systems were restored rapidly:
"For the most part, the production manufacturing operation never missed a beat and we delivered all customer deliverables."
Over the following month, important milestones in the restoration were reached through close cooperation between Progent consultants and the customer:
- Internal web sites were restored without losing any information.
- The MailStore email archive server holding more than 4 million archived Exchange messages was brought back online and made accessible to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables/Inventory Control functions were 100% restored.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Nearly all of the user desktops were functioning as before the incident.
"So much of what went on during the initial response is mostly a blur for me, but we will not forget the commitment all of the team accomplished to give us our business back. I have been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This situation was no exception but maybe more Herculean."
A likely business catastrophe was avoided through top-tier professionals, a wide spectrum of IT skills, and tight teamwork. Post-incident analysis showed that the ransomware intrusion described here could have been detected and stopped with current security tools and best practices, staff education, and properly executed procedures for data backup and software patching; the fact remains that attackers, whether criminal gangs or state-sponsored groups from China, North Korea and elsewhere, are relentless and will keep trying. If you are hit by a crypto-ransomware intrusion, remember that Progent's roster of experts has extensive experience in crypto-ransomware defense, mitigation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for making it so I could get rested after we made it past the most critical parts. All of you did an amazing effort, and if any of your team is in the Chicago area, a great meal is on me!"
To review or download a PDF version of this case study, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Midland a portfolio of online monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services incorporate machine learning to detect new ransomware strains that evade traditional signature-based anti-virus solutions.
For Midland 24-7 Ransomware Repair Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses behavior-based machine learning to defend physical and virtual endpoints against modern malware such as ransomware and fileless attacks, which routinely escape legacy signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to address the entire attack progression: filtering, detection, containment, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly seen attacks. One caveat for any VSS-based rollback: it can only restore from shadow copies that survive the attack, and ransomware commonly deletes shadow copies before it starts encrypting, so the endpoint agent must block or alert on that step for rollback to be available. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
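Rollback from shadow copies depends on those copies surviving the attack, and ransomware routinely runs a short list of built-in Windows commands to delete Volume Shadow Copies and backup catalogs before encryption begins (the on-host side of the backup destruction described at the top of this page). A practitioner wants those commands detected as they happen. The Python below is an added example, not Progent's code and not part of ProSight ASM: it runs a small set of detection rules over process-creation telemetry and raises severity when the parent process runs from a user-writable directory. The event format, Sysmon-style field names and all sample values are constructed assumptions for illustration, not telemetry from the incident on this page.

```python
"""Detect recovery-inhibition commands in Windows process-creation telemetry.

Added example (not Progent's code, not telemetry from the incident on this
page).  Ransomware commonly deletes Volume Shadow Copies and backup catalogs
before encrypting, so that VSS-based rollback has nothing to roll back to
(MITRE ATT&CK T1490, Inhibit System Recovery).  The sample events below are
constructed to resemble Sysmon Event ID 1 (ProcessCreate) records serialized
as JSON lines; the field names follow Sysmon, every value is made up.
"""
import json
import re
from dataclasses import dataclass

# (technique label, pattern over the full command line).  Case-insensitive so
# "Delete Shadows" and "delete shadows" both match; ".*" tolerates extra
# switches and quoting between the tokens.
RECOVERY_INHIBIT_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin delete catalog/backup",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
    ("bcdedit disable boot recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("Win32_ShadowCopy.Delete via PowerShell/WMI",
     re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
]

# A parent process running from a user-writable directory (typical for a
# freshly dropped payload) raises the severity of an otherwise admin-looking
# command.  Compared case-insensitively against the parent image path.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    technique: str
    severity: str
    image: str
    parent_image: str
    user: str
    command_line: str


def parent_is_user_writable(parent_image: str) -> bool:
    path = parent_image.lower()
    return any(d in path for d in USER_WRITABLE_DIRS)


def detect_recovery_inhibition(lines):
    """Return one Finding per ProcessCreate event whose command line matches a
    recovery-inhibition pattern.  Events that are not EventID 1, or that only
    *list* shadow copies, produce no finding."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        cmd = ev.get("CommandLine", "")
        for technique, pattern in RECOVERY_INHIBIT_PATTERNS:
            if pattern.search(cmd):
                parent = ev.get("ParentImage", "")
                findings.append(Finding(
                    technique=technique,
                    severity="high" if parent_is_user_writable(parent) else "medium",
                    image=ev.get("Image", ""),
                    parent_image=parent,
                    user=ev.get("User", ""),
                    command_line=cmd,
                ))
                break  # one finding per event is enough
    return findings


# Constructed sample telemetry (JSON lines, Sysmon-style field names).
SAMPLE_EVENTS = [
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe Delete Shadows /All /Quiet","ParentImage":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe","User":"CORP\\jdoe"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe List Shadows","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\backupadmin"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\wbadmin.exe","CommandLine":"wbadmin delete catalog -quiet","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\bcdedit.exe","CommandLine":"bcdedit /set {default} recoveryenabled No","ParentImage":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe","User":"CORP\\jdoe"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\"","ParentImage":"C:\\Users\\Public\\svc.exe","User":"CORP\\jdoe"}',
    r'{"EventID":1,"Image":"C:\\Program Files\\Backup\\agent.exe","CommandLine":"\"C:\\Program Files\\Backup\\agent.exe\" --backup-now","ParentImage":"C:\\Windows\\System32\\services.exe","User":"NT AUTHORITY\\SYSTEM"}',
    r'{"EventID":5,"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe Delete Shadows /All /Quiet","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\jdoe"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic shadowcopy delete /nointeractive","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\jdoe"}',
]

if __name__ == "__main__":
    for f in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.technique}: {f.command_line} "
              f"(parent {f.parent_image}, user {f.user})")
```

Run against the constructed events, the rules flag five of the eight records and ignore the legitimate `vssadmin List Shadows`, the backup agent's own command line, and the non-ProcessCreate record. In a real deployment the same patterns belong in the EDR or SIEM rule set with an automatic response (kill the process tree, isolate the host) rather than an after-the-fact report, because shadow-copy deletion is usually seconds ahead of encryption.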
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and machine learning to continuously monitor and respond to attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization experts can help you design and implement a ProSight ESP deployment that meets your company's specific needs and helps you demonstrate compliance with government and industry data security regulations. Progent will help you define and configure the security policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that require immediate action. Progent's consultants can also help you install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and medium-sized businesses a low cost and fully managed service for reliable backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight DPS automates and monitors your backup processes and allows rapid restoration of vital data, applications and virtual machines that have become unavailable or corrupted due to component failures, software glitches, disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's cloud backup consultants can deliver advanced expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you to restore your business-critical information. Read more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security companies to deliver centralized management and comprehensive security for your inbound and outbound email. The hybrid architecture of the Email Guard managed service combines cloud-based filtering with an on-premises gateway device to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to external threats and conserves network bandwidth and storage. Email Guard's on-premises gateway device provides a deeper level of analysis for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server monitor and protect internal email that stays within your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map out, track, optimize and debug their connectivity hardware such as switches, firewalls, and load balancers as well as servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and manages the configuration information of almost all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, finding appliances that require important software patches, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by tracking the health of vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT personnel and your Progent consultant so any looming problems can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported easily to an alternate hardware solution without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect information about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save as much as 50% of the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.