Ransomware: Your Worst IT Disaster
Ransomware has become a modern cyber plague and an enterprise-level danger for any business exposed to an attack. Older families such as CrySIS, CryptoWall, Bad Rabbit, SamSam and MongoLock have been in the wild for years and still cause damage. Newer families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Egregor, along with less publicized malware, not only encrypt critical online data but also seek out and encrypt or delete any backups reachable from the compromised network. Files synchronized to an off-site disaster recovery site can be encrypted as well, because replication faithfully copies the encrypted versions over the good ones. In a vulnerable environment this renders automated restoration useless and effectively knocks the network back to square one.
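As an added illustration of the point above (example code written for this page, not Progent's tooling), the following Python audits a backup target's settings for the two properties that let it survive a compromised network: object versioning, so that an encrypted overwrite does not replace the only copy, and a write-once retention lock, so that a stolen backup credential cannot delete the earlier versions. The page names no particular platform; the example assumes Amazon S3 as one concrete instance, and its input dicts are shaped like the responses of boto3's `get_bucket_versioning()` and `get_object_lock_configuration()`. The sample targets are constructed and the checker runs offline.

```python
"""Audit a backup target for the settings that let it survive a
ransomware event. Added example for this page, not Progent's tooling.

Inputs mirror the dict shapes boto3 returns from
s3.get_bucket_versioning() and s3.get_object_lock_configuration()
(assumption: S3 is used as one concrete immutable-storage platform;
the page itself names none). Sample values below are constructed."""
from typing import Dict, List, Optional


def audit_backup_target(name: str,
                        versioning: Dict,
                        object_lock: Optional[Dict],
                        min_retention_days: int = 30) -> List[str]:
    """Return a list of findings; an empty list means the target passes.

    versioning: response of get_bucket_versioning(); 'Status' is absent
                when versioning was never enabled.
    object_lock: response of get_object_lock_configuration(), or None if
                 the call raised ObjectLockConfigurationNotFoundError.
    """
    findings: List[str] = []

    # 1. Versioning: without it, a sync of encrypted files simply
    #    overwrites the good copy, which is how DR replicas get "infected".
    if versioning.get("Status") != "Enabled":
        findings.append(f"{name}: versioning not enabled; an encrypted "
                        "overwrite replaces the only copy")

    # 2. Object lock: without it, whoever holds the backup credential
    #    (the attacker, once the backup server is taken) can purge versions.
    lock = (object_lock or {}).get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append(f"{name}: object lock not enabled; prior versions "
                        "can be deleted with the backup credentials")
        return findings  # retention checks are moot without a lock

    # 3. Retention mode and length. GOVERNANCE mode can be bypassed by a
    #    principal holding s3:BypassGovernanceRetention; COMPLIANCE cannot.
    rule = lock.get("Rule", {}).get("DefaultRetention", {})
    mode = rule.get("Mode")
    days = rule.get("Days", 0) or rule.get("Years", 0) * 365
    if mode != "COMPLIANCE":
        findings.append(f"{name}: retention mode is {mode or 'unset'}; "
                        "only COMPLIANCE resists a privileged attacker")
    if days < min_retention_days:
        findings.append(f"{name}: default retention of {days} days is "
                        f"below the {min_retention_days}-day minimum")
    return findings


# Constructed samples (not real accounts).
# A plain mirror target: the typical "synced to DR" setup that ransomware
# overwrites along with production.
MIRROR_TARGET = {"versioning": {}, "object_lock": None}

# Versioned, but the lock can be bypassed and is too short to outlast the
# attacker's dwell time before encryption is triggered.
GOVERNANCE_TARGET = {
    "versioning": {"Status": "Enabled", "MFADelete": "Disabled"},
    "object_lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
}

# Hardened target: versioned, write-once, 30-day compliance retention.
HARDENED_TARGET = {
    "versioning": {"Status": "Enabled", "MFADelete": "Disabled"},
    "object_lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}},
}


def audit_all(targets: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Audit every named target and return findings keyed by name."""
    return {name: audit_backup_target(name, t["versioning"], t["object_lock"])
            for name, t in targets.items()}


if __name__ == "__main__":
    for name, findings in audit_all({"mirror": MIRROR_TARGET,
                                     "governance": GOVERNANCE_TARGET,
                                     "hardened": HARDENED_TARGET}).items():
        print(name, "PASS" if not findings else "\n  ".join([""] + findings))
```

Run against live buckets by feeding the checker the real API responses; the retention minimum should be longer than the time an intruder can plausibly sit in the network before encrypting, since versions that expire during that dwell time are no help on the day of the attack.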
Bringing applications and data back online after a crypto-ransomware event becomes a race against time as the targeted business struggles to contain and remove the ransomware and to resume business-critical operations. Because the attackers need time to move laterally and stage the payload, the encryption is often triggered on weekends and at night, when a successful intrusion typically takes longer to notice. This compounds the difficulty of quickly marshalling and coordinating a knowledgeable response team.
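As an added example of what a defender can watch for (written for this page, not Progent's ASM product or any Progent code), the following Python scans process-creation events for the commands ransomware operators commonly run to destroy local recovery points before encrypting, and flags whether they fired outside business hours, the window described above. The log format is a hypothetical pipe-delimited one, the events are constructed, and the business-hours window (06:00 to 20:00 on weekdays) is an assumption to adjust for your site.

```python
"""Flag backup-destruction commands and off-hours timing in
process-creation logs. Added example for this page, not Progent's code.

Log format (hypothetical, one event per line):
    <ISO timestamp>|<host>|<user>|<parent image>|<command line>
All events below are constructed."""
import re
from datetime import datetime
from typing import Dict, List

# Commands widely documented as ransomware precursors: each one removes
# or disables a local recovery path so the host cannot be rolled back.
BACKUP_TAMPER_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
     "VSS shadow copies deleted"),
    (re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
     "VSS storage shrunk (purges existing shadow copies)"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
     "VSS shadow copies deleted via WMI"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
     "Windows Server Backup catalog deleted"),
    (re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
     "Windows recovery environment disabled"),
]

# Assumed business hours: 06:00-20:00, Monday to Friday.
BUSINESS_START, BUSINESS_END = 6, 20

# Constructed events: a Saturday 02:13 burst on a file server, plus two
# benign weekday events (Outlook launch, an admin listing shadow copies).
SAMPLE_LOG = """\
2020-10-17T02:13:05|FILESRV01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|vssadmin.exe Delete Shadows /All /Quiet
2020-10-17T02:13:06|FILESRV01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|wbadmin DELETE CATALOG -quiet
2020-10-17T02:13:07|FILESRV01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|bcdedit /set {default} recoveryenabled No
2020-10-14T10:22:41|WKS-0042|CORP\\jdoe|C:\\Windows\\explorer.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
2020-10-14T11:02:00|FILESRV01|CORP\\admin.it|C:\\Windows\\System32\\cmd.exe|vssadmin list shadows
"""


def parse_event(line: str) -> Dict:
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent, "cmdline": cmdline}


def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def scan_process_log(text: str) -> List[Dict]:
    """Return one alert per event whose command line matches a pattern."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for pattern, reason in BACKUP_TAMPER_PATTERNS:
            if pattern.search(ev["cmdline"]):
                off = is_off_hours(ev["ts"])
                alerts.append({**ev, "reason": reason, "off_hours": off,
                               "severity": "critical" if off else "high"})
                break
    return alerts


def hosts_with_destruction_sequence(alerts: List[Dict],
                                    window_minutes: int = 10) -> List[str]:
    """Hosts on which two or more distinct techniques fired within the
    window: the signature of an operator clearing the way for encryption,
    as opposed to a lone administrative command."""
    by_host: Dict[str, List[Dict]] = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    flagged = []
    for host, evs in by_host.items():
        evs.sort(key=lambda a: a["ts"])
        for i, first in enumerate(evs):
            in_window = [a for a in evs[i:]
                         if (a["ts"] - first["ts"]).total_seconds()
                         <= window_minutes * 60]
            if len({a["reason"] for a in in_window}) >= 2:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    found = scan_process_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['ts']} {a['host']} {a['user']}: "
              f"{a['reason']} (off-hours={a['off_hours']})")
    print("hosts showing a destruction sequence:",
          hosts_with_destruction_sequence(found))
```

The single-command matches are worth an alert on their own, but the sequence check is what separates an attack in progress from an administrator cleaning up disk space: three different recovery paths destroyed within seconds, under a backup service account, at two in the morning on a Saturday, is the moment to isolate the host rather than wait for the encryption to start.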
Progent offers an assortment of services for protecting organizations from ransomware. These include employee training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection and remote management, and deployment of modern security solutions with machine-learning capabilities that automatically detect and contain previously unseen threats. Progent also offers the assistance of seasoned ransomware recovery professionals with the track record and commitment to get a compromised network back in operation as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminals will provide the keys to decrypt any or all of your files. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far higher than the typical ransomware demand, which ZDNet put at approximately $13,000. The other path is to rebuild the key elements of your IT environment. Without full, uncompromised backups this calls for a wide complement of skills, well-coordinated project management, and the ability to work continuously until the job is done.
For decades, Progent has provided certified expert IT services for companies in Nashville and throughout the US, and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold top certifications in leading technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC (see Progent's certifications). Progent also has expertise in accounting and ERP software. This breadth of experience lets Progent quickly identify the critical systems, salvage the intact parts of your IT environment after a ransomware attack, and assemble them into an operational network.
Progent's ransomware team uses robust project management tools to orchestrate the complex recovery process. Progent appreciates the importance of working quickly and in concert with a customer's management and IT staff to prioritize tasks and bring critical systems back online as fast as possible.
Client Case Study: A Successful Ransomware Penetration Restoration
A client contacted Progent after their network was taken down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the Hermes ransomware, but subsequent analysis tied its operation to Russian-speaking criminal groups that gain initial access through commodity trojans such as TrickBot. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with about 500 employees. The Ryuk attack had paralyzed all essential business and manufacturing processes. Most of the client's backups were online when the attack began and were encrypted along with the production data. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for the best, but in the end called Progent.
"I can't speak enough about the care Progent provided us throughout the most stressful period of (our) business's survival. We had little choice but to pay the Hackers if not for the confidence the Progent experts provided us. The fact that you could get our e-mail system and essential servers back on-line quicker than five days was beyond my wildest dreams. Every single consultant I interacted with or messaged at Progent was absolutely committed to getting our company operational and was working 24 by 7 to bail us out."
Progent worked with the client to quickly identify and prioritize the essential services that had to be restored in order to resume departmental operations:
- Microsoft Active Directory
- Electronic messaging (Microsoft Exchange Server)
- Accounting and manufacturing (MRP) software
To begin, Progent followed ransomware incident response best practice by isolating and cleaning the infected systems. Progent then started rebuilding Active Directory, the core of any enterprise network built on Microsoft technology. Microsoft Exchange Server will not function without AD, and the client's accounting and MRP software ran on Microsoft SQL Server, which relied on Active Directory for authentication and authorization to the database.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then began reinstalling and recovering the hard drives of critical systems. All Exchange data and AD attributes were usable, which sped up the rebuild of Exchange. Progent was able to collect intact OST files (Microsoft Outlook Offline Data Files) from staff workstations in order to recover email messages. A reasonably recent offline backup of the customer's accounting systems made it possible to return those essential applications to users. Although major work remained before the recovery from Ryuk was complete, essential systems were back in operation quickly:
"For the most part, the production line operation was never shut down and we made all customer deliverables."
During the following month critical milestones in the restoration project were accomplished through close cooperation between Progent engineers and the customer:
- Internal web applications were returned to operation with no loss of information.
- The MailStore email archive, holding more than 4 million archived Exchange messages, was brought online and made accessible to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory modules were 100% recovered.
- A new Palo Alto Networks PA-850 firewall was installed.
- 90% of the user PCs were functioning as before the incident.
"Much of what went on in the initial days is mostly a fog for me, but my team will not forget the commitment all of your team put in to help get our business back. I have trusted Progent for the past 10 years, possibly more, and every time Progent has come through and delivered as promised. This time was a life saver."
A probable business-ending catastrophe was averted through the efforts of dedicated experts, a broad spectrum of technical expertise, and tight collaboration. In hindsight, the attack described here should have been stopped by current security tooling and recognized best practices: user and IT administrator training, offline or otherwise isolated backups, timely software patching, and rehearsed incident response procedures. The reality, however, is that well-resourced criminal and state-sponsored groups in Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware intrusion, remember that Progent's roster of professionals has proven experience in ransomware prevention, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), thank you for allowing me to get rested after we got over the initial fire. All of you did a fabulous effort, and if any of your team is visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Nashville a variety of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services include modern artificial intelligence technology to uncover new strains of ransomware that can evade traditional signature-based security solutions.
For 24x7 Nashville Crypto-Ransomware Removal Help, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates behavior-based machine learning to defend physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which routinely escape traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a single platform to address the complete malware attack progression including blocking, detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback using the Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Because that rollback depends on shadow copies, which ransomware commonly tries to delete before encrypting, it complements rather than replaces an isolated backup. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge technologies packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business to plan and implement a ProSight ESP deployment that addresses your organization's unique needs and that allows you to demonstrate compliance with government and industry data protection standards. Progent will assist you to specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent's consultants can also help you to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end service for reliable backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight DPS automates your backup processes and enables fast restoration of vital data, applications and VMs that have become lost or corrupted as a result of hardware breakdowns, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's backup and recovery consultants can deliver advanced expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory requirements like HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading information security companies to deliver web-based control and world-class protection for your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This decreases your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a further level of inspection for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map out, monitor, optimize and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers plus servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are kept updated, copies and displays the configuration information of virtually all devices on your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious network management processes, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, locating appliances that need critical updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the state of vital assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so that all looming problems can be addressed before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the apps. Because the system is virtualized, it can be ported easily to a different hosting environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard data related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSL/TLS certificates or domains. By updating and organizing your IT documentation, you can save up to half of the time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.