Ransomware : Your Feared IT Disaster
Ransomware has become an escalating cyberplague that poses an enterprise-level threat for businesses of all sizes vulnerable to an attack. Different iterations of ransomware such as CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for many years and still cause harm. The latest versions of crypto-ransomware such as Ryuk and Hermes, plus more as yet unnamed viruses, not only do encryption of on-line critical data but also infect many accessible system restores and backups. Data replicated to the cloud can also be corrupted. In a vulnerable data protection solution, this can make any restore operations impossible and basically knocks the entire system back to zero.
Restoring programs and data after a crypto-ransomware outage becomes a race against time as the victim tries its best to stop the spread and eradicate the ransomware and to restore enterprise-critical activity. Due to the fact that crypto-ransomware requires time to replicate, assaults are often launched during weekends and nights, when penetrations tend to take more time to notice. This multiplies the difficulty of rapidly assembling and coordinating a knowledgeable response team.
Progent makes available a variety of support services for securing businesses from crypto-ransomware attacks. Among these are user training to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security appliances with machine learning technology to quickly discover and quarantine zero-day cyber threats. Progent also can provide the assistance of experienced ransomware recovery consultants with the talent and commitment to re-deploy a compromised system as rapidly as possible.
Progent's Crypto-Ransomware Restoration Services
Subsequent to a ransomware attack, sending the ransom demands in Bitcoin cryptocurrency does not ensure that cyber hackers will provide the needed keys to decipher any of your files. Kaspersky estimated that 17% of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the usual crypto-ransomware demands, which ZDNET averages to be around $13,000. The other path is to setup from scratch the essential parts of your IT environment. Without the availability of complete system backups, this requires a wide range of skills, top notch project management, and the capability to work non-stop until the recovery project is completed.
For two decades, Progent has provided expert Information Technology services for businesses in New Orleans and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned top certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of expertise gives Progent the skills to rapidly ascertain critical systems and re-organize the surviving pieces of your Information Technology environment following a crypto-ransomware attack and rebuild them into an operational network.
Progent's recovery team utilizes best of breed project management tools to orchestrate the sophisticated recovery process. Progent understands the urgency of working quickly and in concert with a customerís management and IT team members to assign priority to tasks and to get key applications back on line as soon as humanly possible.
Customer Case Study: A Successful Ransomware Intrusion Recovery
A client engaged Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state sponsored hackers, possibly using strategies exposed from the U.S. NSA organization. Ryuk targets specific organizations with limited ability to sustain operational disruption and is among the most lucrative iterations of ransomware viruses. Major organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the beginning of the attack and were destroyed. The client was pursuing financing for paying the ransom (in excess of $200,000) and hoping for the best, but in the end utilized Progent.
"I canít speak enough in regards to the expertise Progent gave us during the most fearful time of (our) businesses survival. We may have had to pay the cyber criminals if it wasnít for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and critical servers back online faster than one week was amazing. Each expert I worked with or texted at Progent was urgently focused on getting my company operational and was working at all hours on our behalf."
Progent worked hand in hand the client to quickly determine and assign priority to the key applications that needed to be recovered in order to restart business functions:
To get going, Progent adhered to Anti-virus event mitigation best practices by stopping the spread and performing virus removal steps. Progent then started the steps of restoring Windows Active Directory, the foundation of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without AD, and the customerís financials and MRP system leveraged Microsoft SQL, which depends on Active Directory services for access to the data.
- Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
In less than two days, Progent was able to restore Active Directory services to its pre-virus state. Progent then performed rebuilding and hard drive recovery of needed systems. All Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to assemble local OST data files (Microsoft Outlook Off-Line Data Files) on staff PCs to recover mail information. A not too old offline backup of the customerís financials/MRP systems made it possible to recover these essential applications back servicing users. Although significant work needed to be completed to recover completely from the Ryuk event, the most important systems were returned to operations rapidly:
"For the most part, the manufacturing operation was never shut down and we did not miss any customer deliverables."
Throughout the following few weeks critical milestones in the recovery project were completed through close collaboration between Progent team members and the client:
- Internal web sites were brought back up without losing any data.
- The MailStore Server with over 4 million archived emails was restored to operations and available for users.
- CRM/Product Ordering/Invoices/AP/AR/Inventory functions were completely restored.
- A new Palo Alto 850 firewall was set up and programmed.
- Ninety percent of the desktops and laptops were back into operation.
"So much of what transpired those first few days is nearly entirely a fog for me, but we will not soon forget the urgency each of your team accomplished to help get our company back. Iíve entrusted Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This time was the most impressive ever."
A possible business extinction disaster was avoided with top-tier experts, a wide array of subject matter expertise, and close collaboration. Although in post mortem the ransomware virus attack described here would have been shut down with current security technology solutions and NIST Cybersecurity Framework best practices, user training, and appropriate security procedures for information backup and keeping systems up to date with security patches, the reality remains that government-sponsored hackers from Russia, China and elsewhere are relentless and will continue. If you do get hit by a ransomware attack, feel confident that Progent's roster of experts has proven experience in ransomware virus blocking, mitigation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), Iím grateful for making it so I could get some sleep after we made it over the most critical parts. All of you did an fabulous job, and if any of your guys is visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in New Orleans a portfolio of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services incorporate next-generation machine learning capability to detect zero-day variants of crypto-ransomware that can get past legacy signature-based anti-virus products.
For 24x7 New Orleans Crypto Removal Consulting, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes next generation behavior analysis tools to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily evade traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform to manage the entire threat lifecycle including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection managed services deliver economical in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP environment that addresses your organization's unique requirements and that helps you demonstrate compliance with government and industry information protection regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent's consultants can also help you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized businesses an affordable end-to-end solution for reliable backup/disaster recovery. Available at a low monthly price, ProSight DPS automates your backup processes and allows fast restoration of critical data, apps and VMs that have become unavailable or damaged as a result of component breakdowns, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or to both. Progent's backup and recovery specialists can deliver world-class support to set up ProSight DPS to to comply with regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your critical information. Read more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top data security companies to provide web-based control and comprehensive protection for all your email traffic. The powerful structure of Email Guard integrates cloud-based filtering with an on-premises gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from making it to your network firewall. This decreases your exposure to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises gateway device adds a further level of analysis for inbound email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server to track and safeguard internal email that originates and ends within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map out, monitor, optimize and debug their connectivity hardware such as routers and switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology maps are always current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates notices when problems are discovered. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off common chores such as making network diagrams, reconfiguring your network, locating appliances that need important software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to help keep your IT system operating at peak levels by tracking the health of critical computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your specified IT management staff and your Progent consultant so any looming issues can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's network support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported immediately to a different hosting environment without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard information related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSLs ,domains or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as 50% of time thrown away looking for critical information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents required for managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether youíre making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.