Crypto-Ransomware : Your Feared IT Nightmare
Ransomware has become a modern cyber pandemic that poses an existential danger to businesses of any size that are unprepared for an attack. Older crypto-ransomware families such as CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock have been circulating for years and continue to cause damage. Recent families such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Conti and Nefilim, along with frequent unnamed strains, not only encrypt online data files but also defeat many of the protection mechanisms configured in the environment, online backups included. Files synchronized to the cloud can be encrypted as well. In a vulnerable system, this renders automatic restoration useless and effectively knocks the datacenter back to zero.
Recovering applications and data after a ransomware attack becomes a race against time as the targeted organization tries to stop lateral movement, clean up the crypto-ransomware, and restore mission-critical operations. Because ransomware needs time to spread, attacks are typically launched on weekends and holidays, when a successful intrusion takes longer to detect. This multiplies the difficulty of rapidly marshalling and orchestrating a knowledgeable response team.
Progent offers a variety of services for protecting businesses from ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and the installation and configuration of current-generation security appliances with machine-learning capabilities that automatically identify and contain zero-day attacks. Progent also provides experienced crypto-ransomware recovery specialists with the track record and commitment to bring a compromised network back online as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware intrusion, paying the ransom demand in Bitcoin does not guarantee that the criminal gang will provide the keys to decrypt any of your data. Kaspersky estimated that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000), well above the typical ransomware demand, which ZDNet puts at around $13,000. The alternative is to rebuild the mission-critical parts of your IT environment from scratch. Without access to complete system backups, this requires a broad set of skills, professional project management, and the ability to work around the clock until the recovery is complete.
For two decades, Progent has provided expert Information Technology services for companies in New Orleans and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals with high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security experts hold internationally recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the ability to rapidly understand critical systems, organize the surviving parts of your IT environment after a ransomware event, and assemble them into a working system.
Progent's security team of experts utilizes powerful project management tools to coordinate the complex restoration process. Progent understands the urgency of working swiftly and in concert with a client's management and IT resources to prioritize tasks and to put key applications back on line as soon as humanly possible.
Client Story: A Successful Ransomware Attack Restoration
A small business contacted Progent after their organization was brought down by Ryuk ransomware. Ryuk was initially attributed by some researchers to North Korean state-linked groups, possibly using techniques from leaked NSA tooling; later analysis has tied it to Russian-speaking criminal groups. Ryuk goes after specific organizations with little or no tolerance for operational disruption and is one of the most lucrative ransomware families. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago area with around 500 employees. The Ryuk event had shut down all company operations and manufacturing capability. Most of the client's backups had been online at the time of the attack and were encrypted along with everything else. The client was preparing to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately engaged Progent.
"I can't thank you enough for the help Progent gave us throughout the most fearful period of (our) business's survival. We would have had little choice but to pay the hackers except for the confidence the Progent group afforded us. That you were able to get our messaging and production applications back into operation in less than seven days was incredible. Every single person I talked with or e-mailed at Progent was urgently focused on getting us working again and was working 24/7 on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the key applications that had to be restored in order to resume company operations:
To begin, Progent followed industry incident-response best practices for a malware outbreak: contain the spread, then remove the active malware. Progent then started the task of recovering Windows Active Directory, the foundation of enterprise systems built on Microsoft technology. Exchange messaging will not work without AD, and the customer's MRP software relied on Microsoft SQL Server, which used Windows AD (integrated Windows authentication) to authenticate users to the databases.
- Windows Active Directory
Within 48 hours, Progent recovered Windows Active Directory to its pre-attack state, then began the rebuild and storage recovery of the most important servers. All Exchange connections and configuration information were usable, which accelerated the Exchange restore. Progent was also able to gather local OST files (Outlook offline data files) from various PCs to recover mail messages. A reasonably recent offline backup of the company's accounting/ERP systems made it possible to return those essential applications to service. Although substantial work remained to recover fully from the Ryuk infection, core services were restored quickly:
"For the most part, the assembly line ran fairly normally throughout and we produced all customer deliverables."
During the following few weeks critical milestones in the restoration process were achieved in close collaboration between Progent team members and the client:
- Self-hosted web applications were restored without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding more than 4 million historical emails, was restored to operation and made available to users.
- CRM, Customer Orders, Invoicing, AP, Accounts Receivable and Inventory modules were 100 percent functional.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Most desktop computers were back in use by staff.
"Much of what happened during the initial response is nearly entirely a haze for me, but I will not soon forget the dedication each and every one of the team showed to help get our business back. I have been working with Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This situation was the most impressive ever."
A probable business catastrophe was averted through dedicated professionals, a broad array of technical expertise, and close collaboration. Although in retrospect the crypto-ransomware intrusion described here should have been blocked by current cyber security systems and ISO/IEC 27001 best practices, user education, well-defined incident response and backup procedures, and disciplined security patching, the reality remains that state-sponsored and criminal cyber gangs from China, North Korea and elsewhere are relentless and will continue. If you are hit by a crypto-ransomware incident, you can be confident that Progent's team has proven experience in crypto-ransomware prevention, containment, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for letting me get some sleep after we got over the initial push. All of you made an incredible effort, and if anyone is around the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in New Orleans a variety of online monitoring and security evaluation services to assist you to reduce your vulnerability to crypto-ransomware. These services include modern artificial intelligence capability to detect zero-day strains of ransomware that are able to evade traditional signature-based security products.
For 24/7 New Orleans Crypto-Ransomware Removal Consulting, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses next-generation behavior-based analysis to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus products. ProSight ASM protects local and cloud resources and provides a unified platform to address the entire threat progression: protection, detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback based on the Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly identified threats. Note that many ransomware families, Ryuk included, delete shadow copies before encrypting, so VSS-based rollback depends on the endpoint agent blocking that step and is not a substitute for offline or immutable backups. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
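Because shadow-copy deletion is the step that turns an encryption incident into an unrecoverable one, process-creation telemetry for those commands is a high-value detection regardless of which endpoint product is in place. The following Python script is an added example, not code from this page, from Progent, or from ProSight ASM. It scans constructed Windows Security Event 4688 and Sysmon Event 1 process-creation records, flattened here to a hypothetical `event_id|image|command_line` text format, for the commands ransomware uses to destroy shadow copies and disable recovery.

```python
"""Flag shadow-copy and recovery tampering in process-creation events.

Added example, not code from the original page. Input records are constructed
to resemble Windows Security Event 4688 and Sysmon Event 1, flattened to a
hypothetical "event_id|image|command_line" text format.
"""
import re

# Command lines commonly used by ransomware to remove VSS snapshots, shrink
# shadow storage, delete the Windows backup catalog, or disable boot recovery.
# Illustrative, not exhaustive; tune to your environment's legitimate usage.
TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*maxsize", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]

# Event IDs that carry a process command line: Security 4688 and Sysmon 1.
PROCESS_CREATE_EVENTS = {"4688", "1"}


def parse_event(line):
    """Split one flattened record into its fields; return None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    event_id, image, command_line = (p.strip() for p in parts)
    return {"event_id": event_id, "image": image, "command_line": command_line}


def is_recovery_tampering(command_line):
    """True when the command line matches a known shadow-copy/recovery attack."""
    return any(p.search(command_line) for p in TAMPER_PATTERNS)


def find_alerts(lines):
    """Return the process-creation events whose command line looks like tampering."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None or event["event_id"] not in PROCESS_CREATE_EVENTS:
            continue  # malformed, or an event type without a command line
        if is_recovery_tampering(event["command_line"]):
            alerts.append(event)
    return alerts


# Constructed sample telemetry: four malicious records mixed with benign ones.
SAMPLE_LOG = [
    r"4688|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    r"4688|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"4688|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete",
    r"4688|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt",
    r'1|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    r"4624|-|-",
    r"4688|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(f"ALERT event {alert['event_id']}: {alert['command_line']}")
```

Run against the constructed sample, the script flags the vssadmin, WMIC, PowerShell and bcdedit records and ignores the benign `vssadmin list shadows` call, the notepad launch and the logon event. In production the same patterns belong in the SIEM or EDR rule set, with an exception list for backup software that legitimately resizes shadow storage.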
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated within one agent accessible from a single console. Progent's security and virtualization experts can help your business to design and configure a ProSight ESP deployment that meets your organization's unique requirements and that helps you prove compliance with legal and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent's consultants can also help your company to set up and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable end-to-end solution for reliable backup and disaster recovery. Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows fast recovery of vital files, applications and virtual machines that have become unavailable or damaged as a result of hardware failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Critical data can be protected to the cloud, to an on-premises storage device, or to both. Progent's backup and recovery specialists can provide advanced expertise to set up ProSight DPS to comply with regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you recover your critical information. Learn more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security vendors to provide web-based control and comprehensive protection for all your email traffic. The powerful architecture of Email Guard combines cloud-based filtering with a local gateway appliance to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most threats from making it to your network firewall. This reduces your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the on-premises security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, reconfigure and troubleshoot their connectivity appliances such as switches, firewalls, and load balancers as well as servers, client computers and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that network diagrams are kept current, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are discovered. By automating time-consuming management processes, WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, locating devices that require important software patches, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network running efficiently by tracking the health of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT staff and your Progent consultant so all potential issues can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Since the environment is virtualized, it can be ported easily to a different hardware platform without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and protect data related to your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to 50% of time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require when you need it. Read more about ProSight IT Asset Management service.