Ransomware: Your Worst Information Technology Disaster
Ransomware has become a too-frequent cyberplague that represents an existential threat for organizations poorly prepared for an assault. Multiple generations of ransomware such as the Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for a long time and still inflict harm. Modern strains of ransomware like Ryuk and Hermes, as well as many unnamed variants, not only encrypt online data files but also compromise any system protection mechanisms they can reach. Data replicated to the cloud can be encrypted as well. In a poorly architected system, this can make recovery hopeless and effectively knocks the datacenter back to square one.
Getting services and data back following a crypto-ransomware intrusion becomes a race against time as the victim struggles to contain and remove the malware and to resume business-critical operations. Because ransomware requires time to spread, assaults are frequently launched during nights and weekends, when attacks often take longer to notice. This multiplies the difficulty of promptly assembling and coordinating a qualified response team.
Progent provides a variety of support services for securing businesses against ransomware attacks. These include user training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security gateways with AI capabilities to automatically discover and suppress zero-day cyber threats. Progent can also provide the assistance of veteran ransomware recovery professionals with the talent and perseverance to reconstruct a breached environment as rapidly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not guarantee that the criminal gang will provide the keys to decrypt any or all of your files. Kaspersky Labs determined that 17% of ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The ransom itself is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET estimates to average around $13,000. The other path is to rebuild the key parts of your Information Technology environment from scratch. Without access to full data backups, this requires a broad complement of skills, well-coordinated team management, and the capability to work continuously until the task is over.
For twenty years, Progent has made available certified expert Information Technology services for businesses in Oklahoma City and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained high-level certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of expertise gives Progent the capability to efficiently identify the necessary systems, organize the surviving pieces of your IT environment after a ransomware attack, and assemble them into an operational system.
Progent's recovery group uses top-notch project management systems to coordinate the complicated recovery process. Progent knows the urgency of acting rapidly and works together with a client's management and IT team members to prioritize tasks and to get the most important services back online as soon as possible.
Case Study: A Successful Ransomware Intrusion Response
A client contacted Progent after their organization was attacked by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored cybercriminals, possibly using techniques leaked from the U.S. NSA. Ryuk goes after specific businesses with limited tolerance for disruption and is among the most profitable versions of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago with about 500 workers. The Ryuk event had paralyzed all essential operations and manufacturing capabilities. Most of the client's backups had been online at the beginning of the attack and were destroyed. The client was taking steps to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately reached out to Progent.
"I can't tell you enough in regards to the support Progent provided us during the most stressful period of (our) company's life. We would have paid the cyber criminals if not for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and key servers back into operation sooner than five days was incredible. Every single consultant I got help from or communicated with at Progent was laser focused on getting my company operational and was working 24/7 to bail us out."
Progent worked together with the client to quickly understand and prioritize the key services that had to be recovered in order to restart departmental operations:
- Microsoft Active Directory
- Electronic Messaging
- MRP System
To get going, Progent followed industry best practices for malware incident mitigation by isolating and disinfecting systems. Progent then started the work of recovering Active Directory, the core of enterprise networks built on Microsoft Windows Server technology. Exchange messaging will not work without Active Directory, and the business's accounting and MRP applications relied on Microsoft SQL Server, which depends on Windows AD to control access to the databases.
Within 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then helped perform setup and storage recovery for essential applications. All Microsoft Exchange Server schema and attributes were intact, which greatly helped the restoration of Exchange. Progent was able to locate unencrypted OST files (Microsoft Outlook Offline Data Files) on various workstations and use them to recover mail messages. A fairly recent offline backup of the business's accounting systems made it possible to bring these essential applications back online for users. Although significant work remained to recover completely from the Ryuk attack, core systems were restored rapidly:
"For the most part, the production line operation was never shut down and we produced all customer deliverables."
During the following couple of weeks, critical milestones in the restoration process were completed through tight collaboration between Progent consultants and the client:
- Internal web sites were returned to operation without losing any data.
- The MailStore archive server for Microsoft Exchange, holding more than four million archived emails, was brought online and made accessible to users.
- CRM/Orders/Invoices/AP/AR/Inventory Control modules were completely operational.
- A new Palo Alto 850 firewall was brought online.
- Nearly all of the desktops and laptops were being used by staff.
"A lot of what occurred in the initial days is nearly entirely a fog for me, but I will not forget the countless hours each of your team put in to give us our business back. I have been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This situation was a life saver."
A probable company-ending catastrophe was averted through the efforts of results-oriented professionals, a broad spectrum of technical expertise, and tight collaboration. Analyzed afterwards, the ransomware attack described here would have been identified and disabled by up-to-date security technology and best practices, team training, and properly executed procedures for data backup and patching. The reality, however, is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and will keep attacking. If you do get hit by ransomware, be confident that Progent's team of professionals has a proven track record in crypto-ransomware blocking, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), I'm grateful for making it so I could get rested after we made it over the initial push. All of you did an amazing job, and if any of your team is in the Chicago area, dinner is on me!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Oklahoma City a range of remote monitoring and security evaluation services to help you minimize the threat from ransomware. These services use modern AI technology to uncover new variants of ransomware that are able to escape detection by traditional signature-based security products.
For Oklahoma City 24/7 Crypto Repair Help, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses next-generation behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely evade legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to automate the complete malware attack lifecycle including filtering, detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to security assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization consultants can help your business plan and configure a ProSight ESP environment that addresses your company's specific needs and that allows you to demonstrate compliance with government and industry data protection standards. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate attention. Progent's consultants can also help you set up and test a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized organizations a low-cost end-to-end solution for reliable backup/disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates your backup processes and enables rapid recovery of vital files, apps and virtual machines that have become unavailable or corrupted as a result of hardware failures, software bugs, disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or mirrored to both. Progent's BDR specialists can deliver world-class support to set up ProSight Data Protection Services to be compliant with regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can help you restore your critical information. Learn more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security companies to provide centralized management and world-class security for all your email traffic. The hybrid structure of Email Guard combines a Cloud Protection Layer with a local security gateway device to offer complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most threats before they reach your security perimeter. This decreases your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's onsite gateway device provides a further level of analysis for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server in monitoring and safeguarding internal email that stays within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to diagram, monitor, enhance and debug their connectivity hardware such as routers and switches, firewalls, and wireless controllers plus servers, client computers and other devices. Using cutting-edge RMM technology, WAN Watch ensures that infrastructure topology maps are always updated, copies and displays the configuration of almost all devices connected to your network, tracks performance, and generates notices when potential issues are discovered. By automating time-consuming management activities, ProSight WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, finding devices that require critical software patches, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network running at peak levels by checking the health of the critical assets that power your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your specified IT staff and your Progent consultant so that any looming issues can be addressed before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hosting environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to half of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.