Ransomware : Your Feared Information Technology Disaster
Crypto-ransomware has become a modern cyberplague that represents an existential danger for businesses of all sizes unprepared for an assault. Ransomware families such as Reveton, Fusob, Bad Rabbit, Syskey and the MongoLock cryptoworms have been in the wild for a long time and still cause destruction. The latest crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, as well as additional unnamed malware, not only encrypt on-line data but also infiltrate most configured system backups. Files replicated to off-site disaster recovery sites can also be ransomed. In a vulnerable environment, this can make automated recovery impossible and effectively knocks the network back to square one.
Getting applications and data back on-line after a ransomware attack becomes a race against time as the targeted organization fights to contain and clear the ransomware and to restore business-critical operations. Because ransomware requires time to spread, assaults are often launched at night, when successful attacks may take longer to recognize. This multiplies the difficulty of promptly assembling and orchestrating an experienced response team.
Progent offers a range of help services for securing organizations from ransomware attacks. Among these are team education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security solutions with artificial intelligence capabilities to intelligently discover and quarantine zero-day threats. Progent in addition can provide the services of veteran ransomware recovery professionals with the track record and perseverance to restore a compromised system as rapidly as possible.
Progent's Ransomware Recovery Services
Following a ransomware attack, paying the ransom in cryptocurrency provides no assurance that the criminal gang will supply the keys needed to decrypt any or all of your information. Kaspersky Labs estimated that 17% of ransomware victims never restored their data after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET estimates averages around $13,000. The other path is to re-install the essential components of your Information Technology environment. Without access to complete data backups, this requires a wide complement of skill sets, top notch project management, and the willingness to work non-stop until the recovery project is over.
For decades, Progent has offered professional Information Technology services for companies in Oklahoma City and throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally-recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of expertise gives Progent the ability to quickly identify critical systems, re-organize the surviving components of your network after a ransomware event, and rebuild them into a functioning system.
Progent's security team uses top notch project management applications to orchestrate the complex recovery process. Progent knows the importance of working quickly and together with a client's management and Information Technology team members to prioritize tasks and to put critical systems back on-line as fast as humanly possible.
Customer Case Study: A Successful Ransomware Attack Restoration
A client escalated to Progent after their network had been taken over by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state cybercriminals, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little or no tolerance for disruption and is among the most lucrative strains of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with about 500 workers. The Ryuk intrusion had disabled all business operations and manufacturing capabilities. The majority of the client's backups were on-line when the attack began and were eventually encrypted. The client was preparing to pay the ransom demand (more than $200,000) and hope for the best, but in the end engaged Progent.
"I cannot tell you enough about the care Progent provided us during the most fearful period of (our) company's existence. We would have paid the cyber criminals if not for the confidence the Progent team afforded us. The fact that you were able to get our messaging and production applications back into operation sooner than five days was earth shattering. Every single consultant I talked with or messaged at Progent was urgently focused on getting us working again and was working 24 by 7 on our behalf."
Progent worked together with the customer to rapidly understand and prioritize the critical services that had to be addressed in order to continue departmental operations:
- Microsoft Active Directory
- Electronic Mail
To begin, Progent followed anti-virus incident response best practices by isolating and removing active malware. Progent then began the work of restoring Windows Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange email will not work without AD, and the business's MRP system ran on SQL Server, which relies on Active Directory for authentication and authorization to its databases.
In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then carried out reinstallations and storage recovery for the most important applications. All Exchange links and attributes in AD were intact, which accelerated the rebuild of Exchange. Progent was also able to locate intact OST data files (Microsoft Outlook Offline Folder Files) on staff PCs to recover email data. A reasonably recent off-line backup of the business's manufacturing software made it possible to bring these essential services back on-line. Although a lot of work remained to recover fully from the Ryuk attack, essential services were restored rapidly:
"For the most part, the production operation was never shut down and we did not miss any customer shipments."
During the following month important milestones in the recovery process were made in close cooperation between Progent consultants and the customer:
- Self-hosted web sites were brought back up without losing any data.
- The MailStore Exchange Server with over four million archived emails was restored to operations and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were completely restored.
- A new Palo Alto Networks 850 security appliance was brought online.
- Ninety percent of the user workstations were back into operation.
"So much of what transpired during the initial response is nearly entirely a blur for me, but my management will not soon forget the countless hours each of you accomplished to help get our business back. I've utilized Progent for the past 10 years, possibly more, and each time Progent has come through and delivered as promised. This event was a life saver."
A possible business extinction catastrophe was avoided with dedicated experts, a wide spectrum of knowledge, and close teamwork. Post-incident forensics showed that the ransomware incident detailed here could have been prevented with current security technology and recognized best practices, user and IT administrator education, well thought out procedures for information protection, and proper patching controls. Even so, the reality remains that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware intrusion, feel confident that Progent's team of experts has substantial experience in ransomware defense, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for letting me get rested after we got over the first week. Everyone did an incredible job, and if anyone is around the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer case study, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Oklahoma City a portfolio of online monitoring and security evaluation services to help you reduce your vulnerability to ransomware. These services incorporate modern machine learning capabilities to uncover new variants of ransomware that can escape detection by legacy signature-based anti-virus solutions.
For Oklahoma City 24-7 Ransomware Remediation Support Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting-edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely get past traditional signature-matching AV tools. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to automate the entire threat lifecycle including filtering, intrusion detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's security and virtualization consultants can help your business design and implement a ProSight ESP deployment that meets your company's specific needs and that allows you to prove compliance with legal and industry data security standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent's consultants can also help you install and verify a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent provide small and medium-sized businesses a low-cost end-to-end solution for reliable backup and disaster recovery. Available at a low monthly rate, ProSight Data Protection Services automates your backup activities and enables rapid restoration of vital files, applications and virtual machines that have become unavailable or damaged due to hardware failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Critical data can be protected to the cloud, to a local device, or to both. Progent's backup and recovery specialists can provide advanced expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can assist you to restore your critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security vendors to deliver centralized control and comprehensive protection for your email traffic. The powerful architecture of Progent's Email Guard combines cloud-based filtering with an on-premises gateway appliance to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's on-premises gateway device provides a further layer of analysis for incoming email. For outbound email, the on-premises security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also help Exchange Server track and protect internal email traffic that originates and ends within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map, monitor, optimize and debug their connectivity appliances such as routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept updated, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when issues are detected. By automating tedious network management processes, WAN Watch can knock hours off ordinary tasks like network mapping, reconfiguring your network, finding devices that require critical software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by tracking the health of vital assets that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT management staff and your Progent consultant so that any looming issues can be resolved before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Since the environment is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect data about your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and organizing your network documentation, you can eliminate as much as 50% of the time wasted looking for critical information about your network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about ProSight IT Asset Management service.