Ransomware : Your Crippling IT Catastrophe
Ransomware has become a too-frequent cyberplague that presents an existential threat for organizations unprepared for an attack. Versions of ransomware like the CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for years and continue to cause destruction. Recent variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Nephilim, as well as more as yet unnamed newcomers, not only encrypt on-line critical data but also infiltrate any available system protection. Data replicated to off-site disaster recovery sites can also be encrypted. In a poorly designed environment, this can make automatic restore operations hopeless and basically knocks the network back to square one.
Getting back programs and information following a crypto-ransomware intrusion becomes a race against the clock as the targeted organization tries its best to stop lateral movement and cleanup the ransomware and to restore enterprise-critical operations. Since ransomware takes time to replicate, penetrations are usually sprung at night, when penetrations typically take longer to recognize. This compounds the difficulty of rapidly assembling and organizing a knowledgeable mitigation team.
Progent makes available a range of services for securing businesses from ransomware events. These include team education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of modern security appliances with machine learning technology to automatically discover and extinguish day-zero cyber threats. Progent also offers the services of experienced ransomware recovery professionals with the track record and perseverance to reconstruct a breached network as rapidly as possible.
Progent's Ransomware Restoration Support Services
Following a ransomware penetration, even paying the ransom demands in cryptocurrency does not provide any assurance that cyber hackers will provide the codes to unencrypt any or all of your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their data after having paid the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is greatly above the typical ransomware demands, which ZDNET determined to be approximately $13,000. The alternative is to piece back together the key parts of your Information Technology environment. Absent access to complete system backups, this requires a wide range of skills, top notch project management, and the capability to work continuously until the task is done.
For two decades, Progent has offered professional IT services for companies in Fresno and throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained advanced certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience with financial management and ERP applications. This breadth of expertise gives Progent the skills to efficiently understand important systems and consolidate the surviving components of your IT system following a ransomware penetration and rebuild them into an operational network.
Progent's security team of experts deploys best of breed project management tools to coordinate the sophisticated recovery process. Progent knows the urgency of acting rapidly and in unison with a customerís management and IT team members to assign priority to tasks and to get essential applications back online as soon as possible.
Case Study: A Successful Ransomware Attack Recovery
A small business contacted Progent after their network system was attacked by the Ryuk ransomware virus. Ryuk is thought to have been developed by Northern Korean state sponsored cybercriminals, possibly adopting techniques leaked from Americaís NSA organization. Ryuk attacks specific organizations with little room for disruption and is among the most profitable iterations of ransomware. Headline organizations include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area with about 500 employees. The Ryuk event had shut down all business operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the time of the intrusion and were encrypted. The client was taking steps for paying the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but in the end brought in Progent.
"I cannot thank you enough about the care Progent provided us throughout the most fearful period of (our) businesses survival. We had little choice but to pay the cybercriminals if not for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and important applications back on-line sooner than a week was something I thought impossible. Each staff member I talked with or communicated with at Progent was totally committed on getting us back online and was working all day and night on our behalf."
Progent worked together with the client to quickly assess and prioritize the mission critical applications that needed to be addressed to make it possible to restart business functions:
To get going, Progent followed Anti-virus penetration response industry best practices by stopping the spread and removing active viruses. Progent then started the task of bringing back online Active Directory, the key technology of enterprise networks built upon Microsoft technology. Microsoft Exchange email will not operate without AD, and the customerís MRP system utilized Microsoft SQL Server, which requires Active Directory services for authentication to the databases.
- Microsoft Active Directory
- Electronic Mail
- MRP System
In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then charged ahead with setup and storage recovery on the most important systems. All Exchange Server data and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to assemble non-encrypted OST data files (Microsoft Outlook Offline Data Files) on team PCs and laptops in order to recover email messages. A not too old offline backup of the businesses financials/ERP software made it possible to return these essential programs back online. Although a large amount of work was left to recover fully from the Ryuk attack, the most important systems were returned to operations quickly:
"For the most part, the assembly line operation did not miss a beat and we made all customer deliverables."
Over the following few weeks important milestones in the restoration process were accomplished through tight collaboration between Progent consultants and the customer:
- Internal web applications were brought back up with no loss of data.
- The MailStore Microsoft Exchange Server exceeding four million archived emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory Control modules were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was deployed.
- Nearly all of the user desktops and notebooks were functioning as before the incident.
"A huge amount of what occurred that first week is nearly entirely a blur for me, but our team will not forget the care all of your team accomplished to help get our business back. Iíve been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a life saver."
A probable enterprise-killing disaster was evaded by dedicated experts, a broad array of IT skills, and close teamwork. Although in hindsight the ransomware virus attack described here should have been identified and blocked with up-to-date cyber security technology solutions and ISO/IEC 27001 best practices, staff education, and properly executed incident response procedures for information protection and keeping systems up to date with security patches, the fact is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team of experts has a proven track record in ransomware virus defense, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were helping), Iím grateful for allowing me to get rested after we got past the initial fire. Everyone did an amazing job, and if any of your team is visiting the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Fresno a range of remote monitoring and security assessment services to assist you to reduce the threat from ransomware. These services incorporate next-generation artificial intelligence capability to uncover new strains of crypto-ransomware that are able to evade traditional signature-based security products.
For Fresno 24x7 Ransomware Cleanup Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior analysis tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily escape legacy signature-matching anti-virus tools. ProSight ASM safeguards local and cloud-based resources and provides a single platform to automate the entire threat progression including protection, infiltration detection, containment, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge tools packaged within one agent accessible from a unified control. Progent's data protection and virtualization experts can help your business to plan and configure a ProSight ESP deployment that addresses your organization's unique needs and that helps you prove compliance with legal and industry information protection standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent's consultants can also assist you to install and test a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and medium-sized organizations a low cost and fully managed solution for reliable backup/disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and enables fast restoration of vital files, applications and virtual machines that have become unavailable or corrupted due to hardware breakdowns, software bugs, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can provide world-class expertise to configure ProSight Data Protection Services to to comply with regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can assist you to restore your business-critical data. Find out more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security companies to deliver centralized management and comprehensive protection for all your inbound and outbound email. The powerful structure of Email Guard combines a Cloud Protection Layer with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from making it to your network firewall. This reduces your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a further level of inspection for inbound email. For outbound email, the local gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and protect internal email traffic that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, monitor, enhance and troubleshoot their networking appliances like routers and switches, firewalls, and access points plus servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends notices when problems are detected. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off ordinary tasks such as making network diagrams, expanding your network, locating devices that need important software patches, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system operating efficiently by tracking the health of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT staff and your Progent engineering consultant so that any potential problems can be addressed before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be ported easily to an alternate hardware solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and protect information about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSLs or domains. By updating and managing your IT documentation, you can save as much as 50% of time spent searching for critical information about your network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether youíre planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.