Ransomware : Your Crippling IT Disaster
Ransomware has become a too-frequent cyberplague that poses an existential threat for businesses vulnerable to an attack. Multiple generations of ransomware such as Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for a long time and still cause harm. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, plus additional unnamed malware, not only do encryption of online data files but also infect most available system protection. Data replicated to off-site disaster recovery sites can also be corrupted. In a poorly designed system, it can render automated restoration impossible and effectively sets the datacenter back to square one.
Restoring applications and data after a ransomware attack becomes a sprint against time as the victim fights to stop the spread and clear the crypto-ransomware and to resume business-critical operations. Because ransomware requires time to move laterally, attacks are frequently sprung at night, when penetrations in many cases take more time to discover. This compounds the difficulty of quickly mobilizing and coordinating an experienced mitigation team.
Progent offers an assortment of solutions for securing enterprises from ransomware penetrations. Among these are team member education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of next-generation security gateways with machine learning capabilities to intelligently discover and suppress new cyber threats. Progent in addition offers the assistance of seasoned ransomware recovery professionals with the track record and commitment to re-deploy a breached environment as rapidly as possible.
Progent's Ransomware Recovery Services
Subsequent to a crypto-ransomware penetration, sending the ransom in cryptocurrency does not ensure that distant criminals will respond with the needed keys to decipher any of your files. Kaspersky estimated that seventeen percent of ransomware victims never restored their information after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to re-install the mission-critical parts of your Information Technology environment. Absent the availability of essential data backups, this requires a broad complement of skills, professional team management, and the ability to work 24x7 until the job is finished.
For two decades, Progent has made available professional IT services for businesses in Cheyenne and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained top industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of experience gives Progent the capability to efficiently ascertain critical systems and integrate the remaining components of your Information Technology environment after a ransomware attack and assemble them into a functioning network.
Progent's security team of experts utilizes powerful project management tools to orchestrate the sophisticated recovery process. Progent understands the urgency of working rapidly and together with a client's management and Information Technology resources to prioritize tasks and to put essential applications back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Attack Restoration
A small business contacted Progent after their network system was penetrated by the Ryuk ransomware virus. Ryuk is thought to have been developed by Northern Korean state sponsored hackers, possibly using techniques exposed from the U.S. National Security Agency. Ryuk attacks specific companies with limited ability to sustain operational disruption and is among the most lucrative versions of crypto-ransomware. Well Known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago with around 500 staff members. The Ryuk penetration had frozen all business operations and manufacturing capabilities. Most of the client's system backups had been directly accessible at the time of the attack and were eventually encrypted. The client was actively seeking loans for paying the ransom demand (exceeding two hundred thousand dollars) and wishfully thinking for good luck, but in the end made the decision to use Progent.
"I canít say enough about the help Progent provided us throughout the most fearful time of (our) businesses life. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent group gave us. That you were able to get our e-mail system and critical applications back sooner than five days was incredible. Every single consultant I talked with or messaged at Progent was hell bent on getting us restored and was working breakneck pace on our behalf."
Progent worked hand in hand the customer to rapidly identify and prioritize the essential systems that needed to be restored to make it possible to restart departmental operations:
To get going, Progent adhered to ransomware penetration response best practices by isolating and cleaning up infected systems. Progent then started the steps of restoring Microsoft AD, the core of enterprise systems built on Microsoft Windows technology. Exchange email will not work without Windows AD, and the customerís MRP system used Microsoft SQL Server, which requires Active Directory services for authentication to the data.
- Active Directory (AD)
- Electronic Messaging
In less than 2 days, Progent was able to re-build Active Directory services to its pre-virus state. Progent then helped perform rebuilding and storage recovery on the most important applications. All Microsoft Exchange Server data and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to assemble local OST files (Outlook Off-Line Data Files) on team workstations and laptops in order to recover mail messages. A recent off-line backup of the businesses manufacturing software made them able to return these required services back online for users. Although a large amount of work was left to recover completely from the Ryuk event, the most important services were returned to operations rapidly:
"For the most part, the assembly line operation ran fairly normal throughout and we produced all customer orders."
During the following couple of weeks critical milestones in the recovery process were accomplished in close cooperation between Progent team members and the customer:
- Internal web sites were brought back up without losing any information.
- The MailStore Microsoft Exchange Server containing more than four million historical messages was restored to operations and available for users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were 100 percent restored.
- A new Palo Alto Networks 850 security appliance was brought online.
- 90% of the desktops and laptops were fully operational.
"Much of what transpired during the initial response is nearly entirely a fog for me, but we will not forget the care each and every one of your team put in to help get our company back. Iíve utilized Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This event was the most impressive ever."
A likely business catastrophe was avoided by results-oriented professionals, a wide range of IT skills, and close teamwork. Although in analyzing the event afterwards the ransomware attack described here would have been identified and disabled with modern cyber security systems and security best practices, user and IT administrator training, and well thought out incident response procedures for backup and proper patching controls, the fact remains that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's team of experts has extensive experience in crypto-ransomware virus defense, removal, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thanks very much for making it so I could get some sleep after we made it past the initial push. Everyone did an incredible job, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Cheyenne a portfolio of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services include next-generation AI technology to detect zero-day strains of crypto-ransomware that are able to get past legacy signature-based security solutions.
For Cheyenne 24-Hour Crypto Cleanup Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes next generation behavior machine learning technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to manage the entire threat progression including protection, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP offers firewall protection, penetration alerts, device control, and web filtering via cutting-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization consultants can help you to plan and implement a ProSight ESP environment that meets your company's unique needs and that allows you prove compliance with government and industry information protection standards. Progent will assist you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also help you to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable end-to-end service for secure backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates your backup processes and enables fast recovery of vital files, applications and virtual machines that have become unavailable or damaged due to hardware failures, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's cloud backup specialists can provide world-class support to configure ProSight DPS to to comply with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can help you to recover your critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top data security vendors to deliver web-based control and comprehensive protection for all your email traffic. The powerful structure of Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email from making it to your security perimeter. This reduces your exposure to external attacks and saves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of inspection for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to diagram, monitor, enhance and debug their networking hardware such as switches, firewalls, and access points plus servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always current, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and sends alerts when issues are detected. By automating tedious network management processes, ProSight WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, finding appliances that need critical updates, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network running at peak levels by tracking the state of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT personnel and your Progent engineering consultant so any potential problems can be addressed before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be ported immediately to a different hardware environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By updating and managing your IT documentation, you can eliminate as much as 50% of time wasted searching for vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether youíre planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Read more about ProSight IT Asset Management service.