Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that presents an enterprise-level danger to any business exposed to attack. Older families such as Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock have been in the wild for years and continue to cause havoc. More recent crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with a daily stream of unnamed variants, does not just encrypt online data: it also hunts for and encrypts or deletes any reachable restore points, shadow copies and backups. Data synchronized to cloud storage can be encrypted too, because the sync client faithfully uploads the encrypted files. In a vulnerable environment this can make restoration impossible and effectively sets the network back to zero.
Getting online services and data back after a ransomware intrusion becomes a race against the clock as the targeted organization struggles to stop lateral movement, clean the ransomware out of its systems, and resume mission-critical activity. Because spreading and encrypting across a network takes time, attackers often detonate the ransomware at night or over a weekend, when a successful intrusion takes longer to notice. This multiplies the difficulty of rapidly marshalling and coordinating a qualified response team.
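The backup-destruction stage described above is also the earliest reliable alarm: before encrypting, most ransomware families run a short burst of commands to delete shadow copies, disable Windows recovery and wipe backup catalogs. The following added example (not code from the original page or from Progent) runs a small detection over constructed Windows Security 4688 process-creation events, flattened one per line as a SIEM export might present them. The host names, user names and timestamps are invented; the command patterns are the ones ransomware families are widely documented to use.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of Windows Security 4688 (process creation) events,
# flattened to one line each the way a SIEM export might look. These are
# not from any real incident. FS01 shows the burst of backup-destruction
# commands that precedes encryption; ADMIN02 shows a lone, plausibly
# legitimate cleanup; the remaining lines are benign noise.
SAMPLE_EVENTS = [
    '2020-06-13T18:00:00Z host=ADMIN02 user=CORP\\itadmin image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /for=d: /oldest"',
    '2020-06-14T02:11:03Z host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe list shadows"',
    '2020-06-14T02:11:09Z host=FS01 user=CORP\\jdoe image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    '2020-06-14T02:11:10Z host=FS01 user=CORP\\jdoe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
    '2020-06-14T02:11:12Z host=FS01 user=CORP\\jdoe image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"',
    '2020-06-14T02:11:15Z host=FS01 user=CORP\\jdoe image=C:\\Windows\\System32\\wbadmin.exe cmdline="wbadmin delete catalog -quiet"',
    '2020-06-14T02:12:40Z host=WS117 user=CORP\\asmith image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE cmdline="OUTLOOK.EXE"',
]

# Regexes applied to the lower-cased command line. Each matches a command
# commonly used to destroy restore points or backups before encryption.
TAMPER_RULES = {
    "vss_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    "vss_resize": re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*\bmaxsize="),
    "wmic_shadow_del": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
    "bcdedit_norecov": re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    "wbadmin_delete": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b"),
}

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+image=(?P<image>.*?)\s+cmdline="(?P<cmdline>.*)"$'
)


def parse_event(line):
    """Parse one flattened 4688 line into a dict, or None if it does not fit."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def match_rules(cmdline):
    """Names of the tampering rules that fire on a single command line."""
    lowered = cmdline.lower()
    return sorted(name for name, rx in TAMPER_RULES.items() if rx.search(lowered))


def detect(lines, window_seconds=300):
    """Return {host: alert} for hosts where backup-tampering commands ran.

    Severity is 'high' when two or more distinct techniques fire on the same
    host within window_seconds: that burst is the signature of a ransomware
    pre-encryption stage rather than a lone administrative command.
    """
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        names = match_rules(ev["cmdline"])
        if names:
            hits[ev["host"]].append((ev["ts"], ev["user"], names))

    alerts = {}
    for host, items in hits.items():
        items.sort()
        span = (items[-1][0] - items[0][0]).total_seconds()
        techniques = sorted({n for _, _, names in items for n in names})
        alerts[host] = {
            "users": sorted({u for _, u, _ in items}),
            "techniques": techniques,
            "count": len(items),
            "severity": "high" if span <= window_seconds and len(techniques) >= 2 else "medium",
        }
    return alerts


if __name__ == "__main__":
    for host, alert in sorted(detect(SAMPLE_EVENTS).items()):
        print(host, alert["severity"], ", ".join(alert["techniques"]))
```

In practice the same rules belong in the EDR or SIEM as a high-priority alert with automatic host isolation, since the encryption that follows these commands is usually minutes away.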
Progent offers a range of services for protecting businesses from ransomware attacks. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote endpoint monitoring and management, and setup and configuration of current security products that use machine learning to detect and contain new threats automatically. Progent also provides experienced ransomware recovery engineers with the skills and commitment to rebuild a breached network as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware intrusion, paying the ransom in cryptocurrency provides no assurance that the criminals will hand over a working decryption key for any or all of your files. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at approximately $13,000. The alternative is to rebuild the vital elements of your IT environment from scratch. Without complete, intact backups, this calls for a broad complement of skills, first-rate project management, and the willingness to work around the clock until the job is done.
For twenty years, Progent has provided expert IT services to businesses in Palo Alto and across the U.S. and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold top industry certifications in leading technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of expertise gives Progent the skills to quickly identify critical systems, salvage the surviving components of your network after a ransomware intrusion, and rebuild them into a functioning environment.
Progent's recovery team uses robust project management tools to coordinate the complex restoration process. Progent understands the importance of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and put key systems back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Incident Response
A customer engaged Progent after its network was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because its code is derived from the Hermes ransomware used by that country's operators; later research by CrowdStrike and others tied Ryuk operations to a Russian-speaking criminal group instead. Ryuk's operators target organizations with little tolerance for downtime, and Ryuk is among the most lucrative ransomware families to date. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business based in Chicago with around 500 employees. The Ryuk intrusion had halted all company operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were eventually encrypted. The client was considering paying the ransom (in excess of $200K) and hoping for the best, but in the end engaged Progent.
"I can't say enough in regards to the support Progent provided us during the most critical period of (our) company's life. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent team afforded us. That you were able to get our e-mail system and key applications back online in less than a week was amazing. Each expert I talked with or e-mailed at Progent was laser focused on getting us back online and was working at breakneck pace on our behalf."
Progent worked with the client to rapidly assess and prioritize the critical elements that had to be addressed in order to resume business functions:
- Microsoft Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To start, Progent followed incident-containment best practices: isolating compromised hosts to halt lateral movement, then disinfecting systems. Progent then began bringing Microsoft Active Directory back online, the core technology of enterprise environments built on Windows. Exchange cannot operate without Active Directory, and the client's financial and MRP software ran on Microsoft SQL Server, which relied on Active Directory for authentication and authorization to the databases.
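The order of that list is not arbitrary: each system can only be restored once everything it authenticates against or stores data in is back, and nothing should be restored until it has been verified clean. The following added example (not code from the original page or from Progent) turns that reasoning into a small restore-order planner. The dependency map is constructed for an environment like the one in the case study and the service names are hypothetical labels, not the client's hosts; the planner generalizes the page's point to any dependency graph.

```python
# Constructed dependency map for an environment like the one in the case
# study. The service names are hypothetical labels, not the client's host
# names. Each value lists what that service needs before it can come back.
DEPENDENCIES = {
    "active_directory": [],
    "dns": ["active_directory"],               # AD-integrated zones
    "exchange": ["active_directory", "dns"],
    "sql_server": ["active_directory"],        # Windows-authenticated logins
    "erp_mrp": ["sql_server"],
    "financials": ["sql_server"],
    "crm": ["sql_server", "exchange"],
    "workstations": ["active_directory", "dns"],
}


def recovery_waves(deps, verified_clean):
    """Plan the restore order for a set of interdependent services.

    Returns (waves, held_back). Each wave is a sorted list of services whose
    dependencies all sit in earlier waves, so a wave can be restored in
    parallel. A service is held back if it has not been verified clean
    (containment and disinfection come before restoration), and anything
    that depends on a held-back service is held back with it. Raises
    ValueError on unknown dependencies or a dependency cycle.
    """
    for svc, needs in deps.items():
        for n in needs:
            if n not in deps:
                raise ValueError(f"{svc} depends on unknown service {n}")

    # Hold back unverified services, then propagate to their dependents.
    held = {s for s in deps if s not in set(verified_clean)}
    changed = True
    while changed:
        changed = False
        for svc, needs in deps.items():
            if svc not in held and any(n in held for n in needs):
                held.add(svc)
                changed = True

    # Kahn's algorithm over what is left, emitting one wave per pass.
    remaining = {s: list(needs) for s, needs in deps.items() if s not in held}
    waves, done = [], set()
    while remaining:
        ready = sorted(s for s, needs in remaining.items() if all(n in done for n in needs))
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        waves.append(ready)
        done.update(ready)
        for s in ready:
            del remaining[s]
    return waves, sorted(held)


if __name__ == "__main__":
    # Everything verified clean: AD first, then what depends on it.
    waves, held = recovery_waves(DEPENDENCIES, DEPENDENCIES.keys())
    for i, wave in enumerate(waves, 1):
        print(f"wave {i}: {', '.join(wave)}")
    # SQL Server not yet verified clean: ERP, financials and CRM wait.
    waves, held = recovery_waves(DEPENDENCIES, set(DEPENDENCIES) - {"sql_server"})
    print("held back:", ", ".join(held))
```

The cycle check is worth keeping in a real plan: a backup server that is domain-joined and whose backups are needed to restore the domain is exactly the kind of loop that only surfaces during an incident.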
Within 48 hours, Progent had restored Active Directory services to their pre-attack state. Progent then helped rebuild the critical systems and recover their storage. All Exchange Server data and configuration information were intact, which greatly simplified the Exchange rebuild. Progent was able to locate Outlook offline data (OST) files on staff workstations and laptops and use them to recover mail messages. A reasonably recent offline backup of the customer's manufacturing software made it possible to bring these vital applications back online for users. Although a great deal of work remained to recover fully from the Ryuk attack, essential services were restored quickly:
"For the most part, the production manufacturing operation survived unscathed and we made all customer orders."
Throughout the next few weeks key milestones in the restoration process were accomplished through close collaboration between Progent consultants and the client:
- Internal web sites were restored with no loss of data.
- The MailStore email archive for Microsoft Exchange, holding more than four million historical messages, was brought online and made available to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were 100% operational.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Ninety percent of the user desktops and notebooks were operational.
"A lot of what was accomplished those first few days is nearly entirely a fog for me, but our team will not forget the commitment all of your team accomplished to help get our company back. I have trusted Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered. This event was the most impressive ever."
A potentially business-killing disaster was averted thanks to top-tier professionals, a broad array of technical expertise, and close teamwork. In hindsight, the ransomware attack described here would likely have been detected and blocked by current security tooling combined with NIST Cybersecurity Framework practices, user education, and well-designed procedures for offline backups and timely patching, but the fact remains that criminal and state-sponsored ransomware groups in Russia, North Korea and elsewhere are relentless and an ongoing threat. If you are hit by ransomware, remember that Progent's team has a proven track record in ransomware prevention, containment, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for letting me get rested after we got through the initial fire. Everyone did an incredible job, and if anyone is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Palo Alto a variety of online monitoring and security evaluation services to help you to reduce the threat from crypto-ransomware. These services include modern machine learning capability to uncover new variants of ransomware that are able to get past traditional signature-based security solutions.
For Palo Alto 24-Hour Ransomware Removal Support Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses next-generation behavioral machine learning to defend physical and virtual endpoints against new malware such as ransomware and phishing payloads, which routinely evade traditional signature-based AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform covering the complete threat lifecycle: filtering, intrusion detection, mitigation, remediation, and forensics. Key features include one-click rollback based on Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Because most ransomware families delete or shrink shadow copies before encrypting, rollback is only as good as the agent's ability to protect VSS snapshots from tampering, so verify that protection in your deployment. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and response to cyber attacks from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through technologies packaged in a single agent managed from a single console. Progent's security and virtualization consultants can help your business plan and configure a ProSight ESP environment that meets your organization's requirements and helps you demonstrate compliance with government and industry information security regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also help you install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end service for secure backup and disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates your backup processes and allows fast recovery of vital files, applications and VMs that have been lost or damaged by hardware failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises device, or to both. Progent's BDR specialists can deliver world-class support to configure ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you recover your critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses technology from leading information security companies to provide centralized control and world-class security for your email traffic. The architecture of the Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from ever reaching your network firewall. This decreases your exposure to inbound attacks and saves bandwidth and storage. Email Guard's on-premises gateway appliance adds a deeper level of analysis for incoming email. For outgoing email, the on-premises gateway offers AV and anti-spam protection, data leak prevention, and email encryption. The local gateway can also help Microsoft Exchange Server track and protect internal email that never leaves your corporate firewall. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to map, monitor, optimize and troubleshoot their connectivity hardware such as switches, firewalls, and load balancers, plus servers, printers, endpoints and other devices. Using current Remote Monitoring and Management technology, WAN Watch keeps network diagrams up to date, backs up and manages the configuration of virtually every device connected to your network, monitors performance, and generates alerts when problems are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can cut hours off routine chores such as producing network diagrams, reconfiguring your network, finding devices that need important updates, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your network running efficiently by checking the state of the critical computers that power your business. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management personnel and your Progent consultant so potential problems can be resolved before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved easily to different hardware without a time-consuming and difficult reinstallation. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and protect information about your network infrastructure, processes, business applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By keeping your network documentation current and organized, you can eliminate as much as half the time wasted hunting for critical information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your network infrastructure, such as recommended procedures and How-Tos. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.