Ransomware : Your Crippling IT Disaster
Ransomware has become an escalating cyber pandemic that presents an enterprise-level threat to businesses of all sizes that are poorly prepared for an assault. Multiple generations of crypto-ransomware, including the Reveton, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms, have been replicating for a long time and continue to inflict damage. More recent ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus additional unnamed strains, not only encrypt online data but also seek out and infiltrate every accessible system backup. Data replicated to cloud environments can also be ransomed. With a vulnerable data protection solution, this can make automated restoration impossible and effectively knocks the datacenter back to square one.
Recovering services and data after a ransomware event becomes a race against the clock as the targeted business works to contain and eradicate the crypto-ransomware and to restore business-critical operations. Because crypto-ransomware needs time to move laterally, attacks are frequently launched on weekends, when they typically take longer to be recognized. This compounds the difficulty of quickly assembling and coordinating a knowledgeable response team.
Progent provides an assortment of services for securing organizations against ransomware attacks. These include user education to help staff recognize and avoid falling victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of modern security appliances with machine learning capabilities to quickly identify and quarantine zero-day attacks. Progent can also provide experienced ransomware recovery engineers with the track record and perseverance to rebuild a breached environment as quickly as possible.
Progent's Ransomware Restoration Help
After a ransomware penetration, even paying the ransom in Bitcoin does not ensure that the criminals will provide the keys needed to decrypt all your data. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their files after sending off the ransom, resulting in increased losses. Paying is also expensive: Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000), far above the average ransomware demand, which ZDNET determined to be around $13,000. The other path is to set up the critical elements of your IT environment from scratch. Without usable system backups, this calls for a wide range of skill sets, well-coordinated project management, and the ability to work non-stop until the job is done.
For twenty years, Progent has provided expert IT services for businesses in Rancho Cordova and across the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold top industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of experience gives Progent the skills to rapidly identify critical systems following a ransomware attack, integrate the surviving components of your IT environment, and assemble them into a functioning network.
Progent's security group uses best-of-breed project management systems to coordinate the complex restoration process. Progent appreciates the urgency of acting rapidly and in unison with a client's management and IT team members to prioritize tasks and bring key applications back online as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Virus Recovery
A customer engaged Progent after their network was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state-sponsored criminal gangs, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most profitable versions of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company based in the Chicago metro area with about 500 employees. The Ryuk attack had paralyzed all business operations and manufacturing capabilities. Most of the client's system backups had been online at the time of the attack and were damaged. The client was pursuing financing to pay the ransom demand (in excess of $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot speak enough about the support Progent provided us throughout the most stressful period of (our) company's life. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent experts gave us. That you could get our e-mail system and essential servers back quicker than a week was incredible. Every single person I worked with or messaged at Progent was laser focused on getting us operational and was working day and night on our behalf."
Progent worked with the customer to quickly identify and prioritize the critical areas that had to be restored to allow company operations to continue:
- Windows Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for malware incident mitigation by halting lateral movement and removing active malware. Progent then began the work of restoring Active Directory, the foundational technology of enterprise environments built on Microsoft Windows. Exchange email will not function without AD, and the customer's MRP applications used Microsoft SQL Server, which relied on Windows AD for authentication to the databases.
In less than two days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then helped perform reinstallations and storage recovery on mission-critical servers. All Exchange Server relationships and attributes were intact, which greatly helped the restoration of Exchange. Progent was able to gather intact OST files (Outlook Offline Data Files) from various desktop computers and laptops in order to recover mail data. A reasonably recent offline backup of the customer's financials/MRP systems made it possible to make these vital applications available to users again. Although major work remained to recover fully from the Ryuk attack, critical services were restored rapidly:
"For the most part, the production operation did not miss a beat and we did not miss any customer deliverables."
Over the following few weeks, key milestones in the recovery process were reached through close collaboration between Progent engineers and the customer:
- Internal web applications were restored without losing any information.
- The MailStore server for Exchange, holding more than four million historical emails, was brought online and made available to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was set up.
- Nearly all of the desktop computers were functioning as before the incident.
"A lot of what occurred that first week is mostly a haze for me, but my management will not soon forget the dedication each of your team put in to give us our company back. I've entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered. This event was the most impressive ever."
A possible company-ending disaster was averted thanks to top-tier experts, a wide spectrum of IT skills, and close collaboration. Forensic review concluded that the ransomware incident described here should have been detected and stopped by advanced security solutions, ISO/IEC 27001 best practices, user and IT administrator training, and properly executed incident response procedures for data protection and software patching. The reality remains, however, that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a ransomware attack, remember that Progent's team of experts has a proven track record in crypto-ransomware blocking, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were involved), thank you for allowing me to get some sleep after we got through the initial push. All of you did an impressive effort, and if any of your guys is around the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this ransomware incident report, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Rancho Cordova a portfolio of online monitoring and security assessment services designed to help you minimize the threat from ransomware. These services incorporate modern AI technology to uncover new variants of ransomware that are able to get past traditional signature-based anti-virus products.
For 24/7/365 Rancho Cordova CryptoLocker Cleanup Consulting, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based analysis tools to guard physical and virtual endpoints against new malware attacks like ransomware and fileless exploits, which routinely get past traditional signature-based AV tools. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to address the complete threat lifecycle including blocking, detection, containment, cleanup, and forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and respond to cyber attacks from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge tools incorporated within one agent accessible from a unified console. Progent's data protection and virtualization experts can help your business plan and configure a ProSight ESP environment that addresses your organization's specific needs and that allows you to achieve and demonstrate compliance with government and industry data protection regulations. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent's consultants can also assist you in setting up and testing a backup and restore system like ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations a low-cost, fully managed solution for secure backup and disaster recovery (BDR). Available at a low monthly cost, ProSight DPS automates and monitors your backup processes and enables fast recovery of critical data, apps and virtual machines that have become unavailable or damaged due to hardware breakdowns, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or mirrored to both. Progent's backup and recovery consultants can deliver world-class support to configure ProSight Data Protection Services to comply with regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can assist you in restoring your critical data. Learn more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading data security vendors to provide centralized management and world-class protection for all your inbound and outbound email. The architecture of Email Guard combines cloud-based filtering with a local gateway appliance to offer complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway device provides a deeper level of analysis for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server track and safeguard internal email traffic that originates and ends within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, monitor, enhance and troubleshoot their networking appliances such as switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating time-consuming management activities, ProSight WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, finding devices that need critical updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your network running efficiently by checking the health of the vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT personnel and your Progent consultant so potential issues can be addressed before they impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Because the environment is virtualized, it can be ported immediately to a different hosting solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard information related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domain registrations. By keeping your IT documentation current and well managed, you can eliminate as much as half of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're making improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.