Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become an escalating cyber pandemic that presents an extinction-level danger for businesses of all sizes that are unprepared for an attack. Ransomware families such as Dharma, Fusob, Locky, NotPetya and MongoLock have been circulating for years and continue to wreak havoc. Newer strains such as Hermes and Ryuk, plus as yet unnamed newcomers appearing daily, not only encrypt online data but also hunt for and destroy whatever backups, shadow copies and recovery settings they can reach. Data synced to cloud environments can also be corrupted, because the encrypted files are replicated to the cloud copy. In a vulnerable data protection setup, this can render automated restoration hopeless and effectively knocks the entire environment back to zero.
Getting online services and data back after a crypto-ransomware outage becomes a race against the clock as the victim fights to contain the damage, eradicate the ransomware and resume business-critical activity. Because ransomware takes time to spread, attacks are usually launched at night, when successful intrusions typically take longer to notice. This multiplies the difficulty of promptly mobilizing and organizing an experienced mitigation team.
Progent provides a variety of services for protecting businesses from ransomware attacks. These include staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security appliances with AI technology to automatically discover and disable new cyber threats. Progent can also provide the services of seasoned ransomware recovery consultants with the skill and perseverance to redeploy a compromised environment as quickly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware penetration, paying the ransom in Bitcoin does not ensure that the remote criminals will respond with working keys to decrypt all your data. Kaspersky estimated that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The other path is to rebuild the essential elements of your IT environment. Without complete backups, this requires a wide range of skills, professional project management, and the ability to work 24x7 until the job is done.
For decades, Progent has provided certified expert IT services to companies in Petaluma and throughout the US, and has earned Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts (SMEs) includes professionals who hold top industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP applications. This breadth of expertise lets Progent efficiently identify critical systems, salvage the surviving pieces of your network after a ransomware event, and reassemble them into a functioning environment.
Progent's recovery group uses top-notch project management tools to orchestrate the complex recovery process. Progent knows the urgency of acting quickly and in unison with a customer's management and IT staff to prioritize tasks and get essential services back online as soon as humanly possible.
Client Story: A Successful Ransomware Attack Restoration
A business contacted Progent after their company was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean operators because of the code it shares with the Hermes ransomware, but later research attributed it to a financially motivated, Russian-speaking criminal group. Ryuk targets specific businesses with little or no tolerance for disruption and is one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were destroyed. The client was pursuing financing to pay the ransom demand (exceeding $200K) and hoping for the best, but in the end engaged Progent.
"I can't tell you enough in regards to the expertise Progent gave us during the most fearful period of (our) company's life. We had little choice but to pay the criminal gangs if not for the confidence the Progent group afforded us. That you could get our e-mail system and key servers back on-line sooner than one week was beyond my wildest dreams. Every single person I worked with or communicated with at Progent was absolutely committed to getting us back on-line and was working 24 by 7 on our behalf."
Progent worked with the customer to quickly understand and prioritize the essential services that had to be recovered in order to restart business operations:
- Windows Active Directory
- Microsoft Exchange email
- Accounting and manufacturing software
To begin, Progent followed incident response best practices by stopping the spread of the ransomware and cleaning up infected systems. Progent then began restoring Microsoft Active Directory, the heart of enterprise networks built on Windows. Exchange email will not work without Active Directory, and the business's accounting and MRP applications ran on Microsoft SQL Server, which depended on Active Directory for authentication to the databases.
In less than 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then pushed ahead with reinstalling the needed applications and recovering their data from surviving disks. All Exchange Server schema and configuration information (which is stored in Active Directory) was intact, which simplified the rebuild of Exchange. Progent was also able to collect unencrypted OST files (the Outlook offline data files cached on users' PCs) from various workstations to recover mailbox contents. A recent offline backup of the customer's financials/ERP software allowed Progent to bring these vital applications back to users. Although a great deal of work remained to recover fully from the Ryuk damage, essential services were returned to operation quickly:
"For the most part, the production line operation never missed a beat and we did not miss any customer shipments."
Over the next few weeks, critical milestones in the recovery process were reached through tight collaboration between Progent consultants and the client:
- Internal web applications were brought back up with no loss of data.
- The MailStore Server archive, holding more than four million historical messages, was brought online and made accessible to users.
- The CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory modules were fully functional.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Nearly all of the user desktops and notebooks were back into operation.
"Much of what transpired in the initial days is mostly a blur for me, but my management will not forget the care each of your team put in to give us our business back. I have been working with Progent for the past ten years, maybe more, and every time Progent has come through and delivered as promised. This situation was a Herculean accomplishment."
A probable business-ending disaster was averted thanks to top-tier experts, a broad spectrum of knowledge, and close collaboration. Although post-incident forensics showed that the ransomware incident described here could have been prevented with modern security tools and security best practices, user and IT administrator training, properly executed data protection procedures and disciplined patch management, the reality is that state-sponsored and criminal cyber gangs based in China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team has proven experience in ransomware blocking, removal, and recovery of information systems.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for allowing me to get some sleep after we got through the most critical parts. Everyone did a fabulous job, and if anyone that helped is in the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Petaluma a variety of remote monitoring and security assessment services to help reduce your exposure to ransomware. These services use next-generation AI capability to uncover zero-day strains of ransomware that can get past legacy signature-based security tools.
For Petaluma 24/7 crypto-ransomware recovery services, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection platform (EPP) that uses behavior-based machine learning to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily get past legacy signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to automate the complete threat lifecycle: protection, detection, containment, remediation, and forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Note that rollback from shadow copies only helps if the snapshots survive the attack: ransomware families including Ryuk routinely delete or shrink shadow storage (for example with vssadmin or wmic) before encrypting, so the endpoint agent must block or detect that tampering for the rollback to be available. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
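As an illustration of the shadow-copy caveat above (an example added here, not Progent's or ProSight ASM's code), the following Python script runs a small set of detection rules over Sysmon-style process-creation events and flags the shadow-copy deletion, shadow-storage resizing and boot-recovery tampering that ransomware typically performs just before encrypting. The log lines, host names, user names and rule names are constructed for the example; the command-line patterns are the publicly documented ones (vssadmin, wmic, wbadmin, bcdedit and PowerShell WMI), and a host on which several distinct rules fire is reported as a likely pre-encryption staging host.

```python
"""Spot shadow-copy and recovery tampering in Sysmon-style process-creation logs.

Constructed sample data and rule set for this page; not Progent's or ProSight ASM's code.
"""
import json
import re
from dataclasses import dataclass

# Rule name plus a pattern applied to the full command line (case-insensitive).
# The commands are the publicly documented pre-encryption steps ransomware uses
# to make rollback impossible: shadow deletion, shadow-storage shrinking,
# backup catalog removal and disabling Windows boot recovery.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_backups",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell_delete_shadowcopy",
     re.compile(r"win32_shadowcopy.*(\.delete\(\)|remove-(wmi|cim)(object|instance))", re.I)),
]


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    pid: int
    command_line: str


def scan_events(lines):
    """Return one Alert per Sysmon EventID 1 (process creation) line that matches
    a rule. Blank or unparseable lines are skipped rather than aborting the scan."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if ev.get("EventID") != 1:
            continue
        cmd = ev.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(name, ev.get("Computer", ""), ev.get("User", ""),
                                    int(ev.get("ProcessId", 0)), cmd))
                break  # one alert per event; first matching rule wins
    return alerts


def hosts_with_tampering(alerts, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired. Several different
    recovery-tampering commands on one machine is a strong pre-encryption signal."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


# Constructed sample log (not a real capture). The first two lines are benign
# backup/admin activity and must not fire; the rest mimic ransomware staging.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "fs01.corp.local", "User": "CORP\\svc_backup", "ProcessId": 4120, "CommandLine": "wbadmin start backup -backupTarget:\\\\nas01\\backups -include:C: -quiet"}
{"EventID": 1, "Computer": "fs01.corp.local", "User": "CORP\\jdoe", "ProcessId": 4188, "CommandLine": "vssadmin list shadows"}
{"EventID": 1, "Computer": "fs01.corp.local", "User": "NT AUTHORITY\\SYSTEM", "ProcessId": 5012, "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}
{"EventID": 1, "Computer": "fs01.corp.local", "User": "NT AUTHORITY\\SYSTEM", "ProcessId": 5020, "CommandLine": "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"}
{"EventID": 1, "Computer": "fs01.corp.local", "User": "NT AUTHORITY\\SYSTEM", "ProcessId": 5031, "CommandLine": "wmic shadowcopy delete"}
{"EventID": 1, "Computer": "fs01.corp.local", "User": "NT AUTHORITY\\SYSTEM", "ProcessId": 5044, "CommandLine": "bcdedit /set {default} recoveryenabled No"}
not valid json at all
{"EventID": 1, "Computer": "ws-eng-07.corp.local", "User": "CORP\\mroberts", "ProcessId": 7710, "CommandLine": "powershell.exe -nop -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\""}
"""

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS.splitlines())
    for a in found:
        print(f"{a.rule:32} {a.host:22} pid={a.pid:<6} {a.command_line}")
    print("hosts with multiple tampering rules:", hosts_with_tampering(found))
```

Run against the built-in sample, the script reports five alerts (all but the legitimate backup job and the read-only `vssadmin list shadows`) and singles out fs01 as the host where several distinct tampering commands ran under SYSTEM within seconds of each other, which is the moment an endpoint agent has to block the process if a later VSS rollback is to mean anything.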
- ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and react to attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through modern tools incorporated in a single agent managed from a unified console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP environment that addresses your company's specific requirements and that allows you to prove compliance with legal and industry information security regulations. Progent will help you define and configure the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent's consultants can also help your company set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized organizations an affordable and fully managed solution for reliable backup and disaster recovery (BDR). Available at a low monthly price, ProSight Data Protection Services automates your backup processes and enables rapid restoration of vital data, applications and virtual machines that have become unavailable or damaged as a result of component failures, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or both. Progent's backup and recovery specialists can provide world-class support to configure ProSight DPS to comply with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can help you restore your business-critical data. Learn more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to provide centralized management and world-class security for all your email traffic. The hybrid architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This reduces your vulnerability to inbound attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway device adds a deeper level of inspection for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server to monitor and protect internal email that stays inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, monitor, enhance and debug their connectivity hardware like routers, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when problems are detected. By automating tedious management processes, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, finding devices that require critical updates, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system operating efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT personnel and your assigned Progent consultant so any potential issues can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect data about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can eliminate up to 50% of time spent trying to find critical information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're making enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.