Ransomware: Your Crippling IT Disaster
Ransomware has become a frequent, enterprise-level threat to any business exposed to attack. Older families such as CrySIS, CryptoWall, Locky, SamSam and MongoLock have circulated for years and still cause damage. Newer families such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Nefilim, along with many unnamed variants, not only encrypt production data but also encrypt or delete any backups reachable from the compromised network, including shadow copies and backup shares that are online at the time of the attack. Data replicated to an off-site disaster recovery site can be encrypted as well. In a poorly designed data protection scheme this leaves nothing to recover from and effectively resets the network to zero.
Recovering applications and data after a ransomware attack is a race against the clock: the targeted organization must stop the spread, remove the malware, and resume mission-critical activity. Because encryption takes time to spread across a network, attackers commonly trigger it at night or over a weekend, when it takes longer to notice. This makes it harder to assemble and coordinate a knowledgeable response team quickly.
Progent offers a range of services for protecting organizations against ransomware. These include user training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security gateways that use machine learning to detect and block zero-day attacks. Progent also provides experienced ransomware recovery engineers with the skills and persistence to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the attackers will supply working keys to decrypt your files. Kaspersky Lab found that 17% of ransomware victims never recovered their files after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), well above the average ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the critical elements of your IT environment. Without usable backups, this requires a broad range of IT skills, strong project management, and the ability to work around the clock until the job is done.
For two decades, Progent has provided certified IT services to businesses in Schaumburg and across the U.S. and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of experience lets Progent quickly identify the systems that matter, recover the surviving components of your IT environment after a ransomware event, and assemble them into a working system.
Progent's ransomware team uses modern project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and bring the most important systems back online as fast as possible.
Client Story: A Successful Crypto-Ransomware Virus Response
A client contacted Progent after their company was brought down by Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the earlier Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group (tracked by CrowdStrike as Wizard Spider). Ryuk targets organizations with little tolerance for operational disruption and is one of the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-site manufacturing company in the Chicago metro area with around 500 employees. The Ryuk intrusion had halted all business and manufacturing operations. Most of the client's backups had been online when the attack began and were encrypted. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but ultimately decided to engage Progent.
"I can't say enough about the help Progent provided us throughout the most critical time of (our) company's survival. We may have had to pay the Hackers if it wasn't for the confidence the Progent experts gave us. The fact that you could get our messaging and important servers back online in less than a week was amazing. Each person I worked with or texted at Progent was amazingly focused on getting us restored and was working breakneck pace on our behalf."
Progent worked hand in hand with the customer to rapidly assess and prioritize the mission-critical areas that had to be restored so that departmental functions could continue:
First, Progent followed industry best practice for ransomware incident response by stopping the spread and cleaning infected systems. Progent then began bringing Active Directory back online, since it is the foundation of an enterprise environment built on Microsoft Windows. Microsoft Exchange Server will not function without Active Directory, and the client's MRP system ran on SQL Server, which relied on Active Directory (Windows authentication) to authenticate users to the databases.
- Active Directory (AD)
Within 48 hours, Progent restored Active Directory to its pre-attack state. Progent then helped rebuild and recover storage for key applications. All Microsoft Exchange Server links and configuration data were intact, which greatly simplified the Exchange restore. Progent was also able to locate local OST files (Microsoft Outlook Offline Data Files) on user desktops and recover mailbox data from them. A reasonably recent offline backup of the customer's accounting/MRP system made it possible to bring those essential applications back online. Although substantial work remained to recover fully from the Ryuk incident, essential systems were restored rapidly:
"For the most part, the assembly line operation never missed a beat and we produced all customer shipments."
Over the following couple of weeks, key milestones in the recovery project were reached through close cooperation between Progent consultants and the customer:
- Self-hosted web sites were returned to operation without any data loss.
- The MailStore email archive server, holding over four million historical Exchange messages, was brought back up and made available to users.
- CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory modules were fully restored.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Most desktop computers were functioning as they had before the incident.
"A lot of what transpired in the initial days is nearly entirely a fog for me, but I will not soon forget the urgency all of the team accomplished to help get our business back. I have been working with Progent for at least 10 years, maybe more, and each time Progent has outperformed my expectations and delivered. This situation was a life saver."
A likely company-ending catastrophe was averted through dedicated professionals, a broad range of IT skills, and close teamwork. In hindsight, the incident described here could have been prevented with up-to-date security tooling, recognized best practices, staff training, and sound procedures for data protection and patch management; but the reality is that well-resourced criminal and state-sponsored attackers operating from Russia, China, North Korea and elsewhere are relentless and are not going away. If you are hit by ransomware, be assured that Progent's team has extensive experience in ransomware prevention, cleanup, and systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for letting me get some sleep after we got through the most critical parts. Everyone did a fabulous job, and if any of your guys are around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer story, see Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Schaumburg a range of remote monitoring and security assessment services to help reduce the threat from ransomware. These services use behavioral and machine-learning techniques to detect new ransomware variants that evade legacy signature-based anti-virus products.
For 24/7/365 ransomware recovery support in Schaumburg, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses behavior-based machine learning to defend physical and virtual endpoints against new malware such as ransomware and file-less exploits, which routinely get past legacy signature-based AV products. ProSight ASM protects local and cloud-based resources and provides a single platform for managing the entire attack lifecycle: blocking, detection, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. One caveat: VSS rollback only works if shadow copies survive the attack, and most ransomware families delete them (typically with vssadmin, wmic or bcdedit) just before encrypting, so rollback complements offline backups rather than replacing them. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
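The rollback feature above depends on shadow copies that ransomware routinely destroys before encrypting, so a useful complement is to alert on the destruction itself. The following is an added example, not Progent's code and not part of ProSight ASM: detection logic that flags the shadow-copy and boot-recovery tampering commands typically run just before encryption. The events are constructed for the example, and the pipe-delimited timestamp|host|user|command_line format is an assumption modelled loosely on Sysmon Event ID 1 and Windows Security Event 4688 fields.

```python
"""Flag process-creation events that look like shadow-copy / recovery tampering.

Added example, not Progent's or ProSight ASM's code. The input format (one event
per line as "timestamp|host|user|command_line") is an assumption loosely based on
Sysmon Event ID 1 / Windows Security 4688 fields.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Commands commonly used to destroy rollback material before encryption.
# Regexes are applied to the lower-cased command line, so casing tricks
# such as "Delete Shadows" or "/ALL /QUIET" do not matter.
TAMPER_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("vssadmin_resize_shadowstorage",          # shrinking storage evicts old shadows
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("powershell_win32_shadowcopy_delete",     # Get-WmiObject Win32_ShadowCopy | ... Delete()
     re.compile(r"win32_shadowcopy.*\bdelete\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("wbadmin_delete_catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
]


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_event(line):
    """Split one pipe-delimited event into (timestamp, host, user, command_line).

    maxsplit=3 keeps any '|' inside the command line (e.g. a PowerShell pipeline)
    intact. Returns None for lines that do not have all four fields.
    """
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    return tuple(p.strip() for p in parts)


def scan_events(lines):
    """Return one Finding per event whose command line matches a tamper pattern."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        timestamp, host, user, command_line = event
        lowered = command_line.lower()
        for rule, pattern in TAMPER_PATTERNS:
            if pattern.search(lowered):
                findings.append(Finding(timestamp, host, user, rule, command_line))
                break  # one finding per event is enough
    return findings


def summarize_by_host(findings):
    """Map host -> sorted distinct rules fired.

    Several distinct rules firing on one host within minutes is the classic
    pre-encryption signature and is the condition worth auto-isolating on.
    """
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {host: sorted(rules) for host, rules in by_host.items()}


# Constructed sample events for the example (not real telemetry).
SAMPLE_EVENTS = [
    "2020-03-14T02:13:07Z|FILESRV01|CORP\\svc_backup|vssadmin.exe list shadows",           # benign
    "2020-03-14T02:14:11Z|FILESRV01|CORP\\svc_backup|vssadmin.exe create shadow /for=D:",  # benign
    "2020-03-14T02:41:55Z|WS-ACCT-07|CORP\\jsmith|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    "2020-03-14T02:41:56Z|WS-ACCT-07|CORP\\jsmith|wmic.exe shadowcopy delete",
    "2020-03-14T02:41:57Z|WS-ACCT-07|CORP\\jsmith|bcdedit.exe /set {default} recoveryenabled No",
    "2020-03-14T02:41:58Z|WS-ACCT-07|CORP\\jsmith|powershell.exe -nop -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\"",
    "malformed line with no separators",
]

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.command_line}")
    print(summarize_by_host(found))
```

Run as a script, it reports the four tampering commands on WS-ACCT-07 and nothing for the backup service's "list shadows" and "create shadow" calls on FILESRV01, which is why the rules match on verbs rather than on the vssadmin image name alone. In practice you would feed it real Sysmon or 4688 events and key the isolation action off the per-host summary, since a single vssadmin delete can be a legitimate storage cleanup while three distinct tamper commands in the same minute almost never are.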
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business design and implement a ProSight ESP deployment that addresses your company's specific needs and lets you demonstrate compliance with government and industry information protection standards. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also help your company set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly after a destructive attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable end-to-end service for secure backup and disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup activities and allows rapid recovery of vital data, applications and virtual machines that have become unavailable or damaged due to hardware failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or mirrored to both; the off-site copy is what survives when ransomware reaches every backup target that is online. Progent's cloud backup consultants can provide advanced support to configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can help you recover your business-critical data. Learn more about ProSight DPS Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading data security companies to deliver web-based control and comprehensive protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter serves as a first barrier and keeps most unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a further layer of inspection for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server monitor and safeguard internal email that originates and ends within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to diagram, track, enhance and debug their connectivity appliances such as routers and switches, firewalls, and access points plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends alerts when issues are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary chores such as network mapping, reconfiguring your network, locating devices that need critical updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to keep your network operating at peak levels by tracking the state of the vital computers that drive your business. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT management staff and your Progent engineering consultant so that potential issues can be addressed before they affect productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved easily to alternate hardware without a lengthy and difficult reinstallation. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and protect data related to your network infrastructure, procedures, business applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of the time spent trying to find critical information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Find out more about Progent's ProSight IT Asset Management service.