Crypto-Ransomware : Your Feared IT Nightmare
Ransomware has become a modern cyber pandemic that represents an extinction-level danger for organizations vulnerable to an assault. Multiple generations of ransomware such as CrySIS, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been running rampant for many years and continue to inflict damage. The latest strains of ransomware such as Ryuk and Hermes, plus more unnamed viruses, not only encrypt online data but also infect all accessible system backups. Files replicated to off-site disaster recovery sites can also be encrypted. With a vulnerable data protection solution, this can render automated restoration impossible and effectively knocks the entire system back to square one.
Recovering services and data after a ransomware attack becomes a race against the clock as the targeted organization fights to contain and clear the crypto-ransomware and to resume enterprise-critical operations. Because crypto-ransomware takes time to spread, assaults are frequently sprung on weekends, when attacks tend to take more time to identify. This multiplies the difficulty of quickly marshalling and orchestrating a knowledgeable mitigation team.
Progent makes available an assortment of services for securing organizations from ransomware events. Among these are team training to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of modern security solutions with AI capabilities to rapidly discover and quarantine zero-day cyber threats. Progent in addition offers the services of experienced crypto-ransomware recovery engineers with the talent and commitment to restore a compromised system as urgently as possible.
Progent's Ransomware Recovery Support Services
Subsequent to a ransomware penetration, paying the ransom demands in cryptocurrency does not provide any assurance that criminal gangs will provide the keys needed to decrypt any or all of your files. Kaspersky Labs determined that 17% of ransomware victims never restored their files even after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC (roughly $120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET determined to be around $13,000. The fallback is to re-install the essential parts of your IT environment. Without access to full data backups, this calls for a wide complement of IT skills, professional team management, and the capability to work continuously until the task is finished.
For decades, Progent has made available certified expert IT services for businesses in Naples and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience in accounting and ERP software solutions. This breadth of expertise provides Progent the ability to rapidly identify critical systems and integrate the remaining components of your network system following a ransomware penetration and assemble them into a functioning network.
Progent's recovery team utilizes state-of-the-art project management applications to orchestrate the complicated restoration process. Progent appreciates the importance of acting rapidly and in concert with a customer's management and IT resources to assign priority to tasks and to get essential applications back on-line as fast as possible.
Business Case Study: A Successful Ransomware Incident Recovery
A small business contacted Progent after their company was crashed by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state cybercriminals, suspected of adopting technology leaked from America's National Security Agency. Ryuk attacks specific businesses with little or no room for disruption and is among the most lucrative versions of ransomware viruses. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with around 500 workers. The Ryuk penetration had paralyzed all company operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the time of the attack and were destroyed. The client was evaluating paying the ransom (in excess of $200K) and praying for good luck, but in the end reached out to Progent.
"I can't speak enough in regards to the help Progent gave us throughout the most fearful period of (our) business's survival. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent group afforded us. That you could get our messaging and critical applications back sooner than five days was something I thought impossible. Each staff member I worked with or communicated with at Progent was totally committed on getting us working again and was working 24/7 to bail us out."
Progent worked with the customer to rapidly identify and prioritize the most important applications that had to be addressed to make it possible to resume departmental operations:
- Windows Active Directory
- Microsoft Exchange
To begin, Progent followed malware containment best practices by stopping the spread and disinfecting systems. Progent then started the task of restoring Microsoft Active Directory (AD), the core of enterprise systems built on Microsoft Windows Server technology. Exchange email will not function without Windows AD, and the customer's accounting and MRP applications used SQL Server, which needs Active Directory services for access to the data.
Within two days, Progent was able to restore Active Directory to its pre-penetration state. Progent then assisted with reinstallations and hard drive recovery of key systems. All Microsoft Exchange Server data and attributes were usable, which facilitated the restore of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Folder Files) from staff desktop computers in order to recover mail data. A relatively recent offline backup of the client's financials/MRP software made it possible to bring these essential services back online. Although a large amount of work remained to recover fully from the Ryuk damage, essential services were recovered rapidly:
"For the most part, the manufacturing operation never missed a beat and we delivered all customer orders."
During the next couple of weeks critical milestones in the recovery process were accomplished in tight cooperation between Progent engineers and the client:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore Exchange archive server, holding more than four million historical messages, was brought online and made accessible to users.
- CRM/Orders/Invoices/AP/AR/Inventory Control capabilities were 100 percent functional.
- A new Palo Alto 850 firewall was brought on-line.
- 90% of the user workstations were being used by staff.
"A lot of what was accomplished in the early hours is nearly entirely a fog for me, but my management will not forget the countless hours each of you put in to help get our business back. I've trusted Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This event was the most impressive ever."
A possible business catastrophe was averted due to hard-working professionals, a wide spectrum of IT skills, and close collaboration. Although in hindsight the ransomware penetration described here could have been prevented with up-to-date cyber security solutions and NIST Cybersecurity Framework best practices, user and IT administrator training, and appropriate incident response procedures for information protection and keeping systems up to date with security patches, the reality is that state-sponsored hackers from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, remember that Progent's team of professionals has proven experience in crypto-ransomware virus defense, remediation, and data restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for making it so I could get some sleep after we made it past the initial fire. All of you did an amazing job, and if any of you guys are visiting the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this customer story, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Naples a portfolio of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services include next-generation artificial intelligence technology to detect new variants of crypto-ransomware that are able to evade traditional signature-based security solutions.
For 24x7x365 Naples Crypto Removal Experts, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting-edge behavioral machine learning tools to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely slip past legacy signature-based anti-virus tools. ProSight ASM safeguards local and cloud resources and offers a single platform to automate the entire malware attack lifecycle including protection, identification, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection services offer economical in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge tools incorporated within a single agent accessible from a single console. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP deployment that addresses your company's unique requirements and that allows you to demonstrate compliance with legal and industry data security standards. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also assist your company to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations a low-cost end-to-end service for reliable backup/disaster recovery. For a fixed monthly rate, ProSight Data Protection Services automates your backup activities and allows fast recovery of vital files, applications and virtual machines that have become lost or corrupted due to hardware breakdowns, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can provide advanced expertise to configure ProSight Data Protection Services to comply with government and industry regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your business-critical information. Read more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading information security vendors to provide web-based control and world-class protection for your email traffic. The powerful structure of Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and keeps most threats from reaching your network firewall. This reduces your exposure to external threats and conserves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a further level of analysis for inbound email. For outbound email, the local gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map out, track, optimize and debug their connectivity hardware such as routers and switches, firewalls, and access points plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are kept current, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and generates notices when issues are discovered. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary tasks such as making network diagrams, expanding your network, locating appliances that need important software patches, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network running at peak levels by tracking the health of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT management personnel and your Progent engineering consultant so that all looming issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved easily to an alternate hardware environment without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard information about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be warned about impending expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save up to 50% of the time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.