Crypto-Ransomware : Your Feared IT Catastrophe
Ransomware has become a too-frequent cyber pandemic that represents an existential threat for businesses of all sizes vulnerable to an assault. Versions of crypto-ransomware such as Reveton, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and still inflict destruction. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nephilim, plus additional as yet unnamed newcomers, not only encrypt online critical data but also infect any reachable system restores and backups. Data replicated to off-site disaster recovery sites can also be rendered useless, because the replication faithfully copies the encrypted files. In a poorly architected data protection solution, this can make any recovery impossible and basically sets the datacenter back to square one.
Getting applications and data back online after a ransomware intrusion becomes a race against time as the victim tries its best to contain the damage, eradicate the virus, and resume mission-critical activity. Since ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when penetrations tend to take more time to detect. This compounds the difficulty of rapidly marshalling and orchestrating a qualified response team.
Progent has a variety of help services for protecting organizations from ransomware penetrations. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security gateways with AI technology to quickly discover and quarantine zero-day threats. Progent in addition offers the services of seasoned ransomware recovery engineers with the skills and commitment to re-deploy a breached system as rapidly as possible.
Progent's Ransomware Restoration Help
Soon after a crypto-ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the keys needed to decrypt any of your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNET estimates to average in the range of $13,000. The other path is to piece back together the key components of your Information Technology environment. Absent the availability of complete data backups, this requires a wide range of skills, well-coordinated team management, and the willingness to work non-stop until the job is done.
For decades, Progent has made available expert IT services for businesses in Winston-Salem and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the ability to quickly identify necessary systems and organize the remaining pieces of your Information Technology system after a crypto-ransomware event and assemble them into an operational system.
Progent's recovery group uses best of breed project management applications to coordinate the sophisticated recovery process. Progent understands the urgency of working quickly and in concert with a client's management and IT team members to assign priority to tasks and to get the most important applications back on-line as soon as possible.
Client Case Study: A Successful Ransomware Incident Restoration
A small business engaged Progent after their network system was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state cybercriminals, possibly using technology leaked from the U.S. NSA organization. Ryuk targets specific organizations with little room for disruption and is among the most profitable incarnations of ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with about 500 workers. The Ryuk attack had disabled all essential operations and manufacturing processes. The majority of the client's data backups had been directly accessible from the network at the start of the intrusion and were encrypted. The client considered paying the ransom demand (in excess of $200K) and hoping for the best, but in the end brought in Progent.
"I can't thank you enough about the support Progent gave us during the most critical time of (our) company's survival. We most likely would have paid the cyber criminals except for the confidence the Progent team gave us. The fact that you could get our e-mail system and essential applications back on-line quicker than 1 week was beyond my wildest dreams. Each person I interacted with or e-mailed at Progent was urgently focused on getting us working again and was working at all hours to bail us out."
Progent worked together with the client to rapidly identify and prioritize the critical elements that had to be restored in order to continue company operations:
- Windows Active Directory
- MRP System
To begin, Progent adhered to anti-virus incident response best practices by isolating the affected systems and performing virus removal steps. Progent then initiated the process of rebuilding Active Directory, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the customer's accounting and MRP applications used Microsoft SQL Server, which needed Active Directory for access to the database.
In less than 2 days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then charged ahead with setup and hard drive recovery on mission-critical servers. All Microsoft Exchange Server data and configuration information were usable, which accelerated the restore of Exchange. Progent was also able to collect local OST data files (Outlook Email Offline Folder Files) from staff PCs to recover email information. A reasonably recent off-line backup of the client's accounting systems made it possible to return these vital applications to service. Although a large amount of work remained to recover completely from the Ryuk event, the most important services were returned to operation rapidly:
"For the most part, the production line operation did not miss a beat and we made all customer sales."
During the following month important milestones in the recovery process were made through tight cooperation between Progent engineers and the customer:
- In-house web applications were restored without losing any information.
- The MailStore Microsoft Exchange Server with over four million archived messages was restored to operations and accessible to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory modules were 100 percent recovered.
- A new Palo Alto Networks 850 security appliance was set up.
- 90% of the user desktops were operational.
"A huge amount of what occurred in the initial days is mostly a fog for me, but I will not forget the dedication each and every one of the team accomplished to give us our business back. I've entrusted Progent for at least 10 years, maybe more, and every time Progent has shined and delivered as promised. This situation was a stunning achievement."
A possible business catastrophe was averted through the efforts of top-tier experts, a wide array of IT skills, and tight collaboration. Although in hindsight the ransomware penetration detailed here would have been prevented by up-to-date cyber security technology solutions and security best practices, user and IT administrator education, and well thought out security procedures for information backup and keeping systems up to date with security patches, the fact remains that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware virus, feel confident that Progent's roster of professionals has a proven track record in ransomware virus blocking, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thank you for allowing me to get rested after we made it past the most critical parts. All of you did an impressive effort, and if anyone is in the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Winston-Salem a variety of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence capability to uncover new variants of ransomware that are able to escape detection by legacy signature-based anti-virus solutions.
For 24/7/365 Winston-Salem Ransomware Recovery Help, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that incorporates next generation behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus tools. ProSight ASM safeguards local and cloud-based resources and provides a single platform to address the entire threat lifecycle including protection, detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback with Windows VSS and automatic system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, device control, and web filtering via cutting-edge tools packaged within one agent managed from a single console. Progent's data protection and virtualization consultants can assist you to design and configure a ProSight ESP deployment that meets your company's unique requirements and that allows you to achieve and demonstrate compliance with legal and industry information security standards. Progent will assist you in defining and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent can also assist your company to set up and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services provide small and medium-sized businesses an affordable and fully managed service for secure backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight DPS automates your backup activities and allows rapid restoration of vital data, applications and virtual machines that have become unavailable or damaged due to hardware breakdowns, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local device, or to both. Progent's cloud backup consultants can deliver advanced support to configure ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you to restore your business-critical information. Read more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security vendors to deliver centralized control and comprehensive security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway device to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer acts as a preliminary barricade and keeps most threats from making it to your network firewall. This reduces your vulnerability to external threats and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper layer of inspection for incoming email. For outbound email, the onsite gateway offers AV and anti-spam protection, DLP, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, monitor, enhance and troubleshoot their connectivity appliances such as switches, firewalls, and access points as well as servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and sends notices when problems are detected. By automating complex network management activities, ProSight WAN Watch can knock hours off common tasks like network mapping, expanding your network, locating appliances that require important software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the state of the vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT personnel and your Progent engineering consultant so all potential problems can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected fault-tolerant data center on a fast virtual machine host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported easily to a different hardware environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect information related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your business network, like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.