Crypto-Ransomware : Your Worst IT Catastrophe
Crypto-ransomware has become an escalating cyber pandemic and an existential threat for businesses of every size that are unprepared for an attack. Multiple generations of ransomware and screen-locker malware, including Reveton, Fusob, Bad Rabbit, MongoLock and Syskey-based lockers, have been in the wild for years and still cause damage. Recent strains such as Ryuk and its Hermes ancestor, along with other less publicized malware, not only encrypt online critical data but also delete Volume Shadow Copies and encrypt any backups reachable over the network. Data synced to the cloud can be ransomed as well, because the encrypted files simply replicate to the cloud copy. In a poorly designed environment this can make automated recovery impossible and effectively knocks the datacenter back to square one.
Recovering applications and data after a ransomware incident becomes a race against the clock as the victim tries to contain and eradicate the malware while resuming mission-critical operations. Because encryption takes time to spread across a network, attackers usually trigger it on weekends and at night, when it is likely to go undetected longer. This compounds the difficulty of rapidly assembling and organizing an experienced response team.
Progent offers a range of services to protect businesses from ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security appliances with machine learning capabilities to detect and stop zero-day threats. Progent can also provide seasoned ransomware recovery consultants with the skills and commitment to rebuild a compromised network as quickly as possible.
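The paragraphs above describe the two behaviours that make recovery so hard: the malware destroys reachable restore points and backups before encrypting, and operators prefer nights and weekends. The detector below is an added example written for this page; it is not Progent's code and not part of any ProSight product. It runs over a handful of constructed process-creation records (a simplified key=value form modelled on the fields of Sysmon Event ID 1 and Windows Security event 4688) and flags the shadow-copy, backup-catalog and boot-recovery commands that MITRE ATT&CK groups under T1490 (Inhibit System Recovery), tagging events that fall outside an assumed business-hours window. The hostnames, users, timestamps and the 06:00 to 20:00 weekday window are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Command lines used to destroy shadow copies, backup catalogs and boot
# recovery options (MITRE ATT&CK T1490). Ryuk and many other families run
# these before encrypting so that local rollback has nothing to roll back to.
RECOVERY_INHIBIT_RULES = [
    ("vssadmin_delete_shadows", r"vssadmin(?:\.exe)?\s+delete\s+shadows"),
    ("vssadmin_resize_shadowstorage", r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage"),
    ("wmic_shadowcopy_delete", r"wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    ("wmi_win32_shadowcopy_delete", r"win32_shadowcopy.*\bdelete\b"),
    ("bcdedit_recoveryenabled_no", r"bcdedit(?:\.exe)?.*recoveryenabled\s+no"),
    ("bcdedit_ignoreallfailures", r"bcdedit(?:\.exe)?.*bootstatuspolicy\s+ignoreallfailures"),
    ("wbadmin_delete_backups", r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)"),
]
COMPILED_RULES = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RECOVERY_INHIBIT_RULES]

# Assumed business hours: Monday to Friday, 06:00 to 20:00. Anything outside
# is flagged because ransomware operators favour nights and weekends.
BUSINESS_DAYS = range(0, 5)
BUSINESS_HOURS = range(6, 20)

# key=value pairs; values containing spaces are double-quoted, with \" escapes.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Alert:
    utc_time: datetime
    hostname: str
    user: str
    rule: str
    command_line: str
    off_hours: bool


def parse_event(line: str) -> dict:
    """Parse one key=value process-creation record into a dict, stripping quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS


def match_rule(command_line: str):
    """Return the name of the first T1490 rule the command line matches, else None."""
    for name, regex in COMPILED_RULES:
        if regex.search(command_line):
            return name
    return None


def scan(lines):
    """Return an Alert for every record whose CommandLine matches a T1490 rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        rule = match_rule(ev.get("CommandLine", ""))
        if rule is None:
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        alerts.append(Alert(ts, ev.get("Hostname", "?"), ev.get("User", "?"),
                            rule, ev["CommandLine"], is_off_hours(ts)))
    return alerts


# Constructed sample records (assumed hosts, users and times; not real telemetry).
# 2019-03-02 is a Saturday, 2019-03-03 a Sunday, 2019-03-05 a Tuesday.
SAMPLE_EVENTS = [
    'UtcTime="2019-03-02 03:14:07" Hostname=MRP-SQL01 User="CORP\\svc_backup" Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    'UtcTime="2019-03-05 10:22:41" Hostname=FIN-APP02 User="CORP\\Administrator" Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled No"',
    'UtcTime="2019-03-05 10:23:02" Hostname=FIN-APP02 User="CORP\\jdoe" Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"',
    'UtcTime="2019-03-03 01:02:15" Hostname=DC01 User="CORP\\Administrator" Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"',
    'UtcTime="2019-03-03 01:05:00" Hostname=DC01 User="CORP\\Administrator" Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell.exe -nop -c \\"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\\""',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        flag = "OFF-HOURS" if a.off_hours else "business hours"
        print(f"{a.utc_time} {a.hostname} {a.user} [{a.rule}] ({flag}): {a.command_line}")
```

Tuning note: `vssadmin list shadows` is deliberately not matched, and legitimate backup agents do resize shadow storage, so in production the parent image and account should be baselined before these rules page anyone. The point of the detector is timing: these commands run minutes before encryption starts, which is the window in which isolating the host still saves the backups.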
Progent's Ransomware Recovery Services
After a ransomware intrusion, paying the ransom in Bitcoin does not guarantee that the criminals will hand over working decryption keys for all your data. Kaspersky Lab estimated that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently ran from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the essential parts of your IT environment. Without complete, intact backups this requires a broad range of IT skills, professional project management, and the willingness to work around the clock until the job is done.
For decades, Progent has provided certified expert IT services to businesses in Virginia Beach and throughout the U.S., and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants holding top certifications in key technologies from Microsoft, Cisco and VMware as well as the major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth gives Progent the skills to quickly understand the important systems that survive a ransomware attack and rebuild them into an operational environment.
Progent's security team uses established project management practices to orchestrate the complex recovery process. Progent understands the importance of acting quickly and working together with the client's management and IT staff to prioritize tasks and bring critical services back online as fast as humanly possible.
Customer Story: A Successful Ransomware Recovery
A business escalated to Progent after its network was taken over by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it reuses code from the Hermes ransomware; later analysis tied its operators to Russian-speaking criminal groups. Ryuk targets organizations with little tolerance for operational disruption and has been among the most profitable ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago metro area with roughly 500 employees. The Ryuk attack had halted all business and manufacturing operations. Most of the client's backups had been online when the intrusion began and were destroyed. The client was considering paying the ransom (more than $200K) and hoping for the best, but ultimately brought in Progent.
"I can't tell you enough in regards to the support Progent provided us during the most fearful time of (our) business's life. We would have paid the cyber criminals behind the attack except for the confidence the Progent team afforded us. The fact that you could get our messaging and production servers back in less than seven days was amazing. Each staff member I got help from or e-mailed at Progent was hell bent on getting us back online and was working 24/7 on our behalf."
Progent worked with the customer to quickly identify and prioritize the mission-critical systems that had to be restored first so the company could keep functioning:
- Active Directory (AD)
- Microsoft Exchange Server messaging
- Financials/MRP system (Microsoft SQL Server)
To begin, Progent followed incident response best practices for a malware outbreak: isolating infected systems to halt lateral movement, then cleaning them up. Progent then started restoring Active Directory, the core of any environment built on Microsoft Windows Server. Microsoft Exchange Server will not operate without AD, and the customer's financials and MRP system ran on Microsoft SQL Server, which depended on AD for authentication and authorization to the data.
Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then began reinstalling key applications and recovering data from disk. All Exchange data and configuration were intact, which accelerated the Exchange rebuild. Progent collected the local OST files (Outlook Offline Data Files) on user PCs to recover mailbox contents. A reasonably recent offline backup of the financials/MRP software allowed those essential applications to be returned to service. Although considerable work remained to recover fully from Ryuk, essential systems were restored quickly:
"For the most part, the manufacturing operation ran fairly normal throughout and we did not miss any customer sales."
Over the following couple of weeks, key milestones in the recovery project were completed through close cooperation between Progent engineers and the client:
- In-house web sites were brought back up with no data loss.
- The MailStore email archive for Microsoft Exchange Server, holding more than four million historical messages, was back online and available to users.
- CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- 90% of user workstations were back in operation.
"A huge amount of what went on in the initial days is nearly entirely a fog for me, but I will not forget the countless hours each and every one of you accomplished to give us our company back. I have been working with Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered. This time was a stunning achievement."
A potentially company-ending disaster was averted through the efforts of dedicated experts, a broad range of technical skills, and close collaboration. Post-incident forensics showed that this attack would have been blocked by modern security controls combined with NIST Cybersecurity Framework or ISO/IEC 27001 practices, staff training, disciplined patching, and a tested incident response plan. Even so, criminal and state-sponsored groups operating from Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's roster of experts has proven experience in ransomware prevention, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for letting me get some sleep after we got through the first week. All of you did an impressive effort, and if any of your team is around the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Virginia Beach a range of online monitoring and security evaluation services to help you to reduce your vulnerability to crypto-ransomware. These services include next-generation artificial intelligence technology to uncover new strains of ransomware that are able to get past traditional signature-based anti-virus products.
For 24-7 Virginia Beach Crypto Remediation Support Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses next-generation behavior-based machine learning to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely get past traditional signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform covering the complete threat lifecycle: protection, intrusion detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. One caveat worth knowing: most ransomware families delete shadow copies before they start encrypting, so VSS-based rollback only works when the endpoint agent blocks that deletion, and it is no substitute for offline or immutable backups. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP environment that addresses your organization's specific requirements and helps you demonstrate compliance with legal and industry information protection standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent's consultants can also help you set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable end-to-end service for reliable backup and disaster recovery (BDR). For a low monthly rate, ProSight DPS automates your backup activities and allows fast restoration of vital data, applications and VMs that have been lost or corrupted by hardware failures, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, and Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or both; keeping a copy that the production network cannot write to is what makes backups survive a ransomware attack. Progent's backup and recovery consultants can provide world-class support to configure ProSight Data Protection Services to comply with government and industry regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can help you restore your critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security vendors to deliver web-based management and world-class protection for all your email traffic. The hybrid architecture of Email Guard integrates cloud-based filtering with a local security gateway device to offer complete protection against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as the first line of defense and blocks the vast majority of threats before they reach your network firewall. This reduces your exposure to external attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway device adds a further layer of inspection for inbound email. For outgoing email, the local security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server in tracking and safeguarding internal email traffic that stays within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to diagram, track, enhance and debug their connectivity hardware like routers and switches, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are kept updated, copies and manages the configuration of virtually all devices on your network, monitors performance, and sends alerts when potential issues are discovered. By automating complex network management activities, ProSight WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, locating devices that need important updates, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running efficiently by tracking the state of the vital computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT management staff and your Progent engineering consultant so that any looming issues can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to alternate hardware without a time-consuming and technically risky reinstallation. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data related to your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned about upcoming expirations of SSL/TLS certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save up to half the time otherwise wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Read more about ProSight IT Asset Management service.