Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an escalating cyber pandemic that poses an existential threat to organizations unprepared for an attack. Versions of ransomware like the Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been out in the wild for many years and still inflict harm. The latest variants of ransomware like Ryuk and Hermes, as well as others not yet named, not only encrypt online files but also infect many reachable system restores and backups. Files synced to cloud environments can also be encrypted. In a poorly designed environment, this can render automated restore operations impossible and effectively set the network back to square one.
Getting applications and data back following a ransomware outage becomes a sprint against the clock as the targeted business tries its best to stop lateral movement, remove the virus, and restore enterprise-critical operations. Because ransomware needs time to move laterally, attacks are frequently sprung on weekends, when they may take longer to detect. This multiplies the difficulty of quickly marshalling and organizing a qualified response team.
Progent makes available a variety of support services for securing businesses against ransomware events. Among these are team member education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security solutions with artificial intelligence capabilities to quickly identify and extinguish zero-day cyber attacks. Progent also offers the services of experienced crypto-ransomware recovery consultants with the track record and perseverance to reconstruct a breached environment as urgently as possible.
Progent's Ransomware Recovery Help
Following a ransomware attack, paying the ransom in cryptocurrency does not ensure that cyber hackers will return the keys to decrypt any of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their files after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC (roughly $120,000 to $400,000). This is greatly above the usual crypto-ransomware demand, which ZDNET determined to be around $13,000. The other path is to piece back together the critical parts of your Information Technology environment. Absent essential information backups, this calls for a wide range of IT skills, professional project management, and the ability to work continuously until the recovery project is complete.
For twenty years, Progent has made available certified expert Information Technology services for companies in Rockville and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded advanced industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP applications. This breadth of experience gives Progent the ability to knowledgeably understand critical systems, re-organize the surviving parts of your IT environment after a crypto-ransomware event, and assemble them into an operational system.
Progent's security group uses best-of-breed project management systems to coordinate the complex restoration process. Progent knows the importance of working swiftly and in concert with a client's management and IT resources to assign priority to tasks and to put the most important systems back on-line as soon as humanly possible.
Business Case Study: A Successful Ransomware Incident Response
A customer sought out Progent after their organization was attacked by the Ryuk ransomware virus. Ryuk is believed to have been created by North Korean state-sponsored cybercriminals, possibly using strategies leaked from the U.S. NSA. Ryuk seeks out specific companies with little ability to sustain disruption and is among the most profitable instances of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer located in the Chicago metro area with about 500 staff members. The Ryuk penetration had brought down all business operations and manufacturing capabilities. Most of the client's information backups had been directly accessible from the network at the start of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom demand (in excess of $200K) and hoping for good luck, but in the end reached out to Progent.
"I cannot thank you enough for the help Progent provided us throughout the most fearful time of (our) business's survival. We may have had to pay the hackers behind this attack if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and essential applications back on-line in less than a week was something I thought impossible. Every single person I worked with or messaged at Progent was amazingly focused on getting us back online and was working at breakneck pace on our behalf."
Progent worked together with the customer to quickly assess and assign priority to the critical elements that had to be restored in order to continue company functions:
To start, Progent followed industry best practices for malware incident containment by isolating and disinfecting systems. Progent then initiated the work of restoring Microsoft Active Directory, the core of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not work without Active Directory, and the client's accounting and MRP software relied on SQL Server, which depends on Active Directory services for access to the database.
- Windows Active Directory
Within two days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then helped perform reinstallations and storage recovery of mission-critical systems. All Exchange schema and attributes were intact, which accelerated the restore of Exchange. Progent was able to assemble non-encrypted OST data files (Outlook Email Off-Line Data Files) from various PCs and laptops to recover email information. A recent offline backup of the customer's accounting systems made it possible to bring these vital programs back to users. Although a large amount of work remained to recover totally from the Ryuk virus, essential systems were restored quickly:
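The recovery order in the case study (Active Directory first, then the Exchange and SQL Server tiers that depend on it) can be verified mechanically before each tier is brought back. The following script is an added example written for this page, not code from Progent or from the case study. It assumes Windows PowerShell 5.1 on a domain-joined, elevated session (Test-ComputerSecureChannel and Get-Service -ComputerName need that); the domain name, server names and the default SQL instance name are placeholders.

```powershell
# Added example (not Progent's code): ordered post-restore health check for the
# AD -> Exchange / SQL Server dependency chain described in the case study.
# Each tier is checked in order and the script stops at the first unhealthy tier,
# because verifying a dependent tier before its dependency is wasted effort.
# Assumptions (placeholders): domain name, server names, default SQL instance.
$Domain         = 'corp.example.local'   # placeholder, not from the case study
$ExchangeServer = 'EXCH01'               # placeholder
$SqlServer      = 'SQL01'                # placeholder

function Test-ServiceRunning {
    # Windows PowerShell 5.1: Get-Service -ComputerName queries a remote host directly.
    param([string]$Computer, [string]$Name)
    $svc = Get-Service -ComputerName $Computer -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

# Tiers in dependency order; every check is a scriptblock returning $true/$false.
$Tiers = [ordered]@{
    'Active Directory' = [ordered]@{
        'DC locator SRV record resolves' = {
            (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop).Count -gt 0
        }
        'Secure channel to a DC is valid'  = { Test-ComputerSecureChannel -ErrorAction Stop }
        'Domain object binds over LDAP'    = { $null -ne ([ADSI]"LDAP://$Domain").distinguishedName }
    }
    'Exchange (depends on AD)' = [ordered]@{
        'MSExchangeADTopology running' = { Test-ServiceRunning $ExchangeServer 'MSExchangeADTopology' }
        'MSExchangeIS running'         = { Test-ServiceRunning $ExchangeServer 'MSExchangeIS' }
    }
    'SQL Server (depends on AD)' = [ordered]@{
        'MSSQLSERVER running' = { Test-ServiceRunning $SqlServer 'MSSQLSERVER' }
    }
}

foreach ($tier in $Tiers.Keys) {
    Write-Host "== $tier =="
    $tierOk = $true
    foreach ($check in $Tiers[$tier].Keys) {
        try   { $ok = [bool](& $Tiers[$tier][$check]) }
        catch { $ok = $false }   # a thrown error (DNS failure, RPC refused) counts as a failed check
        $label = if ($ok) { 'PASS' } else { 'FAIL' }
        Write-Host ("  [{0}] {1}" -f $label, $check)
        if (-not $ok) { $tierOk = $false }
    }
    if (-not $tierOk) {
        Write-Warning "Stopping: '$tier' is not healthy, so the tiers that depend on it cannot be verified yet."
        break
    }
}
```

Run it again after each restoration step; the first FAIL tells you which tier still needs work before the next one is worth touching.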
"For the most part, the manufacturing operation showed little impact and we did not miss any customer sales."
Throughout the next couple of weeks, critical milestones in the recovery project were reached in close cooperation between Progent consultants and the client:
- Self-hosted web sites were restored without losing any data.
- The MailStore Server containing more than four million historical emails was restored to operations and available for users.
- CRM/Product Ordering/Invoices/AP/AR/Inventory Control capabilities were 100% recovered.
- A new Palo Alto 850 security appliance was brought online.
- Nearly all of the user workstations were back into operation.
"So much of what was accomplished that first week is mostly a haze for me, but my management will not forget the urgency all of you accomplished to help get our company back. I have been working with Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered. This time was a life saver."
A possible business-killing disaster was averted with hard-working experts, a broad range of subject matter expertise, and close collaboration. Although forensics showed after the fact that the ransomware incident described here would have been stopped by current security technology and best practices, staff education, and well thought out security procedures for information protection and software patching, the reality is that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incident, feel confident that Progent's roster of experts has extensive experience in ransomware defense, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were contributing), I'm grateful for allowing me to get some sleep after we got past the first week. Everyone did an amazing job, and if any of your guys are in the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Rockville a range of remote monitoring and security assessment services to help you minimize the threat from ransomware. These services incorporate next-generation machine learning technology to uncover zero-day variants of ransomware that are able to get past traditional signature-based security solutions.
For Rockville 24/7 Ransomware Recovery Support Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior analysis tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely escape legacy signature-matching AV tools. ProSight ASM protects on-premises and cloud resources and provides a unified platform to manage the complete malware attack progression including filtering, detection, containment, remediation, and post-attack forensics. Top features include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device control, and web filtering via leading-edge technologies packaged within one agent managed from a single console. Progent's security and virtualization consultants can assist your business to design and implement a ProSight ESP environment that addresses your organization's unique needs and that helps you prove compliance with legal and industry information protection standards. Progent will assist you to define and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also help you to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable and fully managed solution for reliable backup/disaster recovery (BDR). For a low monthly rate, ProSight DPS automates your backup processes and allows fast restoration of vital data, applications and virtual machines that have become lost or damaged due to component failures, software bugs, natural disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's BDR consultants can deliver world-class support to set up ProSight DPS to be compliant with regulatory requirements such as HIPAA, FIRPA, and PCI and, whenever necessary, can assist you to recover your critical information. Read more about ProSight Data Protection Services Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security companies to provide centralized control and world-class security for all your email traffic. The hybrid structure of Email Guard integrates cloud-based filtering with a local security gateway appliance to provide complete defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as a preliminary barricade and blocks most threats from reaching your security perimeter. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further level of analysis for incoming email. For outgoing email, the onsite security gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays within your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, monitor, optimize and debug their networking appliances such as routers, firewalls, and wireless controllers plus servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are always up to date, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and generates notices when problems are detected. By automating tedious management activities, ProSight WAN Watch can knock hours off common chores like making network diagrams, expanding your network, locating devices that require important software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management techniques to help keep your IT system running efficiently by tracking the state of the critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT personnel and your Progent consultant so that potential problems can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect information related to your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By updating and managing your network documentation, you can eliminate up to 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure, like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Learn more about the ProSight IT Asset Management service.