Ransomware: Your Worst Information Technology Disaster
Crypto-Ransomware Remediation Consultants
Crypto-ransomware has become an escalating cyberplague that poses an existential threat to organizations unprepared for an attack. Families such as CrySIS, Fusob, Locky, SamSam and MongoLock have been circulating for years and continue to inflict damage. Current crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus newer strains yet to be named, not only encrypt online files but also defeat many of the protections an environment relies on: shadow copies and backups reachable from a compromised account are deleted or encrypted, and data synchronized to the cloud is overwritten with its encrypted version. In a poorly designed environment this makes automatic restore operations hopeless and effectively sets the entire system back to square one.

Restoring applications and data after a ransomware outage becomes a race against time as the targeted business fights to stop the spread, remove the crypto-ransomware, and bring business-critical operations back. Because ransomware needs time to spread, attacks are frequently launched on weekends, when an intrusion is likely to go unnoticed for longer. This compounds the difficulty of quickly mobilizing and orchestrating a qualified response team.
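The weekend-timing point above is an argument for behavioral detection that does not depend on signatures: a single account renaming thousands of files to an extension the organization has never used is visible in file-server audit data long before any vendor has a signature. The script below is an added example, not Progent's code or any ProSight product logic. It reads audit events in a simple constructed format (timestamp, host, user, action, path), and raises an alert when one host writes or renames an unusual number of files inside a short window with most renames landing on an unknown extension; off-hours activity is recorded as an aggravating factor. The thresholds, the known-extension list and the sample events are assumptions chosen for the demonstration.

```python
"""Burst detection for ransomware-style file activity on a file server.

Added example for this page; it is not Progent's code or any ProSight
product logic. The log format (timestamp host user action path, one event
per line) and the sample events are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Extensions this (hypothetical) organisation expects to see on its shares.
# A RENAME to anything else counts as suspicious churn.
KNOWN_EXTENSIONS = {"xlsx", "docx", "pdf", "dwg", "txt", "csv", "pst", "bak"}

WINDOW_SECONDS = 60       # sliding window per (host, user)
BURST_THRESHOLD = 25      # writes + renames inside the window before we look closer
CHURN_THRESHOLD = 0.5     # fraction of renames that land on an unknown extension


def parse_line(line):
    """Split one constructed audit line into its five fields."""
    ts, host, user, action, path = line.split(maxsplit=4)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, host, user, action, path


def extension(path):
    """Lower-cased final extension of a UNC or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def off_hours(when):
    """Weekend, or outside 07:00-19:00 UTC: bursts here deserve higher severity."""
    return when.weekday() >= 5 or not (7 <= when.hour < 19)


def detect_bursts(lines):
    """Return one alert per (host, user) whose activity crosses both thresholds."""
    recent = defaultdict(deque)   # (host, user) -> deque of (when, action, ext)
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        when, host, user, action, path = parse_line(line)
        if action not in ("WRITE", "RENAME"):
            continue                      # reads and deletes are ignored here
        key = (host, user)
        window = recent[key]
        window.append((when, action, extension(path)))
        while (when - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()              # drop events that aged out of the window
        if len(window) < BURST_THRESHOLD:
            continue
        renames = [ext for _, act, ext in window if act == "RENAME"]
        churn = (sum(1 for ext in renames if ext not in KNOWN_EXTENSIONS) / len(renames)
                 if renames else 0.0)
        if churn >= CHURN_THRESHOLD:
            alerts[key] = {               # latest state for this key wins
                "host": host,
                "user": user,
                "events_in_window": len(window),
                "unknown_ext_ratio": round(churn, 2),
                "off_hours": off_hours(when),
                "first_seen": window[0][0].isoformat(),
            }
    return list(alerts.values())


def constructed_sample():
    """Constructed events: a few weekday edits by one user, then a Saturday-night
    mass rename of engineering drawings to a '.locked' extension on another host."""
    normal = [
        "2021-03-05T14:01:02Z ws-acct-07 alice WRITE \\\\fs01\\finance\\q1-forecast.xlsx",
        "2021-03-05T14:05:40Z ws-acct-07 alice WRITE \\\\fs01\\finance\\notes.docx",
        "2021-03-05T14:06:11Z ws-acct-07 alice READ \\\\fs01\\finance\\budget.pdf",
    ]
    burst = [
        f"2021-03-06T23:10:{i:02d}Z ws-eng-12 jdoe RENAME \\\\fs01\\eng\\drawing-{i:03d}.dwg.locked"
        for i in range(30)
    ]
    return normal + burst


if __name__ == "__main__":
    for alert in detect_bursts(constructed_sample()):
        print(alert)
```

Running the block prints a single alert for ws-eng-12/jdoe with 30 events in the window, an unknown-extension ratio of 1.0 and off_hours set, while alice's handful of weekday edits never reaches the burst threshold. In production the same logic would sit on a SIEM or file-server audit feed, the window and thresholds would be tuned against a baseline of normal activity, and backup or archiving service accounts that legitimately touch thousands of files need an allow-list or they will trip the detector.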

Progent offers a range of services for protecting organizations from crypto-ransomware. These include user education to help staff recognize and not fall victim to phishing, ProSight Active Security Monitoring (ASM) for endpoint protection and ransomware defense, and deployment of current-generation security appliances with AI capabilities that can identify and block zero-day threats quickly. Progent also provides seasoned crypto-ransomware recovery professionals with the skill and commitment to restore a breached environment as urgently as possible.

Progent's Ransomware Recovery Help
Following a crypto-ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the remote criminals will respond with keys that decrypt any of your data. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNet estimates at about $13,000. The other path is to rebuild the critical parts of your IT environment. Without usable backups, this calls for a wide range of skill sets, professional project management, and the willingness to work around the clock until the recovery is done.

For decades, Progent has provided professional IT services for businesses in Roseville and throughout the US and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who hold advanced industry certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security engineers have earned internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP software. This breadth of experience lets Progent rapidly identify the systems that matter, reorganize the surviving parts of your network after a crypto-ransomware attack, and assemble them into a functioning environment.

Progent's ransomware group uses modern project management tools to orchestrate the complex recovery process. Progent appreciates the importance of working rapidly and in unison with a customer's management and IT team members to prioritize tasks and get essential systems back online as fast as possible.

Customer Case Study: A Successful Crypto-Ransomware Penetration Restoration
A client escalated to Progent after their network was hit by the Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of code it shares with the earlier Hermes ransomware, but later analysis tied it to a Russian-speaking criminal group. Ryuk is deployed manually by its operators against specific organizations with little tolerance for operational disruption and is among the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer in the Chicago metro area with about 500 workers. The Ryuk intrusion had shut down all company operations and manufacturing. Most of the client's backups had been online and reachable from the compromised network when the attack began, and were destroyed along with the production data. The client was preparing to pay the ransom (more than $200K) and hope for the best, but in the end engaged Progent.

"I cannot tell you enough in regards to the care Progent gave us during the most fearful period of (our) business's life. We would have paid the criminal gangs if it wasn't for the confidence the Progent experts provided us. That you were able to get our e-mail and important applications back into operation quicker than five days was amazing. Each staff member I interacted with or texted at Progent was absolutely committed to getting us operational and was working 24 by 7 to bail us out."

Progent worked with the client to rapidly identify and prioritize the mission-critical systems that had to be recovered before company operations could resume:

  • Windows Active Directory
  • Microsoft Exchange Server
  • MRP System
To begin, Progent followed incident response best practice: contain the spread by isolating infected systems, then eradicate the malware before rebuilding. Progent then began restoring Microsoft Active Directory, the foundation of any enterprise environment built on Windows. Microsoft Exchange will not function without AD, and the client's financial and MRP applications ran on SQL Server, which relied on Active Directory for authentication and authorization to the data.

Within two days, Progent had recovered Active Directory to its pre-attack state. Progent then reinstalled key applications and recovered their storage. All Exchange Server links and configuration data were intact, which simplified the Exchange restore. Progent was able to collect the local OST files (Outlook offline data files) from staff PCs and laptops to recover mailbox contents. A reasonably recent offline backup of the client's manufacturing systems made it possible to bring these vital services back to users. Although a great deal of work remained to recover fully from the Ryuk incident, critical services were recovered rapidly:

"For the most part, the production manufacturing operation did not miss a beat and we delivered all customer shipments."
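The manufacturing restore above succeeded because one backup was offline and therefore untouched, while the online backups were encrypted with everything else. Before relying on any snapshot it is worth confirming that it predates the encryption rather than containing already-encrypted data. The script below is an added example, not Progent's or ProSight DPS code: it walks a mounted copy of a backup, measures the Shannon entropy of each file's leading bytes, and flags high-entropy files whose extension is not a compressed format, or whose extension claims a compressed format but whose header bytes do not match it (which catches files encrypted in place under their original name). The entropy threshold, the extension and magic-byte tables, and the constructed sample files are assumptions made for the demonstration.

```python
"""Check a restore candidate for signs that it was already encrypted when the
snapshot was taken.

Added example for this page; not Progent's or ProSight DPS code. Thresholds,
format tables and the constructed sample files are assumptions for the
demonstration. A real run would point scan_backup() at a read-only mount of
the backup set.
"""
import math
import os
import tempfile
from collections import Counter

# Formats that are high-entropy by design (compressed containers, images).
# They are not flagged on entropy alone, only when their header is wrong.
COMPRESSED_EXTENSIONS = {"zip", "gz", "7z", "jpg", "jpeg", "png", "mp4",
                         "pdf", "docx", "xlsx", "pst"}
# Expected leading bytes for the formats we can cheaply verify.
MAGIC = {"zip": b"PK\x03\x04", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04",
         "pdf": b"%PDF", "png": b"\x89PNG", "gz": b"\x1f\x8b"}
ENTROPY_LIMIT = 7.2   # bits per byte; plain documents sit well below this
MIN_SIZE = 256        # tiny files give noisy entropy estimates, skip them


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scan_backup(root, sample_bytes=65536):
    """Walk `root` and flag files that look like they were encrypted by an intruder."""
    flagged, scanned = [], 0
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) < MIN_SIZE:
                continue
            scanned += 1
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            ent = shannon_entropy(head)
            if ent < ENTROPY_LIMIT:
                continue                      # ordinary document, leave it alone
            ext = file_extension(name)
            expected = MAGIC.get(ext)
            if ext not in COMPRESSED_EXTENSIONS:
                reason = "high entropy with an unrecognised extension"
            elif expected is not None and not head.startswith(expected):
                reason = "high entropy and header does not match the extension"
            else:
                continue                      # genuine compressed format
            flagged.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "entropy": round(ent, 2),
                "reason": reason,
            })
    return {"scanned": scanned, "flagged": flagged, "safe_to_restore": not flagged}


def build_constructed_sample(root):
    """Write four constructed files that stand in for a backup snapshot."""
    finance = os.path.join(root, "finance")
    os.makedirs(finance, exist_ok=True)
    text = ("Q1 forecast: revenue 1,200,000; cogs 740,000; opex 310,000.\n" * 20).encode()
    with open(os.path.join(finance, "forecast.txt"), "wb") as fh:
        fh.write(text)                                        # plain text, low entropy
    with open(os.path.join(finance, "scan.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + os.urandom(4096))     # real PNG header, passes
    with open(os.path.join(finance, "ledger.xlsx.locked"), "wb") as fh:
        fh.write(os.urandom(4096))                            # encrypted and renamed
    with open(os.path.join(finance, "invoice.docx"), "wb") as fh:
        fh.write(os.urandom(4096))                            # encrypted in place


def demo():
    """Build the constructed snapshot in a temp directory, scan it, clean up."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        return scan_backup(root)


if __name__ == "__main__":
    report = demo()
    print("scanned:", report["scanned"], "safe to restore:", report["safe_to_restore"])
    for item in report["flagged"]:
        print(item)
```

demo() builds the sample snapshot in a temporary directory and returns the report: the renamed file and the in-place-encrypted .docx are flagged, while the plain text and the genuine PNG pass. Entropy is a heuristic, not proof. It misses ransomware that encrypts only the first part of each file, and formats absent from the magic table are judged on extension alone, so treat a clean result as one piece of evidence alongside the snapshot's timestamp and the attack timeline.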

Over the following few weeks, key milestones in the restoration were reached through close cooperation between Progent engineers and the client:

  • Self-hosted web applications were brought back up without data loss.
  • The MailStore email archive, holding more than four million archived Exchange messages, was restored to operation and made accessible to users.
  • The CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory modules were fully operational.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • Most desktop computers were functioning as they had before the incident.

"A huge amount of what transpired those first few days is nearly entirely a fog for me, but my team will not soon forget the commitment each of the team accomplished to help get our company back. I have entrusted Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered. This event was a stunning achievement."

A probable business disaster was averted through the efforts of results-oriented experts, a broad spectrum of knowledge, and tight teamwork. In hindsight, the attack described here could have been blunted by modern security tooling, ISO/IEC 27001-aligned controls, staff training, backups kept offline or otherwise out of reach of a compromised account, and disciplined patching; the fact remains that well-resourced criminal and state-sponsored groups in Russia, China and elsewhere are relentless and will keep trying. If you are hit by crypto-ransomware, be confident that Progent's team has substantial experience in ransomware prevention, remediation, and data recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thanks very much for allowing me to get rested after we got over the initial fire. All of you did a fabulous job, and if any of your guys are visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Roseville a variety of remote monitoring and security assessment services to help reduce the threat from ransomware. These services incorporate modern AI capabilities to detect zero-day strains of ransomware that escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that uses next-generation behavioral machine learning to guard physical and virtual endpoints against modern malware such as ransomware and email phishing, which easily get past traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to manage the complete malware attack progression: protection, detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS (which depends on the shadow copies themselves surviving the attack) and automatic network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to attacks from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can help your business plan and implement a ProSight ESP deployment that meets your company's requirements and lets you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent can also help you install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses an affordable end-to-end service for secure backup and disaster recovery. Available at a low monthly rate, ProSight DPS automates and monitors your backup processes and allows rapid restoration of critical data, applications and VMs that have been lost or corrupted by hardware failure, software bugs, natural disasters, human error, or malware such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's backup and recovery consultants can provide expert help to set up ProSight Data Protection Services in compliance with regulatory requirements such as HIPAA, FERPA, and PCI and, when needed, can help you restore your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that builds on the infrastructure of leading information security vendors to deliver centralized management and strong security for your email traffic. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway device to defend against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a first barrier and keeps the vast majority of threats from ever reaching your security perimeter, which reduces your exposure to inbound attacks and saves bandwidth and storage. Email Guard's on-premises gateway device adds a further layer of inspection for incoming email. For outbound email, the local security gateway offers AV and anti-spam protection, DLP, and email encryption. The local gateway can also help Exchange Server track and protect internal email that originates and ends inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to diagram, track, optimize and troubleshoot their connectivity hardware such as switches, firewalls, and wireless controllers, plus servers, endpoints and other networked devices. Built on modern Remote Monitoring and Management (RMM) technology, WAN Watch keeps infrastructure topology diagrams up to date, backs up and displays the configuration of virtually every device on your network, monitors performance, and generates alerts when potential issues are detected. By automating complex network management processes, WAN Watch can cut hours off routine chores such as network mapping, expanding your network, locating devices that need important updates, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses modern remote monitoring and management (RMM) techniques to keep your network operating efficiently by checking the state of the critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT personnel and your assigned Progent engineering consultant so that potential problems can be resolved before they affect productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved easily to an alternate hosting solution without a time-consuming and difficult reinstallation. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard information about your IT infrastructure, procedures, business applications, and services. You can instantly find passwords or IP addresses and be warned about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save up to half of the time spent hunting for vital information about your network. ProSight IT Asset Management provides a centralized repository for holding and sharing all the documents required to manage your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Learn more about ProSight IT Asset Management service.
For 24/7/365 Roseville Ransomware Repair Services, contact Progent at 800-993-9400 or go to Contact Progent.