Ransomware: Your Crippling IT Disaster
Ransomware has become an escalating cyber pandemic that presents an existential threat to any organization vulnerable to attack. Older crypto-ransomware families such as Dharma, CryptoWall, Locky and MongoLock, along with the Syskey lockout scam, have circulated for years and still inflict damage. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, as well as a steady stream of unnamed variants, not only encrypt online data but also disable or destroy many of the protections a network relies on, including online backups. Data synchronized to the cloud can be encrypted along with it. On a vulnerable network this renders automatic recovery useless and effectively sets the organization back to square one.
Restoring systems and data after a ransomware event becomes a race against the clock as the targeted organization fights to contain the damage, eradicate the ransomware, and restore business-critical activity. Because ransomware needs time to spread laterally before it detonates, attacks are frequently triggered on weekends, when a successful intrusion usually takes longer to detect. This compounds the difficulty of quickly mobilizing and coordinating an experienced response team.
Progent offers a variety of support services for securing enterprises from ransomware attacks. These include staff education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus installation of the latest generation security appliances with AI technology to automatically identify and suppress zero-day cyber attacks. Progent also offers the services of experienced crypto-ransomware recovery consultants with the talent and commitment to restore a breached system as soon as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware event, paying the ransom in Bitcoin does not ensure that the attackers will provide working keys to decrypt any of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their data after sending the ransom, resulting in additional losses. The stakes are also high. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the mission-critical elements of your IT environment. Without access to complete offline backups, this requires a wide range of IT skills, well-coordinated team management, and the ability to work non-stop until the recovery is finished.
For decades, Progent has made available professional IT services for companies in Sacramento and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the capability to efficiently ascertain necessary systems and re-organize the remaining parts of your IT environment following a crypto-ransomware attack and configure them into a functioning network.
Progent's security team utilizes top notch project management applications to coordinate the complex restoration process. Progent understands the urgency of acting quickly and in concert with a client's management and IT team members to prioritize tasks and to put key systems back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Intrusion Recovery
A client sought out Progent after their organization was brought down by the Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored actors because of code it shares with the older Hermes ransomware; later analysis attributes it to Russian-speaking criminal groups. Ryuk targets organizations with little tolerance for disruption and is one of the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a manufacturing business located in the Chicago metro area with around 500 employees. The Ryuk event had paralyzed all business operations and manufacturing capabilities. Most of the client's backups had been online at the time of the attack and were destroyed. The client was actively seeking loans to pay the ransom demand (exceeding $200,000) and hoping for the best, but ultimately engaged Progent.
"I cannot tell you enough about the expertise Progent provided us throughout the most critical period of (our) company's existence. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent experts gave us. That you could get our e-mail system and important servers back on-line in under 1 week was earth shattering. Every single expert I talked with or communicated with at Progent was hell bent on getting our system up and was working 24/7 on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the key areas that had to be addressed to keep the company operating:
- Active Directory
- Email (Exchange Server)
- MRP System
Progent first followed incident-response best practice for a malware outbreak by containing lateral movement and removing active malware. Progent then began restoring Microsoft Active Directory, the foundation of an enterprise environment built on Windows Server: Exchange Server email cannot function without AD, and the customer's MRP software ran on Microsoft SQL Server, which relied on Windows AD to authenticate and authorize access to the data.
Within two days, Progent restored Active Directory to its pre-attack state. Progent then carried out reinstallations and storage recovery of critical systems. All Exchange Server data and attributes were intact, which simplified the Exchange rebuild. Progent was also able to collect Outlook Offline Data Files (OST files) from user workstations to recover email. A relatively recent offline backup of the customer's accounting/MRP systems made it possible to bring these vital applications back to users. Although major work remained to recover fully from the Ryuk event, core services were restored quickly:
"For the most part, the production manufacturing operation survived unscathed and we made all customer sales."
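The OST collection step described above is a common source of mail recovery when Exchange has been rebuilt but mailbox content is gone. The script below is an added example and is not Progent's own tooling; it runs from a clean administrative host, stops Outlook on each workstation so the locked OST can be read, checks each file's header so that ransomware-encrypted OSTs are flagged rather than collected, copies the intact files to a collection share, and writes a hashed manifest. The hostname list, the `C$` admin share, and the `\\recovery-nas\ost-collection` share are hypothetical assumptions.

```powershell
# Added example, not Progent's tooling: inventory and collect Outlook OST files
# from workstations after a ransomware incident so mailbox content can be
# recovered once Exchange is rebuilt. Run from a clean admin host.
# Assumptions (hypothetical): admin rights on each workstation, the C$ admin
# share reachable, a hostname list in C:\IR\workstations.txt, and an
# offline-capable collection share.
$Workstations    = Get-Content -Path 'C:\IR\workstations.txt'
$CollectionShare = '\\recovery-nas\ost-collection'
$Manifest        = Join-Path $CollectionShare 'manifest.csv'
$OstMagic        = [byte[]](0x21, 0x42, 0x44, 0x4E)   # "!BDN": first four bytes of a PST/OST file

function Test-OstHeader {
    # An OST that was encrypted by ransomware no longer starts with "!BDN";
    # only files that still carry the signature are worth collecting.
    param([string]$Path)
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf  = New-Object byte[] 4
        $read = $fs.Read($buf, 0, 4)
        return ($read -eq 4) -and (($buf -join ',') -eq ($OstMagic -join ','))
    } finally { $fs.Dispose() }
}

$records = foreach ($pc in $Workstations) {
    # Outlook keeps its OST open exclusively; stop it so the file can be read and copied.
    Invoke-Command -ComputerName $pc -ErrorAction SilentlyContinue -ScriptBlock {
        Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    # Default OST location for Outlook 2013 and later, reached over the admin share
    $pattern = "\\$pc\C$\Users\*\AppData\Local\Microsoft\Outlook\*.ost"
    foreach ($ost in Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue) {
        $user   = $ost.FullName.Split('\')[5]    # \\pc\C$\Users\<user>\...
        $intact = Test-OstHeader -Path $ost.FullName
        $dest   = Join-Path $CollectionShare "${pc}_${user}_$($ost.Name)"
        if ($intact) { Copy-Item -Path $ost.FullName -Destination $dest -Force }
        [pscustomobject]@{
            Computer  = $pc
            User      = $user
            Source    = $ost.FullName
            SizeMB    = [math]::Round($ost.Length / 1MB, 1)
            LastWrite = $ost.LastWriteTime
            Intact    = $intact
            Collected = $intact
            # Hash the copy so the collected evidence can be verified later
            SHA256    = if ($intact) { (Get-FileHash -Path $dest -Algorithm SHA256).Hash } else { '' }
        }
    }
}

$records | Export-Csv -Path $Manifest -NoTypeInformation
# Files that failed the header check were most likely encrypted; list them for follow-up
$records | Where-Object { -not $_.Intact } | Format-Table Computer, User, Source, LastWrite
```

Two caveats apply in practice. An OST only holds what Cached Exchange Mode had synchronized to that workstation, so coverage per user varies, and an OST is bound to the mailbox profile that created it, so recovering its contents means re-creating the profile against the rebuilt mailbox or converting the file with a dedicated tool rather than simply opening it in Outlook.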
Over the following few weeks important milestones in the recovery process were achieved in close collaboration between Progent consultants and the customer:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore Server, holding more than 4 million archived emails, was brought back up and made accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control functions were 100% functional.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Nearly all of the user desktops and notebooks were fully operational.
"A lot of what transpired that first week is nearly entirely a fog for me, but we will not forget the care each of you accomplished to give us our business back. I've been working with Progent for at least 10 years, maybe more, and every time I needed help Progent has come through and delivered. This situation was a Herculean accomplishment."
A probable business-ending catastrophe was avoided through the efforts of results-oriented professionals, a wide range of subject matter expertise, and tight teamwork. In retrospect, the ransomware attack described here should have been identified and blocked with modern cyber security solutions and ISO/IEC 27001 best practices, user education, and well-designed procedures for data backup and software patching; the reality, however, is that state-sponsored and criminal hackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incursion, remember that Progent's team of professionals has a proven track record in ransomware blocking, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for making it so I could get some sleep after we made it over the initial push. All of you did a fabulous effort, and if any of your team is around the Chicago area, dinner is on me!"
To read or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Sacramento a variety of online monitoring and security assessment services to help you reduce your exposure to ransomware. These services include next-generation artificial intelligence capability to uncover new strains of ransomware that are able to get past traditional signature-based security products.
For 24-hour ransomware removal and recovery support services in Sacramento, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates next-generation behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to manage the complete malware attack progression, including filtering, detection, mitigation, cleanup, and forensics. Key features include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to cyber threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering via leading-edge tools packaged within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help you plan and configure a ProSight ESP environment that meets your organization's unique requirements and that helps you demonstrate compliance with government and industry information security standards. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent's consultants can also help your company install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security incident like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and medium-sized organizations a low-cost and fully managed service for reliable backup and disaster recovery. Available at a fixed monthly rate, ProSight DPS automates and monitors your backup activities and enables rapid recovery of vital data, applications and virtual machines that have been lost or damaged as a result of hardware failures, software glitches, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's BDR specialists can provide advanced expertise to set up ProSight Data Protection Services to comply with government and industry regulatory standards like HIPAA, FERPA, and PCI DSS and, when needed, can help you restore your business-critical information. Read more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security companies to provide centralized management and world-class protection for all your email traffic. The architecture of Email Guard combines cloud-based filtering with an on-premises gateway appliance to provide layered protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and keeps most threats from reaching your network firewall. This reduces your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway device adds a deeper level of inspection for inbound email. For outgoing email, the on-premises security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also help Exchange Server monitor and protect internal email traffic that stays inside your security perimeter. For more information, visit Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller organizations to map out, monitor, reconfigure and debug their networking appliances like switches, firewalls, and access points plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are always updated, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and sends notices when issues are detected. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding appliances that need important updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to keep your network operating at peak levels by tracking the state of the critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so that potential issues can be addressed before they disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host configured and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported immediately to a different hardware environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be warned about impending expirations of SSL/TLS certificates or domain registrations. By updating and organizing your IT infrastructure documentation, you can save as much as half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.