Ransomware: Your Crippling IT Disaster
Crypto-ransomware has become a too-frequent cyberplague that presents an enterprise-level threat to organizations poorly prepared for an assault. Older families such as CryptoLocker, Fusob, Bad Rabbit, Syskey and the MongoLock cryptoworms have been circulating for a long time and continue to cause destruction. Recent variants like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, plus as-yet-unnamed newcomers, not only encrypt on-line files but also corrupt many configured system restore points and backups. Files synched to off-site disaster recovery sites can be ransomed as well. On a vulnerable system this can make automatic restoration impossible and effectively set the entire environment back to zero.
Recovering applications and information after a ransomware event becomes a race against the clock as the targeted business fights to stop the spread, eradicate the crypto-ransomware, and restore mission-critical activity. Because crypto-ransomware needs time to replicate, attacks are often sprung on weekends, when a successful penetration typically takes longer to notice. This compounds the difficulty of quickly marshalling and coordinating a qualified mitigation team.
Progent has a range of solutions for securing organizations from crypto-ransomware events. Among these are team member training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of the latest generation security gateways with AI technology to rapidly detect and quarantine zero-day cyber attacks. Progent also provides the assistance of experienced ransomware recovery consultants with the talent and commitment to rebuild a compromised system as soon as possible.
Progent's Ransomware Restoration Support Services
Following a crypto-ransomware event, even paying the ransom in cryptocurrency does not ensure that the cyber criminals will return the keys needed to decrypt all your data. Kaspersky found that seventeen percent of ransomware victims never recovered their files after sending off the ransom, compounding their losses. The gamble is also very costly: Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), well above the usual crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to rebuild the mission-critical elements of your IT environment. Without access to essential information backups, this requires a broad complement of skills, professional project management, and the willingness to work 24x7 until the recovery project is completed.
For two decades, Progent has provided expert Information Technology services for businesses in San Francisco and across the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally-renowned certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise provides Progent the ability to rapidly understand critical systems and consolidate the surviving components of your network system after a crypto-ransomware penetration and rebuild them into an operational network.
Progent's recovery group uses best-of-breed project management applications to coordinate the complicated recovery process. Progent understands the importance of working rapidly and in unison with a customer's management and IT resources to prioritize tasks and put key systems back on line as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Penetration Recovery
A customer escalated to Progent after their organization was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean government-sponsored cybercriminals, possibly adopting techniques exposed from the United States National Security Agency. Ryuk goes after specific businesses with little ability to sustain disruption and is one of the most profitable instances of ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago with about 500 staff members. The Ryuk event had frozen all essential operations and manufacturing processes. Most of the client's backups had been on-line at the time of the attack and were eventually encrypted. The client was evaluating paying the ransom (in excess of $200,000) and hoping for good luck, but in the end decided to use Progent.
"I can't say enough in regards to the support Progent gave us throughout the most stressful period of (our) company's life. We had little choice but to pay the cybercriminals if not for the confidence the Progent team gave us. That you could get our e-mail and essential applications back online quicker than five days was beyond my wildest dreams. Each consultant I interacted with or messaged at Progent was amazingly focused on getting us back on-line and was working 24/7 to bail us out."
Progent worked together with the client to rapidly get our arms around and assign priority to the critical areas that needed to be addressed in order to resume departmental operations:
- Active Directory (AD)
- Microsoft Exchange Email
- MRP System
To begin, Progent followed anti-virus penetration-mitigation best practices by halting the spread and removing active malware. Progent then initiated the process of bringing Active Directory, the heart of enterprise networks built on Microsoft Windows technology, back online. Exchange messaging will not work without Windows AD, and the client's MRP system utilized Microsoft SQL Server, which needs Active Directory for authentication and authorization to the database.
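The restore sequence described in the case study is a dependency problem: Exchange and the SQL Server-backed MRP system cannot come up until Active Directory is authenticating again. The script below is an added illustration, not Progent's tooling or any code from the case study. It encodes a constructed dependency graph (the AD-integrated DNS entry is an assumption added for illustration), computes a restore order in which every dependency precedes its dependents, reports which services gate a given application, and flags a proposed runbook that restores things in the wrong order.

```python
"""Dependency-ordered recovery planning for core services after a ransomware event.

Added example, not Progent's code. The graph is a constructed sample that mirrors
the case study: Exchange and the SQL-backed MRP system both depend on Active Directory.
"""
from collections import deque

# Constructed sample: service -> services that must be restored before it.
# "DNS" depending on AD is an assumption (AD-integrated DNS zones); the rest
# follows the dependencies stated in the case study.
RECOVERY_DEPENDENCIES = {
    "Active Directory": [],
    "DNS": ["Active Directory"],
    "Microsoft Exchange": ["Active Directory", "DNS"],
    "SQL Server": ["Active Directory"],
    "MRP System": ["SQL Server"],
}


def recovery_order(deps):
    """Return a restore sequence where every dependency precedes its dependents.

    Uses Kahn's topological sort. Ties are broken alphabetically so the output is
    deterministic. A cycle means no valid order exists, so it raises ValueError.
    """
    indegree = {svc: 0 for svc in deps}
    dependents = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for dep in needs:
            if dep not in deps:
                raise ValueError(f"{svc} depends on unknown service {dep}")
            indegree[svc] += 1
            dependents[dep].append(svc)

    ready = deque(sorted(svc for svc, n in indegree.items() if n == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for child in sorted(dependents[svc]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)

    if len(order) != len(deps):
        stuck = sorted(svc for svc in deps if svc not in order)
        raise ValueError("cycle in dependencies involving: " + ", ".join(stuck))
    return order


def blocked_by(service, deps):
    """Return the full (transitive) set of services that must be up before `service`."""
    seen = set()
    stack = list(deps[service])
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(deps[dep])
    return seen


def validate_order(order, deps):
    """Check a proposed runbook sequence against the dependency graph.

    Returns a list of (service, dependency) pairs where the service is scheduled
    before one of its dependencies, or where the dependency is never restored at all.
    Services absent from the proposed order are not checked.
    """
    position = {svc: i for i, svc in enumerate(order)}
    violations = []
    for svc, needs in deps.items():
        if svc not in position:
            continue
        for dep in needs:
            if dep not in position or position[dep] > position[svc]:
                violations.append((svc, dep))
    return violations


if __name__ == "__main__":
    plan = recovery_order(RECOVERY_DEPENDENCIES)
    print("Restore order:", " -> ".join(plan))
    print("MRP System is gated by:", sorted(blocked_by("MRP System", RECOVERY_DEPENDENCIES)))
    bad_runbook = ["MRP System", "SQL Server", "Active Directory"]
    print("Violations in bad runbook:", validate_order(bad_runbook, RECOVERY_DEPENDENCIES))
```

The same `validate_order` check is useful before an incident: run it over the restore steps in an existing disaster recovery runbook to catch a plan that brings up an application before the directory or database it authenticates against.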
Within two days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then charged ahead with rebuilding and hard drive recovery on key servers. All Microsoft Exchange Server data and attributes were intact, which greatly helped the restoration of Exchange. Progent was able to find intact OST files (Microsoft Outlook Offline Folder Files) on user workstations and laptops and used them to recover mail information. A recent offline backup of the client's accounting/MRP systems made it possible to bring these essential programs back on-line. Although major work still had to be done to recover fully from the Ryuk virus, critical systems were restored quickly:
"For the most part, the production line operation did not miss a beat and we produced all customer sales."
During the next month key milestones in the restoration project were made in close cooperation between Progent consultants and the client:
- Self-hosted web sites were brought back up without losing any data.
- The MailStore Microsoft Exchange Server with over four million archived emails was spun up and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were 100 percent restored.
- A new Palo Alto 850 firewall was installed.
- Nearly all of the desktops and laptops were functioning as before the incident.
"A huge amount of what transpired during the initial response is mostly a fog for me, but I will not soon forget the commitment each and every one of the team put in to help get our business back. I have trusted Progent for at least 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This situation was a stunning achievement."
A likely company-ending catastrophe was averted with dedicated professionals, a broad array of IT skills, and close collaboration. In hindsight, the crypto-ransomware penetration described here could have been identified and disabled with modern cyber security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, well-designed incident response procedures for data protection, and proper patching controls. The fact remains, however, that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, be assured that Progent's team of professionals has proven experience in crypto-ransomware blocking, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thank you for allowing me to get rested after we got over the initial fire. Everyone did an incredible effort, and if any of your team is in the Chicago area, a great meal is on me!"
To review or download a PDF version of this customer case study, see Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers companies in San Francisco a range of online monitoring and security evaluation services designed to assist you to reduce the threat from crypto-ransomware. These services incorporate next-generation AI technology to detect zero-day strains of ransomware that can get past traditional signature-based anti-virus products.
For 24-7 San Francisco Crypto-Ransomware Remediation Help, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes cutting-edge behavioral machine learning technology to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely escape traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to manage the complete malware attack lifecycle, including blocking, detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows VSS and real-time network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to security assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP environment that meets your company's specific requirements and that allows you to demonstrate compliance with government and industry data security regulations. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent can also help your company install and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses a low-cost end-to-end solution for reliable backup/disaster recovery (BDR). Available at a low monthly price, ProSight Data Protection Services automates your backup activities and enables rapid restoration of critical files, applications and virtual machines that have become unavailable or corrupted due to hardware breakdowns, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's BDR consultants can deliver advanced expertise to configure ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you restore your business-critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security vendors to provide web-based management and world-class protection for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps most threats from reaching your security perimeter. This decreases your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway device adds a further layer of inspection for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, monitor, reconfigure and troubleshoot their connectivity appliances such as switches, firewalls, and access points as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are always current, captures and displays the configuration of virtually all devices on your network, monitors performance, and generates notices when issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, finding devices that require important updates, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management techniques to keep your network operating at peak levels by checking the health of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT personnel and your Progent engineering consultant so that any looming issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be ported immediately to a different hosting solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your network documentation, you can eliminate as much as half of the time spent looking for vital information about your IT network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Read more about ProSight IT Asset Management service.