Crypto-Ransomware : Your Worst IT Disaster
Ransomware has become a modern cyber pandemic that poses an extinction-level danger for organizations vulnerable to an assault. Versions of crypto-ransomware such as CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for many years and continue to inflict destruction. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Egregor, along with additional unnamed newcomers, not only do encryption of on-line data but also infect any configured system backups. Files synchronized to the cloud can also be rendered useless. In a poorly architected system, this can render any recovery impossible and basically sets the network back to zero.
Restoring services and information following a ransomware attack becomes a sprint against time as the targeted business tries its best to stop the spread and remove the ransomware and to resume mission-critical activity. Because ransomware needs time to move laterally, penetrations are frequently launched at night, when successful attacks may take longer to identify. This multiplies the difficulty of rapidly assembling and orchestrating a knowledgeable response team.
Progent makes available a range of services for securing organizations from ransomware attacks. Among these are user training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security appliances with artificial intelligence capabilities to quickly detect and disable zero-day cyber threats. Progent also offers the services of seasoned crypto-ransomware recovery professionals with the talent and perseverance to re-deploy a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
Soon after a ransomware penetration, sending the ransom demands in Bitcoin cryptocurrency does not guarantee that criminal gangs will provide the keys to unencrypt all your information. Kaspersky determined that 17% of crypto-ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the average ransomware demands, which ZDNET determined to be approximately $13,000. The other path is to re-install the key elements of your IT environment. Without access to full information backups, this requires a wide range of skill sets, professional team management, and the willingness to work non-stop until the task is over.
For decades, Progent has offered professional IT services for companies in San Rafael and across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained advanced certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial management and ERP software solutions. This breadth of expertise provides Progent the skills to efficiently understand critical systems and integrate the remaining pieces of your Information Technology system following a ransomware event and rebuild them into a functioning system.
Progent's security team deploys state-of-the-art project management tools to coordinate the complicated recovery process. Progent understands the urgency of working rapidly and in unison with a client's management and Information Technology resources to assign priority to tasks and to put critical applications back online as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Virus Response
A client hired Progent after their company was crashed by Ryuk ransomware. Ryuk is believed to have been developed by Northern Korean state sponsored criminal gangs, possibly using strategies leaked from the United States NSA organization. Ryuk goes after specific companies with little or no ability to sustain disruption and is among the most lucrative versions of crypto-ransomware. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in the Chicago metro area with around 500 staff members. The Ryuk penetration had shut down all company operations and manufacturing processes. Most of the client's system backups had been directly accessible at the beginning of the intrusion and were damaged. The client was actively seeking loans for paying the ransom (more than two hundred thousand dollars) and wishfully thinking for good luck, but in the end utilized Progent.
"I cannot thank you enough in regards to the care Progent provided us throughout the most stressful time of (our) companyís life. We would have paid the cyber criminals behind the attack if not for the confidence the Progent group provided us. The fact that you could get our e-mail system and production servers back online sooner than one week was incredible. Every single expert I worked with or messaged at Progent was hell bent on getting our system up and was working at all hours on our behalf."
Progent worked with the client to rapidly identify and prioritize the mission critical systems that needed to be restored to make it possible to continue business operations:
To begin, Progent followed Anti-virus incident response industry best practices by stopping the spread and cleaning systems of viruses. Progent then began the task of recovering Windows Active Directory, the heart of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange email will not work without AD, and the client's financials and MRP applications leveraged SQL Server, which needs Active Directory for access to the databases.
- Microsoft Active Directory
- Microsoft Exchange Email
- MRP System
Within 48 hours, Progent was able to re-build Active Directory services to its pre-attack state. Progent then performed reinstallations and hard drive recovery of mission critical applications. All Exchange schema and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to locate intact OST data files (Outlook Email Offline Folder Files) on team desktop computers and laptops in order to recover mail data. A not too old off-line backup of the customerís accounting software made them able to restore these vital applications back servicing users. Although major work was left to recover completely from the Ryuk attack, essential services were returned to operations rapidly:
"For the most part, the production manufacturing operation did not miss a beat and we made all customer sales."
Throughout the following few weeks important milestones in the recovery process were accomplished in tight cooperation between Progent team members and the client:
- Internal web applications were returned to operation without losing any information.
- The MailStore Exchange Server containing more than 4 million historical emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control capabilities were completely functional.
- A new Palo Alto 850 firewall was installed.
- Nearly all of the user desktops and notebooks were functioning as before the incident.
"A huge amount of what occurred that first week is nearly entirely a haze for me, but my management will not soon forget the dedication all of you accomplished to help get our business back. Iíve been working together with Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."
A potential business-killing disaster was avoided due to results-oriented professionals, a wide spectrum of subject matter expertise, and tight collaboration. Although upon completion of forensics the ransomware virus incident described here would have been shut down with advanced cyber security solutions and ISO/IEC 27001 best practices, user training, and properly executed incident response procedures for backup and proper patching controls, the reality remains that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware virus, feel confident that Progent's roster of professionals has proven experience in ransomware virus defense, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thank you for making it so I could get some sleep after we got past the most critical parts. Everyone did an fabulous effort, and if anyone is around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in San Rafael a portfolio of remote monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services utilize next-generation machine learning capability to uncover zero-day strains of ransomware that can evade legacy signature-based security products.
For San Rafael 24-Hour Crypto-Ransomware Removal Support Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting edge behavior analysis tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to manage the entire threat progression including protection, identification, mitigation, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable in-depth protection for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through cutting-edge technologies packaged within one agent accessible from a single control. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP deployment that meets your company's unique requirements and that helps you prove compliance with legal and industry data security standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent can also assist your company to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations a low cost end-to-end service for reliable backup/disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates your backup activities and allows fast recovery of critical data, apps and VMs that have become lost or damaged due to component failures, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery consultants can provide advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FIRPA, and PCI and, whenever needed, can assist you to recover your critical information. Read more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security companies to provide centralized control and world-class protection for all your inbound and outbound email. The hybrid structure of Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This reduces your vulnerability to external threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper layer of inspection for inbound email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and protect internal email that stays within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to diagram, monitor, enhance and debug their networking appliances such as routers, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, copies and manages the configuration information of virtually all devices on your network, monitors performance, and generates notices when problems are discovered. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, finding appliances that require important software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network operating efficiently by checking the state of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT management personnel and your Progent consultant so any potential issues can be resolved before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hosting environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard information about your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can eliminate up to half of time wasted looking for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether youíre planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Read more about ProSight IT Asset Management service.