Ransomware : Your Feared Information Technology Nightmare
Crypto-ransomware has become a modern cyberplague that presents an extinction-level threat for businesses vulnerable to an assault. Multiple generations of ransomware such as the Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for many years and still cause harm. The latest versions of crypto-ransomware such as Ryuk and Hermes, along with as yet unnamed newcomers appearing daily, not only encrypt online critical data but also attack every configured system protection. Information synched to off-site disaster recovery sites can also be corrupted. In a poorly designed environment, this can make automated recovery useless and effectively knocks the datacenter back to zero.
Getting services and information back following a ransomware event becomes a sprint against time as the victim fights to stop the spread, eradicate the ransomware, and resume business-critical operations. Because ransomware needs time to spread, attacks are often launched on weekends, when successful intrusions typically take longer to detect. This compounds the difficulty of quickly mobilizing and coordinating a capable mitigation team.
Progent provides a range of services for protecting businesses from crypto-ransomware events. Among these are team member training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security gateways with machine learning capabilities to quickly detect and extinguish new cyber attacks. Progent can also provide the assistance of veteran crypto-ransomware recovery consultants with the talent and commitment to rebuild a breached environment as rapidly as possible.
Progent's Ransomware Restoration Help
After a ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the criminal gang will respond with the keys needed to decipher all your information. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their files even after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET averages at around $13,000. The alternative is to set up the critical components of your IT environment from scratch. Without access to full data backups, this requires a broad complement of IT skills, well-coordinated project management, and the ability to work continuously until the recovery project is complete.
For twenty years, Progent has made available certified expert IT services for companies in Santa Cruz and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise with accounting and ERP application software. This breadth of expertise gives Progent the skills to quickly understand the necessary systems after a ransomware penetration, integrate the surviving components of your network, and assemble them into a functioning system.
Progent's ransomware group has state-of-the-art project management systems to orchestrate the complicated restoration process. Progent appreciates the urgency of working quickly and in unison with a client's management and IT staff to assign priority to tasks and to put key systems back online as fast as possible.
Customer Story: A Successful Crypto-Ransomware Penetration Response
A small business contacted Progent after their organization was attacked by the Ryuk ransomware virus. Ryuk is generally considered to have been developed by North Korean government-sponsored criminal gangs, suspected of using technology exposed from the U.S. NSA organization. Ryuk seeks out specific organizations with limited ability to sustain disruption and is among the most profitable instances of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago with about 500 workers. The Ryuk event had paralyzed all business operations and manufacturing capabilities. The majority of the client's backups had been online at the beginning of the attack and were damaged. The client was evaluating paying the ransom (in excess of $200K) and hoping for good luck, but in the end brought in Progent.
"I cannot say enough about the support Progent gave us during the most stressful period of (our) company's survival. We had little choice but to pay the cybercriminals if not for the confidence the Progent experts afforded us. The fact that you could get our messaging and important applications back into operation in less than five days was something I thought impossible. Each expert I worked with or messaged at Progent was amazingly focused on getting us operational and was working at all hours on our behalf."
Progent worked hand in hand with the client to rapidly understand and prioritize the most important elements that needed to be restored to make it possible to resume departmental functions:
- Active Directory (AD)
- Exchange Server
To begin, Progent followed anti-virus incident mitigation industry best practices by halting lateral movement and clearing infected systems. Progent then initiated the process of bringing Windows Active Directory back online, the core of enterprise systems built on Microsoft Windows technology. Exchange email will not work without Active Directory, and the business's financial and MRP applications used SQL Server, which requires Windows AD for access to the databases.
In less than two days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then completed setup and storage recovery on mission-critical systems. All Microsoft Exchange Server ties and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to gather local OST data files (Outlook Offline Data Files) from user workstations in order to recover mail data. A recent offline backup of the business's financial/ERP systems made it possible to bring these essential applications back online for users. Although significant work remained to recover completely from the Ryuk damage, critical systems were returned to operation rapidly:
"For the most part, the production manufacturing operation did not miss a beat and we delivered all customer orders."
Over the next month critical milestones in the restoration process were achieved in tight cooperation between Progent engineers and the client:
- Self-hosted web applications were restored without losing any data.
- The MailStore Microsoft Exchange Server with over four million archived messages was restored to operations and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable/AR/Inventory Control functions were fully restored.
- A new Palo Alto 850 firewall was installed and configured.
- 90% of the user workstations were fully operational.
"A lot of what happened in the early hours is nearly entirely a blur for me, but my management will not soon forget the care each and every one of the team put in to give us our business back. I've trusted Progent for the past ten years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."
A possible business-killing disaster was averted thanks to dedicated experts, a broad spectrum of technical expertise, and close teamwork. In post mortem, the ransomware attack described here would have been identified and stopped by modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well-thought-out security procedures for information protection and software patching. The reality, however, is that state-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware incident, remember that Progent's team of professionals has a proven track record in ransomware defense, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for letting me get rested after we got through the first week. All of you did an incredible job, and if any of your team is around the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this ransomware incident report, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Santa Cruz a variety of remote monitoring and security assessment services to help minimize the threat from crypto-ransomware. These services include modern artificial intelligence technology to detect new strains of ransomware that can evade traditional signature-based security solutions.
For Santa Cruz 24x7 Ransomware Repair Help, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates next-generation behavioral machine learning technology to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which routinely escape legacy signature-based AV tools. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to automate the complete malware attack lifecycle, including filtering, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback using the Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to cyber assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device management, and web filtering via cutting-edge technologies packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that meets your organization's unique needs and that allows you to achieve and demonstrate compliance with government and industry information protection standards. Progent will assist you in specifying and implementing the security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate action. Progent can also assist you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business rapidly after a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable and fully managed solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly price, ProSight Data Protection Services automates your backup processes and enables fast restoration of critical files, apps and VMs that have been lost or corrupted as a result of hardware breakdowns, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to a local device, or mirrored to both. Progent's cloud backup consultants can provide advanced expertise to configure ProSight DPS to be compliant with government and industry regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, whenever needed, can assist you to restore your business-critical data. Find out more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security vendors to provide centralized control and world-class protection for your inbound and outbound email. The layered architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide advanced protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance adds a further level of inspection for inbound email. For outbound email, the onsite gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server to monitor and safeguard internal email that stays within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map out, track, optimize and debug their connectivity hardware such as routers, switches, firewalls, and load balancers, plus servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are always current, captures and manages the configuration information of almost all devices on your network, monitors performance, and sends alerts when potential issues are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary tasks such as making network diagrams, expanding your network, finding devices that require critical updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by tracking the state of the vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management staff and your Progent engineering consultant so that any looming problems can be addressed before they impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported easily to a different hosting solution without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and protect data about your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a common location for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're making improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require when you need it. Read more about ProSight IT Asset Management service.