Ransomware : Your Worst IT Disaster
Ransomware has become a modern cyberplague that poses an extinction-level threat for businesses of all sizes that are poorly prepared for an assault. Multiple generations of ransomware like the Dharma, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been running rampant for a long time and continue to inflict harm. The latest variants of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Nephilim, along with more unnamed strains, not only encrypt online data but also infect any reachable system restore points and backups. Data replicated to cloud environments can also be encrypted. In a poorly architected system, this can render automated restoration impossible and effectively knocks the datacenter back to zero.
Restoring applications and data after a crypto-ransomware attack becomes a sprint against time as the targeted organization struggles to stop the spread, clear the ransomware, and restore business-critical operations. Since crypto-ransomware takes time to spread, attacks are usually launched at night, when they may take longer to detect. This multiplies the difficulty of rapidly assembling and coordinating an experienced response team.
Progent makes available a variety of services for securing enterprises from crypto-ransomware attacks. Among these are team training to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security appliances with machine learning capabilities to automatically discover and disable zero-day threats. Progent in addition provides the assistance of experienced crypto-ransomware recovery professionals with the track record and commitment to re-deploy a breached environment as rapidly as possible.
Progent's Crypto-Ransomware Restoration Help
Subsequent to a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not guarantee that distant criminals will provide the keys to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never restored their data even after having paid the ransom, resulting in further losses. The risk is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demands, which ZDNET averages to be in the range of $13,000. The fallback is to set up the key parts of your IT environment from scratch. Without access to essential system backups, this calls for a broad range of skill sets, top notch project management, and the ability to work 24x7 until the task is done.
For decades, Progent has offered expert IT services for companies in Tampa and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained advanced certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience with financial management and ERP application software. This breadth of experience affords Progent the ability to efficiently understand important systems and integrate the surviving parts of your Information Technology system following a crypto-ransomware penetration and configure them into an operational system.
Progent's recovery team uses top notch project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting rapidly and in concert with a client's management and IT team members to assign priority to tasks and to put the most important applications back online as fast as humanly possible.
Customer Story: A Successful Ransomware Penetration Restoration
A small business hired Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored cybercriminals, possibly using algorithms leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little or no room for disruption and is one of the most profitable iterations of ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in the Chicago metro area with around 500 workers. The Ryuk event had disabled all business operations and manufacturing capabilities. The majority of the client's backups had been online at the beginning of the attack and were destroyed. The client was evaluating paying the ransom (in excess of $200,000) and hoping for good luck, but ultimately engaged Progent.
"I cannot speak enough about the expertise Progent provided us during the most critical time of (our) business's existence. We may have had to pay the hackers behind this attack if not for the confidence the Progent team gave us. That you were able to get our messaging and essential applications back quicker than seven days was beyond my wildest dreams. Every single expert I worked with or e-mailed at Progent was totally committed to getting us back on-line and was working all day and night on our behalf."
Progent worked together with the customer to quickly identify and assign priority to the most important services that had to be restored in order to resume departmental operations:
- Windows Active Directory
- Microsoft Exchange Server
- MRP System
To start, Progent followed ransomware incident response best practices by stopping the spread and performing virus removal steps. Progent then began the work of restoring Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server email will not operate without Active Directory, and the customer's financials and MRP applications utilized Microsoft SQL, which requires Windows AD for security authorization to the databases.
In less than 48 hours, Progent was able to restore Active Directory to its pre-penetration state. Progent then helped perform setup and hard drive recovery of critical applications. All Microsoft Exchange Server ties and attributes were intact, which greatly helped the restore of Exchange. Progent was able to locate non-encrypted OST files (Outlook Offline Data Files) on staff PCs in order to recover email information. A relatively recent offline backup of the business's accounting software made it possible to bring these essential applications back online. Although a large amount of work remained to recover totally from the Ryuk damage, the most important systems were returned to operation quickly:
"For the most part, the production operation was never shut down and we produced all customer deliverables."
Over the following month critical milestones in the recovery process were completed in tight collaboration between Progent engineers and the customer:
- Self-hosted web applications were returned to operation with no loss of information.
- The MailStore email archive server for Exchange, holding more than 4 million historical emails, was brought on-line and made available to users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory modules were fully functional.
- A new Palo Alto 850 firewall was set up.
- Most of the user desktops were operational.
"Much of what happened during the initial response is nearly entirely a blur for me, but my management will not forget the care all of the team put in to give us our business back. I've been working with Progent for the past 10 years, maybe more, and each time Progent has shined and delivered. This event was the most impressive ever."
A likely business-ending disaster was averted through the efforts of top-tier experts, a wide array of knowledge, and tight teamwork. Although in retrospect the crypto-ransomware virus penetration described here could have been shut down with modern cyber security systems and ISO/IEC 27001 best practices, team training, and well designed incident response procedures for data protection and applying software patches, the fact remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware penetration, feel confident that Progent's roster of professionals has extensive experience in crypto-ransomware virus defense, mitigation, and file restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for letting me get rested after we made it through the initial fire. All of you did a fabulous job, and if any of your team is around the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF - 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Tampa a range of online monitoring and security evaluation services to help you to minimize your vulnerability to crypto-ransomware. These services include next-generation machine learning capability to uncover zero-day strains of crypto-ransomware that can get past legacy signature-based anti-virus solutions.
For 24-7 Tampa Crypto Removal Consulting, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior analysis technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which routinely escape legacy signature-matching AV tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to automate the complete threat lifecycle including filtering, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, device management, and web filtering via leading-edge tools incorporated within a single agent accessible from a single control. Progent's security and virtualization experts can help you to plan and implement a ProSight ESP deployment that meets your company's unique requirements and that helps you prove compliance with government and industry information protection standards. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for urgent action. Progent's consultants can also assist you to install and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and mid-sized businesses a low cost end-to-end solution for reliable backup/disaster recovery. Available at a fixed monthly cost, ProSight Data Protection Services automates your backup activities and enables fast recovery of critical data, apps and VMs that have become lost or damaged due to hardware breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or to both. Progent's cloud backup consultants can deliver world-class expertise to set up ProSight DPS to be compliant with regulatory standards such as HIPAA, FINRA, and PCI and, when necessary, can help you to restore your business-critical information. Find out more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security companies to provide web-based control and comprehensive security for all your email traffic. The powerful structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your vulnerability to external attacks and saves system bandwidth and storage. Email Guard's onsite security gateway device provides a deeper level of inspection for incoming email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Microsoft Exchange Server monitor and safeguard internal email that stays inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, enhance and debug their networking hardware such as switches, firewalls, and load balancers as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are always updated, copies and manages the configuration of almost all devices on your network, tracks performance, and sends notices when problems are discovered. By automating complex network management processes, WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, locating appliances that require critical software patches, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by checking the health of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT personnel and your assigned Progent consultant so that all looming issues can be addressed before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Because the environment is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard data related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By updating and organizing your IT documentation, you can save as much as 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Learn more about ProSight IT Asset Management service.