Crypto-Ransomware : Your Worst IT Disaster
Crypto-Ransomware has become an escalating cyber plague that presents an extinction-level danger for organizations unprepared for an attack. Different iterations of ransomware such as Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for a long time and still cause damage. Modern versions of ransomware like Ryuk and Hermes, along with additional as yet unnamed malware, not only encrypt on-line files but also encrypt most backups that are reachable from the compromised network. Information replicated to cloud environments can also be ransomed. In a vulnerable environment, this can render automatic restoration impossible and effectively knocks the network back to zero.
Getting applications and information back on-line after a ransomware attack becomes a race against the clock as the targeted business struggles to stop lateral movement, remove the malware, and restore enterprise-critical activity. Because ransomware needs time to spread, attacks are usually sprung on weekends and holidays, when penetrations tend to take longer to identify. This compounds the difficulty of quickly assembling and organizing an experienced mitigation team.
Progent provides a variety of services for protecting businesses from ransomware events. These include team member education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security solutions with artificial intelligence technology to quickly detect and disable zero-day cyber threats. Progent also can provide the assistance of seasoned crypto-ransomware recovery professionals with the track record and commitment to reconstruct a breached network as urgently as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware penetration, paying the ransom in Bitcoin does not ensure that the cyber criminals will return the keys needed to decrypt any or all of your information. Kaspersky ascertained that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in further losses. The ransom itself is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNET determined to be approximately $13,000. The other path is to piece back together the essential parts of your IT environment. Without full information backups, this calls for a wide complement of skill sets, well-coordinated project management, and the capability to work continuously until the job is completed.
For two decades, Progent has offered expert IT services for businesses in Charlotte and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of expertise provides Progent the ability to rapidly understand critical systems and integrate the surviving pieces of your computer network system following a ransomware event and configure them into a functioning network.
Progent's ransomware team of experts utilizes powerful project management tools to coordinate the sophisticated recovery process. Progent knows the urgency of working swiftly and in unison with a customer's management and IT resources to prioritize tasks and to get the most important applications back on-line as fast as humanly possible.
Business Case Study: A Successful Ransomware Incident Recovery
A client escalated to Progent after their company was crippled by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored hackers, suspected of adopting techniques leaked from the United States NSA. Ryuk targets specific businesses with little or no room for operational disruption and is among the most profitable iterations of ransomware. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in the Chicago metro area with about 500 staff members. The Ryuk penetration had disabled all business operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the time of the attack and were destroyed. The client was actively seeking loans for paying the ransom demand (more than $200,000) and hoping for the best, but in the end called Progent.
"I can't thank you enough about the expertise Progent provided us during the most stressful period of (our) company's survival. We most likely would have paid the cybercriminals if not for the confidence the Progent experts gave us. The fact that you could get our e-mail system and essential applications back into operation sooner than one week was earth shattering. Each person I spoke to or communicated with at Progent was amazingly focused on getting us working again and was working all day and night to bail us out."
Progent worked with the client to quickly get our arms around and prioritize the mission critical elements that needed to be restored in order to restart company functions:
- Microsoft Active Directory
- Microsoft Exchange Server
To start, Progent followed industry best practices for malware incident mitigation by halting lateral movement and performing malware removal steps. Progent then began the steps of recovering Microsoft Active Directory, the key technology of enterprise environments built on Microsoft technology. Microsoft Exchange email will not operate without Active Directory, and the customer's accounting and MRP software leveraged SQL Server, which requires Active Directory services for access to the data.
Within 48 hours, Progent was able to recover Active Directory to its pre-intrusion state. Progent then initiated setup and storage recovery of needed systems. All Microsoft Exchange Server connections and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Off-Line Data Files) from staff desktop computers in order to recover mail data. A recent offline backup of the business's accounting/MRP systems made it possible to bring these essential services back online. Although significant work remained to recover fully from the Ryuk event, the most important services were recovered rapidly:
"For the most part, the manufacturing operation never missed a beat and we did not miss any customer orders."
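As an added example that is not part of Progent's case study or tooling, the PowerShell script below shows the kind of inventory a recovery team would run on each workstation before it is wiped and rebuilt: it finds every user's Outlook OST/PST files, checks whether each file still begins with the Outlook data-file signature (a file that has lost it was most likely overwritten by the encryptor), and writes the results to a collection share. The profile root C:\Users and the UNC collection path are assumptions to adjust for your environment.

```powershell
# Added example, not Progent's own tooling: inventory Outlook OST/PST files on a
# workstation so mail data can be collected before the machine is wiped and rebuilt.
# Assumptions: run with administrator rights on each workstation (locally or via an
# RMM agent), user profiles live under C:\Users, and $OutputCsv points at a
# collection share of your choosing (the UNC path below is a placeholder).
param(
    [string]$ProfileRoot = 'C:\Users',
    [string]$OutputCsv   = "\\COLLECTION-SERVER\ost-inventory\$env:COMPUTERNAME.csv"
)

# Outlook data files (both OST and PST) begin with the four-byte signature "!BDN".
$OutlookSignature = '!BDN'

function Get-FileHeader {
    # Return the first four bytes of a file as ASCII, opening it with shared access so
    # a running Outlook instance that still holds the OST open does not block the read.
    param([string]$Path)
    try {
        $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                        [System.IO.FileAccess]::Read,
                                        [System.IO.FileShare]::ReadWrite)
        try {
            $buffer = New-Object byte[] 4
            $read   = $stream.Read($buffer, 0, 4)
            if ($read -eq 4) { return [System.Text.Encoding]::ASCII.GetString($buffer) }
            return ''
        } finally {
            $stream.Dispose()
        }
    } catch {
        # Unreadable file (locked exclusively, permissions, I/O error): treat as unusable.
        return ''
    }
}

$inventory = foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory) {
    $outlookDir = Join-Path $profile.FullName 'AppData\Local\Microsoft\Outlook'
    if (-not (Test-Path -LiteralPath $outlookDir)) { continue }

    # Match .ost/.pst, including names that gained a second extension after the
    # attack (for example Mailbox.ost.<something>), which usually means the original
    # was overwritten rather than left intact.
    $files = Get-ChildItem -Path $outlookDir -File -Recurse -ErrorAction SilentlyContinue |
             Where-Object { $_.Name -match '\.(ost|pst)(\.|$)' }

    foreach ($file in $files) {
        $header = Get-FileHeader -Path $file.FullName
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            Profile      = $profile.Name
            Path         = $file.FullName
            SizeMB       = [math]::Round($file.Length / 1MB, 1)
            LastWrite    = $file.LastWriteTime
            HeaderIntact = ($header -eq $OutlookSignature)
        }
    }
}

$inventory | Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding UTF8

# Console summary: files whose header is intact are candidates for mail recovery;
# the rest were most likely encrypted or truncated and are not worth collecting.
$intact  = @($inventory | Where-Object { $_.HeaderIntact })
$damaged = @($inventory | Where-Object { -not $_.HeaderIntact })
$summary = '{0}: {1} usable Outlook data file(s), {2} damaged' -f $env:COMPUTERNAME, $intact.Count, $damaged.Count
Write-Output $summary
$intact | Format-Table Profile, SizeMB, LastWrite, Path -AutoSize
```

Run it once per workstation through the RMM platform, gather the per-machine CSV files from the collection share, and work through the intact files in order of most recent LastWrite and largest size, since those hold the mail that would otherwise be lost; copy them to isolated storage before the machine is re-imaged, because an intact OST on a still-infected host can be encrypted on the next pass.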
Over the next couple of weeks important milestones in the recovery process were achieved in close cooperation between Progent team members and the client:
- In-house web applications were restored without losing any information.
- The MailStore Server with over 4 million archived emails was restored to operations and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were completely restored.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Nearly all of the user workstations were operational.
"A huge amount of what went on that first week is nearly entirely a fog for me, but I will not forget the care all of the team accomplished to give us our company back. I have been working with Progent for the past 10 years, possibly more, and every time Progent has shined and delivered as promised. This event was a Herculean accomplishment."
A likely business catastrophe was averted through the efforts of top-tier professionals, a broad spectrum of technical expertise, and tight collaboration. Although in retrospect the ransomware virus incident described here would have been identified and prevented with current cyber security systems and security best practices, staff training, and properly executed incident response procedures for information protection and applying software patches, the fact remains that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and will continue. If you do fall victim to a ransomware attack, feel confident that Progent's team of experts has extensive experience in crypto-ransomware virus blocking, cleanup, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for making it so I could get rested after we made it past the most critical parts. Everyone did an incredible effort, and if anyone is visiting the Chicago area, dinner is my treat!"
To review or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Charlotte a range of remote monitoring and security evaluation services to help you to reduce your vulnerability to ransomware. These services incorporate modern artificial intelligence technology to uncover new variants of ransomware that can get past legacy signature-based anti-virus solutions.
For 24x7 Charlotte Ransomware Remediation Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection service that incorporates cutting edge behavior machine learning tools to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily get by legacy signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to manage the complete threat progression including protection, detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge technologies incorporated within a single agent managed from a single control. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP deployment that addresses your company's unique requirements and that allows you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent's consultants can also assist you to set up and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services offer small and mid-sized organizations a low cost end-to-end solution for secure backup/disaster recovery. Available at a fixed monthly price, ProSight DPS automates and monitors your backup processes and allows rapid restoration of critical files, apps and VMs that have become unavailable or corrupted due to hardware breakdowns, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or to both. Progent's cloud backup specialists can deliver advanced expertise to configure ProSight Data Protection Services to comply with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, whenever needed, can assist you to recover your business-critical information. Find out more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security companies to provide centralized management and comprehensive security for your email traffic. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to external threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper layer of analysis for incoming email. For outbound email, the local security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Microsoft Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map, track, enhance and debug their networking appliances like routers, firewalls, and load balancers plus servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept updated, captures and manages the configuration of almost all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating time-consuming management processes, ProSight WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, locating appliances that need critical updates, or resolving performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your network operating at peak levels by checking the state of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your specified IT staff and your Progent engineering consultant so that any potential issues can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's network support experts. With the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the system is virtualized, it can be ported immediately to a different hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect data about your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save as much as half of the time spent looking for critical information about your network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Learn more about ProSight IT Asset Management service.