Ransomware: Your Worst Information Technology Nightmare
Ransomware has become an escalating cyber pandemic that poses an existential danger to businesses unprepared for an attack. Ransomware families such as CryptoLocker, CryptoWall, Locky, NotPetya and the MongoLock cryptoworm have been running rampant for many years and still cause destruction. Recent variants such as Ryuk and Hermes, along with other unnamed malware, not only encrypt online information but also compromise any system protection they can reach, including accessible backups. Files replicated to cloud environments can also be ransomed. With a poorly designed data protection solution, this can make recovery hopeless and effectively sets the datacenter back to zero.
Getting applications and data back online after a crypto-ransomware attack becomes a sprint against time as the targeted business fights to stop the spread, remove the ransomware and resume business-critical operations. Because ransomware needs time to replicate, attacks are frequently launched at night, when a successful attack may take longer to notice. This multiplies the difficulty of rapidly assembling and organizing a capable response team.
Progent provides a range of services for securing businesses from ransomware attacks. These include training to help team members recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security gateways with AI technology to quickly detect and disable new threats. Progent also provides veteran ransomware recovery engineers with the skills and commitment to re-deploy a breached environment as soon as possible.
Progent's Ransomware Restoration Services
After a ransomware penetration, paying the ransom in Bitcoin does not guarantee that the remote criminals will provide the keys needed to decrypt any or all of your data. Kaspersky determined that 17% of crypto-ransomware victims never recovered their information even after paying the ransom, compounding their losses. The gamble is also costly: Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000), significantly above the typical ransomware demand, which ZDNET estimates to average around $13,000. The alternative is to rebuild the essential elements of your Information Technology environment from scratch. Without access to full data backups, this calls for a wide range of skills, well-coordinated team management, and the willingness to work 24x7 until the recovery project is done.
For decades, Progent has offered certified expert Information Technology services for businesses in Ottawa and throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold top industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP application software. This breadth of expertise allows Progent to rapidly understand important systems, consolidate the surviving pieces of your Information Technology environment after a ransomware penetration, and rebuild them into an operational network.
Progent's security group uses top-notch project management applications to coordinate the complex recovery process. Progent understands the urgency of working quickly and in unison with a client's management and IT team to prioritize tasks and to put critical systems back online as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Virus Recovery
A client engaged Progent after their company was brought down by the Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean government-sponsored cybercriminals, possibly adopting techniques leaked from the United States NSA. Ryuk attacks specific businesses with little or no tolerance for operational disruption and is among the most lucrative examples of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in Chicago with around 500 workers. The Ryuk penetration had frozen all business operations and manufacturing capabilities. Most of the client's system backups had been directly accessible at the start of the intrusion and were encrypted. The client was pursuing financing to pay the ransom demand (more than $200K) and hoping for good luck, but ultimately engaged Progent.
"I cannot speak enough with regard to the support Progent provided us during the most fearful period of (our) business's survival. We had little choice but to pay the cybercriminals except for the confidence the Progent group gave us. That you were able to get our e-mail and key applications back into operation in less than a week was incredible. Each consultant I talked with or e-mailed at Progent was totally committed to getting us operational and was working 24/7 to bail us out."
Progent worked with the client to quickly identify and prioritize the essential services that had to be recovered to make it possible to continue company functions:
- Active Directory (AD)
- Microsoft Exchange
To begin, Progent followed industry best practices for malware incident mitigation by halting lateral movement and cleaning systems of malware. Progent then started the work of bringing Active Directory back online, since it is the core technology of enterprise environments built on Microsoft Windows Server. Exchange messaging will not operate without Active Directory, and the client's MRP software used Microsoft SQL Server, which requires Active Directory for access to its databases.
In less than 48 hours, Progent was able to restore Active Directory to its pre-attack state. Progent then assisted with reinstallations and storage recovery for the needed applications. All Exchange schema and attributes were usable, which greatly helped the restore of Exchange. Progent was also able to collect local OST files (Outlook Offline Folder files) from team desktop computers in order to recover mail data. A reasonably recent offline backup of the client's accounting/MRP software made it possible to bring these required services back online. Although a large amount of work still had to be done to recover fully from the Ryuk event, critical systems were recovered quickly:
"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer sales."
Throughout the following month key milestones in the restoration process were completed in tight collaboration between Progent engineers and the client:
- In-house web applications were restored with no loss of information.
- The MailStore Server, holding more than four million archived messages, was brought online and made available to users.
- CRM/Orders/Invoices/AP/AR/Inventory Control functions were 100% functional.
- A new Palo Alto Networks 850 security appliance was installed.
- Ninety percent of the user desktops and notebooks were back into operation.
"A huge amount of what was accomplished that first week is nearly entirely a haze for me, but we will not soon forget the dedication each of you showed to help get our business back. I've utilized Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered. This event was no exception but maybe more Herculean."
A likely business extinction catastrophe was avoided thanks to top-tier professionals, a wide spectrum of subject matter expertise, and tight collaboration. In retrospect, the ransomware penetration described here could have been identified and prevented with up-to-date cyber security technology, ISO/IEC 27001 best practices, user education, and properly executed procedures for backup and for keeping systems current with security patches. The reality remains, however, that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware penetration, feel confident that Progent's team of professionals has proven experience in crypto-ransomware blocking, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for allowing me to get rested after we made it through the initial push. Everyone made an impressive effort, and if any of your team is around the Chicago area, dinner is the least I can do!"
To read or download a PDF version of this customer story, see Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Ottawa a range of online monitoring and security evaluation services designed to help you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation AI capability to uncover zero-day variants of ransomware that are able to get past traditional signature-based anti-virus products.
For 24-Hour Ottawa Ransomware Removal Help, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates cutting edge behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely escape traditional signature-based anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to automate the complete threat lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device management, and web filtering through cutting-edge technologies incorporated within one agent managed from a single console. Progent's security and virtualization experts can assist your business to design and configure a ProSight ESP environment that meets your company's specific needs and that allows you to prove compliance with legal and industry data security regulations. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate action. Progent can also help your company to set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations a low-cost end-to-end solution for reliable backup and disaster recovery. For a low monthly cost, ProSight Data Protection Services automates your backup activities and enables rapid restoration of critical files, apps and VMs that have become lost or corrupted due to component breakdowns, software bugs, disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to a local device, or mirrored to both. Progent's cloud backup specialists can provide world-class expertise to set up ProSight DPS to comply with regulatory standards like HIPAA, FINRA, and PCI and, when necessary, can help you to restore your critical information. Read more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security vendors to deliver web-based control and comprehensive security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most threats before they reach your network firewall. This decreases your exposure to external attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway device adds a further layer of analysis for incoming email. For outgoing email, the local security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server to track and protect internal email traffic that stays inside your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map, track, reconfigure and debug their networking appliances like routers and switches, firewalls, and access points as well as servers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating complex network management processes, WAN Watch can knock hours off ordinary chores like making network diagrams, reconfiguring your network, finding appliances that require critical updates, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to keep your network operating efficiently by checking the state of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT staff and your assigned Progent consultant so all looming problems can be addressed before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported easily to a different hardware solution without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect information about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned about impending expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can save up to half of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.