Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become an all-too-frequent cyber pandemic and represents an existential danger for businesses unprepared for an attack. Older families such as Dharma, WannaCry, Locky, Syskey and MongoLock have been circulating for years and still cause havoc. Newer crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with many less-publicized strains, not only encrypt online data but also seek out and destroy the means of recovery: Volume Shadow Copies and system restore points are deleted, and any backup reachable from the compromised network is encrypted along with the production data. Files synchronized to the cloud can also end up encrypted, because the sync client faithfully uploads the encrypted versions. Where the data protection solution has not been isolated from the production network, this makes automatic restoration useless and effectively sets the datacenter back to square one.
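One concrete defensive check that follows from the behavior described above, added here as an example and not part of Progent's page or toolset: the commands that Ryuk-style ransomware issues to delete shadow copies and disable Windows recovery before encryption show up in process-creation logs (the CommandLine field of Windows Security event 4688 or Sysmon event 1), and a handful of regular expressions over that field will catch them. The event field names and the sample events below are constructed for this example; adjust them to your own log pipeline.

```python
"""Detect backup-destruction commands commonly run before ransomware encryption.

Added example, not code from the original page. It scans process-creation
records for commands that delete Volume Shadow Copies, disable Windows
recovery, or wipe the Windows Backup catalog. The field names (Computer,
User, CommandLine) and the sample events are constructed assumptions.
"""
import re

# Each rule: (label, compiled regex). Matching is case-insensitive because
# cmd.exe and ransomware batch scripts vary the casing freely.
RULES = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    # Shrinking shadow storage silently drops older shadow copies.
    ("vss_resize_storage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_shadowcopy_delete",
     re.compile(r"Win32_ShadowCopy\b.*\b(Delete|Remove-WmiObject)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
]


def classify(command_line):
    """Return the labels of every rule a single command line triggers."""
    return [label for label, rx in RULES if rx.search(command_line)]


def scan(events):
    """Return one alert dict per event whose CommandLine matches any rule."""
    alerts = []
    for ev in events:
        labels = classify(ev.get("CommandLine", ""))
        if labels:
            alerts.append({"host": ev["Computer"], "user": ev["User"],
                           "labels": labels, "cmd": ev["CommandLine"]})
    return alerts


def hosts_with_recovery_inhibition(events, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired.

    A lone 'vssadmin delete shadows' may be an administrator freeing disk
    space; several different recovery-inhibition commands on the same host
    in quick succession is the pre-encryption pattern to act on.
    """
    seen = {}
    for alert in scan(events):
        seen.setdefault(alert["host"], set()).update(alert["labels"])
    return sorted(h for h, labels in seen.items() if len(labels) >= min_rules)


# Constructed sample events: one benign backup job, one clean system
# process, and a burst of recovery-inhibition commands on workstation WS117.
SAMPLE_EVENTS = [
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "vssadmin.exe create shadow /for=D:"},
    {"Computer": "WS117", "User": "CORP\\jdoe",
     "CommandLine": "cmd.exe /c vssadmin Delete Shadows /all /quiet"},
    {"Computer": "WS117", "User": "CORP\\jdoe",
     "CommandLine": "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"},
    {"Computer": "WS117", "User": "CORP\\jdoe",
     "CommandLine": "powershell.exe -nop -c \"Get-WmiObject Win32_Shadowcopy | "
                    "ForEach-Object {$_.Delete()}\""},
    {"Computer": "WS117", "User": "CORP\\jdoe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Computer": "WS117", "User": "CORP\\jdoe",
     "CommandLine": "wbadmin DELETE CATALOG -quiet"},
    {"Computer": "DC01", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']} {alert['labels']}: {alert['cmd']}")
    print("hosts to isolate:", hosts_with_recovery_inhibition(SAMPLE_EVENTS))
```

The per-host threshold is the important design choice: backup products and administrators legitimately run some of these commands, so a single match is a lead, while a host that trips several distinct rules within minutes should be isolated from the network immediately, since encryption normally follows within the same session.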
Recovering applications and data after a crypto-ransomware event becomes a race against the clock as the targeted organization scrambles to contain the outbreak, eradicate the ransomware, and restore business-critical operations. Because ransomware needs time to spread across a target network, the encryption phase is usually launched at night or over a weekend, when a successful intrusion takes longer to notice and when it is hardest to rapidly assemble and organize a capable response team.
Progent provides an assortment of services for securing Atlanta enterprises against ransomware attacks. These include staff education to help users recognize phishing lures and avoid falling victim to them, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service built on SentinelOne's behavior-based threat protection, which can identify and disable zero-day malware attacks. Progent can also provide seasoned ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as rapidly as possible.
Progent's Ransomware Restoration Help
Following a ransomware intrusion, paying the ransom in cryptocurrency gives no assurance that the remote criminals will hand over the keys needed to decrypt any or all of your files. Kaspersky found that 17% of ransomware victims never recovered their files after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms commonly run to a few hundred thousand dollars, and for larger enterprises the demand can reach millions. The alternative is to rebuild the mission-critical components of your IT environment. Without complete, uncompromised backups, this calls for a broad range of skill sets, first-rate team management, and the capacity to work around the clock until the job is done.
For two decades, Progent has provided expert IT services to companies across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold high-level certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of expertise gives Progent the skills to rapidly identify the critical systems, salvage the remaining parts of your network environment following a ransomware intrusion, and rebuild them into an operational network.
Progent's recovery group uses powerful project management tools to coordinate the complicated restoration process. Progent knows the importance of acting swiftly and in concert with a customer's management and Information Technology team members to assign priority to tasks and to get critical systems back on line as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Recovery
A client contacted Progent after their organization was taken over by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware; later analysis tied its operators to a Russian-speaking criminal group, and its campaigns are suspected of using exploit techniques leaked from the US National Security Agency (NSA). Ryuk goes after specific businesses with little tolerance for operational disruption and is among the most lucrative incarnations of crypto-ransomware. Prominent victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had shut down all essential business and manufacturing operations. The majority of the client's backups had been online and reachable from the compromised network when the attack began, and were rendered unusable. The client was arranging financing to pay the ransom demand (more than two hundred thousand dollars) and hoping for the best, but in the end chose to engage Progent.
Progent worked hand in hand with the client to rapidly identify and prioritize the essential systems that had to be restored before business functions could resume:
Within two days, Progent restored Active Directory to its pre-intrusion state. Progent then assisted with rebuilding servers and recovering needed applications from their hard drives. All Exchange Server data and configuration information were intact, which greatly simplified the Exchange restore. Progent was also able to locate local OST files (Microsoft Outlook Offline Data Files) on staff workstations and laptops and recover mailbox contents from them. A recent offline backup of the customer's manufacturing software made it possible to bring those essential applications back online. Although major work remained to recover fully from the Ryuk event, the most important systems were restored rapidly:
Over the following month, the remaining critical milestones in the recovery process were completed through close collaboration between Progent consultants and the client:
Conclusion
A potential business-extinction disaster was averted through the efforts of dedicated experts, a wide array of knowledge, and close collaboration. In hindsight, the ransomware incident described here could have been identified and stopped by modern security technology and recognized best practices: educating users and IT administrators, maintaining isolated and tested backups, keeping systems current with security patches, and exercising incident response procedures. The reality, however, is that state-sponsored and criminal cyber gangs from Russia, China and elsewhere are relentless and will keep attacking. If you are hit by a crypto-ransomware incident, remember that Progent's team of professionals has a proven track record in ransomware blocking, cleanup, and file recovery.
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Expertise in Atlanta
For ransomware system recovery expertise in the Atlanta metro area, phone Progent at