Ransomware Prevention and Recovery Expertise Cambridge

Ransomware : Your Crippling Information Technology Nightmare
Crypto-Ransomware has become a too-frequent cyberplague that presents an extinction-level danger for businesses vulnerable to an attack. Multiple generations of crypto-ransomware like the CrySIS, Fusob, Locky, NotPetya and MongoLock cryptoworms have been running rampant for a long time and continue to cause havoc. More recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, plus additional as yet unnamed malware, not only perform encryption of on-line data files but also infect most accessible system backup. Data synched to cloud environments can also be encrypted. In a poorly architected environment, this can render automatic recovery useless and basically knocks the network back to square one.

Retrieving programs and data after a ransomware intrusion becomes a race against time as the victim struggles to stop the spread, cleanup the ransomware, and resume business-critical operations. Due to the fact that crypto-ransomware requires time to move laterally throughout a network, attacks are usually launched on weekends and holidays, when penetrations typically take more time to uncover. This multiplies the difficulty of quickly assembling and orchestrating a qualified mitigation team.

Progent has a range of services for securing Cambridge enterprises from ransomware attacks. These include team member education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for endpoint detection and response (EDR) using SentinelOne's behavior-based threat defense to discover and quarantine zero-day modern malware attacks. Progent in addition can provide the services of seasoned crypto-ransomware recovery consultants with the skills and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Restoration Services
Following a crypto-ransomware invasion, sending the ransom demands in cryptocurrency does not ensure that distant criminals will provide the needed keys to decrypt any or all of your data. Kaspersky ascertained that seventeen percent of ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms are typically several hundred thousand dollars. For larger enterprises, the ransom demand can be in the millions. The alternative is to setup from scratch the key components of your IT environment. Without access to essential data backups, this calls for a broad complement of skills, professional project management, and the ability to work non-stop until the job is complete.

For two decades, Progent has offered expert Information Technology services for businesses throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded advanced industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent in addition has experience with financial systems and ERP software solutions. This breadth of expertise affords Progent the capability to efficiently determine critical systems and re-organize the surviving components of your Information Technology environment after a crypto-ransomware attack and rebuild them into a functioning system.

Progent's recovery team deploys top notch project management applications to coordinate the complex restoration process. Progent knows the urgency of acting quickly and in concert with a client's management and Information Technology team members to prioritize tasks and to get critical applications back on line as soon as possible.

Client Case Study: A Successful Ransomware Virus Response
A small business hired Progent after their company was crashed by Ryuk ransomware. Ryuk is thought to have been created by North Korean state hackers, possibly using techniques leaked from the United States NSA organization. Ryuk goes after specific businesses with little or no tolerance for operational disruption and is one of the most lucrative instances of ransomware. Major organizations include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with about 500 staff members. The Ryuk intrusion had brought down all essential operations and manufacturing processes. Most of the client's system backups had been directly accessible at the beginning of the intrusion and were damaged. The client was taking steps for paying the ransom (exceeding $200K) and wishfully thinking for good luck, but in the end brought in Progent.

Progent worked hand in hand the customer to quickly get our arms around and prioritize the key elements that had to be addressed to make it possible to continue business operations:

• Active Directory
• Exchange Server
• Financials/MRP

In less than two days, Progent was able to re-build Active Directory to its pre-attack state. Progent then charged ahead with rebuilding and hard drive recovery on essential servers. All Exchange Server ties and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to find local OST data files (Outlook Off-Line Folder Files) on team workstations and laptops in order to recover mail information. A not too old off-line backup of the client's manufacturing systems made them able to return these required programs back on-line. Although a lot of work needed to be completed to recover totally from the Ryuk damage, essential systems were returned to operations quickly:

During the following couple of weeks important milestones in the restoration process were achieved through close cooperation between Progent team members and the customer:

• Self-hosted web applications were returned to operation with no loss of data.
• The MailStore Server exceeding four million historical messages was brought online and accessible to users.
• CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory capabilities were fully operational.
• A new Palo Alto Networks 850 security appliance was installed.
• Ninety percent of the desktop computers were operational.

Conclusion
A probable business-killing disaster was evaded due to top-tier professionals, a broad array of subject matter expertise, and tight teamwork. Although in analyzing the event afterwards the ransomware incident described here should have been blocked with current security solutions and NIST Cybersecurity Framework best practices, user education, and well designed security procedures for information backup and keeping systems up to date with security patches, the reality remains that government-sponsored hackers from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of experts has a proven track record in crypto-ransomware virus defense, removal, and file recovery.

Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Contact Progent for Ransomware System Restoration Consulting in Cambridge
For ransomware recovery services in the Cambridge metro area, phone Progent at 800-462-8800 or go to Contact Progent.