Ransomware Protection and Cleanup Expertise Cambridge

Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware has become an escalating cyber pandemic that poses an extinction-level danger for businesses of all sizes unprepared for an assault. Different iterations of crypto-ransomware such as CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for a long time and still inflict damage. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with daily as yet unnamed viruses, not only encrypt online information but also infiltrate any configured system restores and backups. Information synched to cloud environments can also be ransomed. In a vulnerable data protection solution, this can make automated restore operations hopeless and basically sets the network back to square one.

Retrieving programs and information after a ransomware intrusion becomes a sprint against the clock as the targeted organization struggles to contain the damage and eradicate the ransomware and to resume mission-critical operations. Because crypto-ransomware takes time to spread, penetrations are frequently sprung on weekends and holidays, when attacks are likely to take longer to detect. This compounds the difficulty of promptly marshalling and orchestrating a qualified mitigation team.

Progent offers a range of solutions for protecting Cambridge businesses from ransomware penetrations. Among these are user training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security gateways with artificial intelligence technology to automatically discover and suppress zero-day cyber attacks. Progent in addition provides the services of expert ransomware recovery engineers with the skills and commitment to reconstruct a breached network as soon as possible.

Progent's Ransomware Restoration Services
After a ransomware event, sending the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will return the keys to decrypt any or all of your data. Kaspersky estimated that 17% of crypto-ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the usual crypto-ransomware demands, which ZDNET estimated to be around $13,000 for smaller businesses. The fallback is to piece back together the essential elements of your IT environment. Without the availability of essential system backups, this requires a broad range of skill sets, top notch project management, and the ability to work non-stop until the job is done.

For two decades, Progent has offered professional Information Technology services for companies throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have garnered internationally-recognized certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of expertise affords Progent the skills to efficiently determine important systems and re-organize the remaining parts of your network system following a crypto-ransomware event and assemble them into an operational network.

Progent's recovery group uses powerful project management applications to orchestrate the complex recovery process. Progent knows the importance of acting swiftly and in concert with a client's management and IT staff to assign priority to tasks and to put the most important applications back on line as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Attack Restoration
A small business sought out Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean government sponsored criminal gangs, suspected of adopting strategies exposed from the U.S. NSA organization. Ryuk seeks specific companies with little or no room for operational disruption and is among the most profitable instances of ransomware. Headline organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in the Chicago metro area and has about 500 employees. The Ryuk event had disabled all essential operations and manufacturing capabilities. The majority of the client's information backups had been online at the beginning of the attack and were damaged. The client was taking steps for paying the ransom demand (in excess of $200K) and praying for good luck, but in the end called Progent.

Progent worked together with the customer to quickly understand and prioritize the mission critical applications that needed to be restored to make it possible to continue business operations:

• Microsoft Active Directory
• E-Mail
• Accounting/MRP

Within 48 hours, Progent was able to re-build Active Directory services to its pre-penetration state. Progent then charged ahead with rebuilding and storage recovery on key servers. All Exchange Server ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to collect non-encrypted OST data files (Outlook Offline Data Files) on team desktop computers in order to recover mail messages. A not too old offline backup of the client's accounting/ERP software made them able to restore these vital programs back available to users. Although a large amount of work remained to recover fully from the Ryuk event, critical services were restored rapidly:

Throughout the following couple of weeks critical milestones in the restoration project were completed through close collaboration between Progent team members and the client:

• Internal web sites were returned to operation with no loss of information.
• The MailStore Microsoft Exchange Server with over four million archived emails was restored to operations and available for users.
• CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory capabilities were fully recovered.
• A new Palo Alto 850 firewall was set up.
• 90% of the user desktops and notebooks were fully operational.

Conclusion
A potential business-killing disaster was avoided with results-oriented professionals, a wide range of IT skills, and close teamwork. Although in hindsight the ransomware virus penetration detailed here could have been stopped with modern cyber security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well thought out incident response procedures for data protection and applying software patches, the fact is that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's team of experts has extensive experience in ransomware virus blocking, remediation, and information systems restoration.

Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Contact Progent for Ransomware Cleanup Services in Cambridge
For ransomware cleanup consulting in the Cambridge metro area, call Progent at 800-462-8800 or see Contact Progent.