Ransomware Defense and Cleanup Expertise Lower Manhattan

Ransomware : Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that poses an enterprise-level threat for businesses poorly prepared for an assault. Multiple generations of ransomware such as Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been around for a long time and still cause havoc. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with frequent unnamed newcomers, not only do encryption of on-line information but also infect all configured system protection. Files synched to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can render automated restoration impossible and basically sets the network back to zero.

Getting back online programs and information following a ransomware attack becomes a sprint against the clock as the victim tries its best to contain and remove the ransomware and to restore business-critical operations. Due to the fact that ransomware requires time to spread, attacks are often sprung at night, when successful attacks may take longer to detect. This multiplies the difficulty of quickly assembling and organizing an experienced mitigation team.

Progent provides a variety of solutions for securing Lower Manhattan enterprises from ransomware events. These include user education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR) utilizing SentinelOne's AI-based threat defense to detect and suppress zero-day modern malware attacks. Progent in addition provides the services of experienced crypto-ransomware recovery professionals with the track record and perseverance to rebuild a breached network as quickly as possible.

Progent's Ransomware Restoration Services
Soon after a crypto-ransomware event, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that criminal gangs will provide the codes to decrypt any or all of your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the average ransomware demands, which ZDNET determined to be in the range of $13,000 for small organizations. The alternative is to re-install the essential components of your Information Technology environment. Absent the availability of essential data backups, this requires a broad range of skills, top notch team management, and the willingness to work 24x7 until the job is complete.

For two decades, Progent has provided expert IT services for companies throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have been awarded top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with accounting and ERP applications. This breadth of experience gives Progent the capability to rapidly ascertain necessary systems and re-organize the remaining pieces of your network environment after a ransomware attack and rebuild them into a functioning network.

Progent's recovery team of experts deploys powerful project management applications to coordinate the complex restoration process. Progent knows the importance of working swiftly and together with a customer's management and IT staff to assign priority to tasks and to put the most important applications back on line as soon as humanly possible.

Customer Case Study: A Successful Ransomware Penetration Recovery
A client escalated to Progent after their organization was attacked by Ryuk ransomware. Ryuk is generally considered to have been launched by Northern Korean government sponsored hackers, suspected of adopting strategies leaked from the United States National Security Agency. Ryuk targets specific businesses with little tolerance for disruption and is one of the most profitable iterations of crypto-ransomware. Major targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in the Chicago metro area and has around 500 employees. The Ryuk attack had paralyzed all essential operations and manufacturing capabilities. Most of the client's information backups had been online at the beginning of the attack and were damaged. The client was taking steps for paying the ransom demand (more than two hundred thousand dollars) and wishfully thinking for the best, but ultimately brought in Progent.

Progent worked hand in hand the customer to quickly determine and assign priority to the mission critical systems that needed to be restored in order to restart departmental operations:

• Active Directory (AD)
• E-Mail
• MRP System

Within two days, Progent was able to restore Active Directory services to its pre-attack state. Progent then initiated rebuilding and storage recovery on the most important servers. All Microsoft Exchange Server ties and attributes were intact, which facilitated the restore of Exchange. Progent was able to collect non-encrypted OST data files (Outlook Off-Line Folder Files) on user desktop computers to recover email messages. A not too old offline backup of the businesses manufacturing software made them able to restore these essential programs back servicing users. Although a large amount of work still had to be done to recover fully from the Ryuk virus, critical services were recovered rapidly:

Over the following couple of weeks important milestones in the recovery process were made through tight cooperation between Progent consultants and the customer:

• In-house web applications were brought back up without losing any information.
• The MailStore Exchange Server with over four million historical emails was brought online and accessible to users.
• CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were completely restored.
• A new Palo Alto Networks 850 security appliance was installed.
• Most of the user workstations were functioning as before the incident.

Conclusion
A potential company-ending disaster was evaded through the efforts of dedicated professionals, a wide range of subject matter expertise, and close collaboration. Although in hindsight the ransomware attack described here could have been identified and disabled with modern cyber security technology and NIST Cybersecurity Framework best practices, staff training, and well designed incident response procedures for data protection and applying software patches, the reality remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's roster of experts has a proven track record in crypto-ransomware virus defense, cleanup, and file disaster recovery.

Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Contact Progent for Ransomware Cleanup Consulting Services in Lower Manhattan
For ransomware recovery consulting services in the Lower Manhattan metro area, call Progent at 800-462-8800 or see Contact Progent.