Ransomware Defense and Restoration Services Lower Manhattan

Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that presents an extinction-level danger for businesses of all sizes vulnerable to an attack. Different iterations of ransomware such as Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for many years and continue to cause destruction. Newer variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, as well as additional as yet unnamed malware, not only do encryption of on-line information but also infect all available system protection. Information replicated to off-site disaster recovery sites can also be rendered useless. In a poorly architected environment, this can make any restore operations hopeless and basically knocks the network back to zero.

Restoring services and information following a ransomware event becomes a race against time as the victim struggles to contain and eradicate the virus and to resume business-critical operations. Because ransomware requires time to replicate, penetrations are usually launched during nights and weekends, when successful attacks may take longer to notice. This multiplies the difficulty of promptly marshalling and coordinating a qualified response team.

Progent makes available a variety of help services for securing Lower Manhattan enterprises from ransomware attacks. These include staff education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for endpoint detection and response utilizing SentinelOne's AI-based cyberthreat defense to discover and suppress zero-day malware assaults. Progent also offers the services of seasoned ransomware recovery consultants with the track record and commitment to re-deploy a compromised network as soon as possible.

Progent's Crypto-Ransomware Recovery Help
Subsequent to a crypto-ransomware penetration, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that distant criminals will return the keys to decipher all your data. Kaspersky Labs determined that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET determined to be in the range of $13,000 for small businesses. The fallback is to setup from scratch the mission-critical parts of your IT environment. Absent access to essential information backups, this requires a wide complement of skills, top notch project management, and the willingness to work continuously until the task is over.

For decades, Progent has offered certified expert IT services for businesses throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally-recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of expertise provides Progent the capability to knowledgably identify critical systems and organize the remaining parts of your IT environment following a ransomware attack and assemble them into a functioning system.

Progent's security team deploys state-of-the-art project management applications to coordinate the sophisticated restoration process. Progent appreciates the importance of acting swiftly and together with a customer's management and Information Technology staff to assign priority to tasks and to put essential systems back on-line as fast as possible.

Client Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A small business sought out Progent after their organization was crashed by the Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by Northern Korean state criminal gangs, suspected of using approaches exposed from the U.S. NSA organization. Ryuk attacks specific companies with limited room for disruption and is among the most lucrative examples of ransomware. Well Known victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in Chicago and has around 500 employees. The Ryuk attack had frozen all essential operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible at the beginning of the attack and were encrypted. The client was actively seeking loans for paying the ransom (in excess of $200,000) and praying for good luck, but ultimately engaged Progent.

Progent worked with the customer to rapidly determine and prioritize the mission critical systems that needed to be recovered to make it possible to resume business functions:

• Microsoft Active Directory
• Electronic Mail
• Financials/MRP

Within two days, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then assisted with setup and hard drive recovery of mission critical systems. All Microsoft Exchange Server data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to locate intact OST data files (Microsoft Outlook Offline Data Files) on team desktop computers to recover email data. A recent offline backup of the businesses accounting systems made them able to restore these required applications back on-line. Although a lot of work remained to recover fully from the Ryuk event, core services were returned to operations rapidly:

Throughout the next couple of weeks key milestones in the recovery project were completed in close cooperation between Progent engineers and the client:

• Internal web applications were returned to operation without losing any information.
• The MailStore Microsoft Exchange Server containing more than four million historical messages was restored to operations and available for users.
• CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control functions were completely recovered.
• A new Palo Alto 850 firewall was brought online.
• Ninety percent of the user PCs were fully operational.

Conclusion
A likely business disaster was dodged by top-tier professionals, a wide range of IT skills, and close teamwork. Although in retrospect the ransomware virus penetration described here should have been shut down with current security systems and security best practices, user and IT administrator education, and well thought out security procedures for data backup and applying software patches, the reality remains that state-sponsored hackers from Russia, China and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware attack, remember that Progent's team of experts has a proven track record in crypto-ransomware virus blocking, remediation, and information systems restoration.

Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Contact Progent for Ransomware Cleanup Consulting Services in Lower Manhattan
For ransomware recovery consulting services in the Lower Manhattan area, phone Progent at 800-462-8800 or visit Contact Progent.