Ransomware Filtering and Remediation Solutions Cambridge

Ransomware : Your Feared IT Nightmare
Crypto-Ransomware has become a too-frequent cyberplague that poses an existential threat for businesses of all sizes unprepared for an attack. Multiple generations of ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for a long time and still inflict havoc. Modern versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, plus frequent unnamed newcomers, not only encrypt online data but also infect any configured system protection. Data synchronized to off-premises disaster recovery sites can also be corrupted. In a poorly designed system, this can make any restore operations useless and basically knocks the network back to square one.

Getting back services and information following a crypto-ransomware attack becomes a sprint against the clock as the victim fights to contain the damage, clear the ransomware, and restore mission-critical operations. Because ransomware requires time to replicate throughout a network, assaults are often sprung on weekends and holidays, when penetrations in many cases take longer to uncover. This compounds the difficulty of rapidly mobilizing and orchestrating a qualified mitigation team.

Progent provides a variety of support services for protecting Cambridge enterprises from ransomware attacks. Among these are user education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for endpoint detection and response (EDR) utilizing SentinelOne's behavior-based threat defense to discover and quarantine day-zero malware assaults. Progent in addition can provide the services of seasoned ransomware recovery professionals with the track record and commitment to re-deploy a compromised environment as urgently as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware attack, sending the ransom demands in cryptocurrency does not provide any assurance that cyber criminals will respond with the needed keys to unencrypt any or all of your data. Kaspersky ascertained that seventeen percent of ransomware victims never recovered their files even after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms are commonly a few hundred thousand dollars. For larger organizations, the ransom demand can reach millions. The alternative is to piece back together the mission-critical parts of your Information Technology environment. Without access to complete information backups, this requires a wide complement of skill sets, professional team management, and the willingness to work continuously until the job is done.

For decades, Progent has offered expert Information Technology services for businesses throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of expertise provides Progent the capability to knowledgably determine important systems and consolidate the remaining components of your computer network environment following a ransomware attack and rebuild them into an operational network.

Progent's recovery team deploys powerful project management systems to orchestrate the complex restoration process. Progent knows the urgency of working quickly and in concert with a client's management and Information Technology staff to assign priority to tasks and to get key applications back online as soon as possible.

Customer Case Study: A Successful Ransomware Virus Response
A business contacted Progent after their company was penetrated by the Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state sponsored cybercriminals, suspected of adopting strategies leaked from the United States NSA organization. Ryuk attacks specific organizations with little room for disruption and is one of the most profitable iterations of crypto-ransomware. High publicized targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer located in Chicago with around 500 workers. The Ryuk penetration had disabled all essential operations and manufacturing processes. Most of the client's backups had been on-line at the time of the attack and were eventually encrypted. The client was actively seeking loans for paying the ransom demand (in excess of $200,000) and hoping for good luck, but ultimately made the decision to use Progent.

Progent worked with the customer to rapidly determine and prioritize the mission critical areas that had to be addressed to make it possible to continue company functions:

• Active Directory (AD)
• Microsoft Exchange Server
• Accounting/MRP

Within 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then assisted with rebuilding and hard drive recovery of mission critical applications. All Microsoft Exchange Server data and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to locate local OST files (Outlook Offline Folder Files) on team PCs in order to recover email information. A not too old offline backup of the customer's financials/ERP systems made them able to return these required services back online for users. Although a lot of work remained to recover fully from the Ryuk virus, core systems were returned to operations rapidly:

During the next couple of weeks critical milestones in the restoration project were made in tight collaboration between Progent consultants and the client:

• Internal web sites were restored with no loss of data.
• The MailStore Exchange Server with over four million archived messages was brought online and available for users.
• CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control functions were 100% recovered.
• A new Palo Alto Networks 850 security appliance was installed.
• Ninety percent of the user desktops were fully operational.

Conclusion
A likely business extinction catastrophe was evaded through the efforts of dedicated experts, a broad spectrum of technical expertise, and close teamwork. Although upon completion of forensics the ransomware virus attack described here should have been identified and disabled with up-to-date cyber security systems and security best practices, staff training, and properly executed security procedures for data protection and applying software patches, the reality is that government-sponsored hackers from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has extensive experience in crypto-ransomware virus defense, mitigation, and file restoration.

Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Contact Progent for Ransomware Recovery Consulting Services in Cambridge
For ransomware recovery consulting services in the Cambridge area, call Progent at 800-462-8800 or go to Contact Progent.