Ransomware : Your Feared Information Technology Disaster
Ransomware Recovery Professionals

Crypto-ransomware has become an escalating cyberplague that represents an enterprise-level danger for businesses unprepared for an attack. Ransomware families like the Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for a long time and continue to cause damage. Newer strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, as well as daily unnamed newcomers, not only encrypt on-line information but also infiltrate many configured system backups. Data replicated to cloud environments can also be rendered useless. In a vulnerable system, this can make any restore operation impossible and effectively knocks the entire system back to zero.

Restoring services and data after a ransomware intrusion becomes a sprint against the clock as the victim struggles to stop the spread, clear the ransomware, and restore mission-critical activity. Because ransomware needs time to move laterally throughout a targeted network, attacks are usually launched during nights and weekends, when a successful penetration tends to go unnoticed for longer. This compounds the difficulty of quickly mobilizing and organizing a capable mitigation team.

Progent makes available an assortment of solutions for securing Louisville organizations from ransomware attacks. Among these are team member education to help identify and avoid phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's AI-based cyberthreat defense to identify and disable zero-day modern malware attacks. Progent can also provide the services of veteran ransomware recovery professionals with the talent and commitment to re-deploy a compromised system as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware invasion, paying the ransom in cryptocurrency does not provide any assurance that the attackers will respond with the keys to decrypt any of your information. Kaspersky Labs determined that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in increased losses. The ransom itself is also costly. Ryuk ransoms are typically several hundred thousand dollars. For larger enterprises, the ransom demand can reach millions of dollars. The other path is to set up from scratch the essential components of your Information Technology environment. Without access to complete system backups, this requires a broad complement of skills, top-notch project management, and the ability to work continuously until the task is finished.

For twenty years, Progent has made available professional Information Technology services for businesses throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the capability to efficiently understand the necessary systems, re-organize the surviving parts of your IT system after a ransomware penetration, and rebuild them into a functioning environment.

Progent's recovery team of experts deploys best of breed project management tools to coordinate the complex recovery process. Progent appreciates the urgency of working quickly and in concert with a client's management and IT team members to assign priority to tasks and to put the most important systems back online as soon as possible.

Customer Case Study: A Successful Ransomware Virus Recovery
A customer hired Progent after their organization was crashed by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored hackers, possibly adopting algorithms leaked from America's NSA. Ryuk targets specific businesses with limited ability to sustain operational disruption and is one of the most lucrative examples of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago with about 500 workers. The Ryuk attack had brought down all company operations and manufacturing capabilities. The majority of the client's data backups had been on-line at the start of the intrusion and were destroyed. The client considered paying the ransom demand (exceeding $200,000) and hoping for the best, but in the end brought in Progent.


"I cannot thank you enough for the support Progent gave us during the most stressful time of (our) company's existence. We most likely would have paid the hackers except for the confidence the Progent experts gave us. The fact that you could get our e-mail and critical servers back into operation in less than one week was amazing. Every single expert I interacted with or communicated with at Progent was amazingly focused on getting our company operational and was working 24/7 on our behalf."

Progent worked hand in hand with the customer to quickly identify and prioritize the key services that needed to be recovered in order to restart business functions:

  • Windows Active Directory
  • E-Mail
  • Accounting/MRP

To start, Progent followed industry best practices for malware incident response by stopping the spread and cleaning infected systems. Progent then started the process of rebuilding Microsoft Active Directory (AD), the heart of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without AD, and the customer's accounting and MRP system relied on SQL Server, which depends on Windows AD for authentication.

In less than two days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then completed setup and hard drive recovery on the required systems. All Microsoft Exchange Server ties and configuration information were intact, which facilitated the restoration of Exchange. Progent was able to locate non-encrypted OST files (Outlook Off-Line Data Files) on user PCs and laptops to recover email information. A fairly recent offline backup of the customer's financials/ERP software made it possible to bring these essential applications back into service for users. Although a large amount of work remained to recover completely from the Ryuk event, essential services were returned to operation quickly:


"For the most part, the assembly line operation survived unscathed and we made all customer orders."

During the next month key milestones in the restoration project were completed through tight cooperation between Progent engineers and the customer:

  • Self-hosted web applications were returned to operation with no loss of information.
  • The MailStore Microsoft Exchange Server with over four million historical messages was restored to operations and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • 90% of the user desktops and notebooks were back in use by staff.

"So much of what occurred that first week is nearly entirely a haze for me, but our team will not forget the care each member of the team showed to help get our company back. I have entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A potential business-ending catastrophe was dodged by dedicated experts, a wide range of technical expertise, and close teamwork. In hindsight, the crypto-ransomware incident described here could have been prevented with advanced security systems and best practices, staff education, well-designed procedures for information backup, and keeping systems up to date with security patches. The fact remains, however, that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue their attacks. If you do fall victim to a ransomware attack, remember that Progent's roster of experts has a proven track record in ransomware blocking, remediation, and data disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for letting me get rested after we made it past the initial push. Everyone did an amazing job, and if anyone is in the Chicago area, a great meal is the least I can do!"

Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Contact Progent for Ransomware Cleanup Services in Louisville
For ransomware system restoration expertise in the Louisville area, call Progent at 800-462-8800 or go to Contact Progent.


© 2002-2025 Progent Corporation. All rights reserved.