Overview of Progent's Ransomware Forensics and Reporting
Progent's ransomware forensics experts can capture the evidence of a ransomware attack and carry out a comprehensive forensics investigation without interfering with the processes required for operational continuity and data restoration. You can utilize Progent's post-attack ransomware forensics report to counter future ransomware assaults, assist in the recovery of encrypted data, and comply with insurance and governmental reporting requirements.
Ransomware forensics involves tracking and describing the ransomware attack's progress throughout the network from beginning to end. This history of how a ransomware assault moved through the network helps your IT staff assess the damage and highlights shortcomings in security policies or work habits that should be corrected to avoid future breaches. Forensic analysis is usually given a high priority by the cyber insurance carrier and is often mandated by state and industry regulations. Since forensic analysis can be time consuming, it is essential that other important recovery processes like business resumption are executed in parallel. Progent has a large roster of IT and data security professionals with the knowledge and experience needed to carry out the work of containment, operational continuity, and data recovery without interfering with forensic analysis.
Ransomware forensics is complex and requires close cooperation with the groups focused on data restoration and, if needed, settlement negotiation with the ransomware adversary. Forensics can involve the examination of logs, the registry, Group Policy Objects, Active Directory (AD), DNS, routers, firewalls, scheduled tasks, and core Windows system components to look for unexpected changes.
Activities involved with forensics investigation include:
- Isolate all potentially compromised devices from the network without powering them off, since shutting a machine down destroys volatile evidence such as memory contents. This may involve closing RDP ports and Internet-facing NAS shares, changing admin credentials and user passwords, and configuring two-factor authentication to protect backups.
- Capture forensically sound images of all exposed devices so the file restoration team can get started without disturbing the evidence
- Save firewall, VPN, and other critical logs as soon as feasible
- Determine the kind of ransomware involved in the assault
- Survey each computer and data store on the system including cloud-hosted storage for indications of encryption
- Catalog all encrypted devices
- Review logs and user sessions to establish the time frame of the ransomware assault and to spot any lateral movement from the first infected machine
- Identify the attack vectors exploited to carry out the ransomware attack
- Look for the creation of executables associated with the first encrypted files or system compromise
- Parse Outlook PST files
- Examine email attachments
- Extract URLs from messages and check whether they lead to malware
- Provide comprehensive attack documentation to satisfy your insurance carrier and compliance mandates
- Recommend measures to close cybersecurity gaps and enforce processes that lower the exposure to a future ransomware breach
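Several of the activities above (surveying data stores for indications of encryption, cataloging what was encrypted, and bracketing the time frame of the attack) can be partly automated. The script below is an added example written for this page; it is not Progent's tooling. It walks a directory tree, flags files whose content is high-entropy (encrypted data is statistically indistinguishable from random bytes) while skipping formats that are compressed by design, flags ransom-note style filenames, and reports the earliest and latest modification times among the encrypted files as a first cut at the encryption window. The thresholds, the note-name pattern and the sample files are constructed assumptions for illustration.

```python
"""Survey a file tree for indicators of ransomware encryption.

Added example (not Progent's own tooling). Run against a mounted forensic
image or a file share copy, never against the live originals.
"""
import math
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Illustrative assumptions, not a vendor-maintained signature set:
NOTE_NAME_RE = re.compile(
    r"(how[_ -]?to[_ -]?(decrypt|restore)|recover[_ -]?(my[_ -]?)?files|decrypt)"
    r".*\.(txt|html|hta)$", re.IGNORECASE)
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext approaches 8.0
MIN_SIZE = 64             # entropy of very small files is not meaningful
# Formats that are compressed or encrypted by design, so high entropy is normal.
BENIGN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".pdf", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Finding:
    path: str
    kind: str        # "encrypted-content" or "ransom-note"
    entropy: float
    mtime: float     # used to bracket the time frame of the encryption run


def survey(root: Path, sample_bytes: int = 65536) -> List[Finding]:
    """Walk a tree and flag likely ransom notes and encrypted files."""
    findings: List[Finding] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                st = p.stat()
                with open(p, "rb") as fh:
                    head = fh.read(sample_bytes)   # sampling keeps large volumes tractable
            except OSError:
                continue                           # unreadable file: skip, do not abort the survey
            ent = shannon_entropy(head)
            if NOTE_NAME_RE.search(name):
                findings.append(Finding(str(p), "ransom-note", ent, st.st_mtime))
            elif (st.st_size >= MIN_SIZE and ent >= ENTROPY_THRESHOLD
                  and p.suffix.lower() not in BENIGN_HIGH_ENTROPY):
                findings.append(Finding(str(p), "encrypted-content", ent, st.st_mtime))
    return sorted(findings, key=lambda f: f.mtime)


def inventory(findings: List[Finding]) -> Dict[str, str]:
    """Catalog of affected files: file name -> finding kind."""
    return {Path(f.path).name: f.kind for f in findings}


def time_window(findings: List[Finding]) -> Optional[Tuple[float, float]]:
    """Earliest and latest mtime among encrypted files (first and last write of the run)."""
    times = [f.mtime for f in findings if f.kind == "encrypted-content"]
    return (min(times), max(times)) if times else None


def build_demo_tree() -> Path:
    """Constructed sample data (not from a real incident): a plain document,
    an image that is legitimately high-entropy, an 'encrypted' spreadsheet
    with an appended extension, and a ransom note."""
    root = Path(tempfile.mkdtemp(prefix="rw_survey_"))
    (root / "quarterly_report.docx").write_bytes(b"Quarterly results: revenue up 4%.\n" * 40)
    (root / "logo.png").write_bytes(os.urandom(4096))
    (root / "budget.xlsx.locked").write_bytes(os.urandom(4096))
    (root / "HOW_TO_DECRYPT_FILES.txt").write_text("Your files are encrypted ...\n")
    return root


def run_demo() -> List[Finding]:
    """Survey the constructed tree and print the catalog."""
    findings = survey(build_demo_tree())
    for f in findings:
        print(f"{f.kind:18} entropy={f.entropy:.2f}  {f.path}")
    return findings


if __name__ == "__main__":
    run_demo()
```

Entropy alone is a triage signal, not proof: an encrypted file with a doubled extension plus a note in the same directory is a strong indicator, a lone high-entropy file is not. Modification times come from the file system and can be altered, so the window should be cross-checked against the firewall, VPN and Windows event logs preserved earlier in the list.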
Progent's Qualifications
Progent has delivered remote and onsite IT services throughout the United States for more than 20 years and has been awarded Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of SMEs includes consultants who have been awarded high-level certifications in core technologies including Cisco networking, VMware, and popular Linux distros. Progent's data security experts have earned internationally recognized certifications such as CISA, CISSP, CRISC, and CMMC 2.0. (Refer to Progent's certifications). Progent also offers expertise in financial management and Enterprise Resource Planning applications. This scope of expertise allows Progent to identify the undamaged pieces of your information system after a ransomware intrusion and quickly reassemble them into a viable system. Progent has collaborated with top cyber insurance carriers including Chubb to help organizations recover from ransomware attacks.
Contact Progent about Progent's Ransomware Forensics Services
To find out more about ways Progent can help you with ransomware forensics, call 1-800-462-8800 or see Contact Progent.