Overview of Progent's Ransomware Forensics Analysis and Reporting in Ontario
Progent's ransomware forensics consultants can capture the system state after a ransomware assault and carry out a comprehensive forensics investigation without interfering with activity required for operational resumption and data restoration. Your Ontario organization can use Progent's post-attack ransomware forensics documentation to combat future ransomware attacks, validate the restoration of encrypted data, and comply with insurance and governmental mandates.
Ransomware forensics is aimed at determining and documenting the ransomware attack's progress throughout the network from beginning to end. This audit trail of how a ransomware assault travelled through the network helps you to assess the damage and uncovers weaknesses in security policies or processes that should be rectified to avoid future breaches. Forensics is typically assigned a high priority by the cyber insurance carrier and is typically required by state and industry regulations. Since forensics can be time consuming, it is essential that other key activities like business resumption are pursued concurrently. Progent maintains an extensive roster of IT and cybersecurity professionals with the skills required to carry out the work of containment, business resumption, and data recovery without disrupting forensic analysis.
Ransomware forensics investigation is complex and requires close cooperation with the teams focused on file recovery and, if needed, settlement negotiation with the ransomware Threat Actor (TA). Forensics can involve the review of all logs, the registry, Group Policy Objects (GPOs), Active Directory, DNS servers, routers, firewalls, scheduled tasks, and base Windows systems to detect changes.
Activities associated with forensics investigation include:
- Disconnect all potentially compromised devices from the network, but avoid powering them off so that volatile evidence is preserved. This may involve closing all Remote Desktop Protocol (RDP) ports and Internet-facing NAS storage, changing admin credentials and user passwords, and implementing 2FA to guard your backups.
- Create forensically complete images of all suspect devices so the file recovery group can get started
- Preserve firewall, VPN, and other critical logs as quickly as feasible
- Determine the kind of ransomware used in the attack
- Survey every computer and storage device on the network including cloud-hosted storage for indications of compromise
- Catalog all compromised devices
- Establish the type of ransomware used in the attack
- Study log activity and sessions to establish the timeline of the attack and to identify any lateral movement from the first compromised system
- Identify the attack vectors exploited to carry out the ransomware attack
- Look for the creation of executables associated with the original encrypted files or system compromise
- Parse Outlook PST files
- Examine attachments
- Extract any URLs from email messages and check to see whether they are malicious
- Produce detailed incident documentation to meet your insurance and compliance mandates
- Recommend improvements to close security gaps and strengthen processes so as to reduce exposure to a future ransomware attack
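The log review, lateral-movement tracing, dropped-executable search, and email URL-extraction steps above, as an added Python example (not Progent's own tooling): it parses constructed sample log lines in a hypothetical one-line format, identifies the first compromised host, lists the hosts it reached by network logon, flags executables launched from Temp directories, dates the start of encryption from the extension the ransomware appends, and pulls URLs out of a constructed message body for later reputation checks. All hosts, users, paths and URLs are made up.

```python
"""Added example (not Progent's code): reconstruct a ransomware attack timeline
from host logs and flag lateral movement from the first compromised system.
All log lines, hosts, users and URLs below are constructed for illustration."""
import re
from datetime import datetime

# Constructed sample logs in a hypothetical one-line format:
#   <ISO timestamp> <host> <EVENT> key=value key=value ...
SAMPLE_LOGS = r"""
2024-03-01T02:11:05 WS-017 LOGON user=jdoe src=203.0.113.7 type=rdp
2024-03-01T02:14:30 WS-017 PROCESS_CREATE image=C:\Users\jdoe\AppData\Local\Temp\upd.exe
2024-03-01T02:20:12 WS-017 LOGON user=svc_backup src=WS-017 dst=FS-01 type=network
2024-03-01T02:21:40 FS-01 PROCESS_CREATE image=C:\Windows\Temp\upd.exe
2024-03-01T02:25:03 WS-017 LOGON user=svc_backup src=WS-017 dst=DC-01 type=network
2024-03-01T02:31:15 FS-01 FILE_WRITE path=\\FS-01\share\report.docx.locked
2024-03-01T02:33:00 DC-01 GPO_MODIFIED name=DefaultDomainPolicy by=svc_backup
"""

# Constructed phishing-style message body for the URL-extraction step.
SAMPLE_EMAIL = """Subject: Invoice overdue
Please review the attached invoice at https://invoice-portal.example.invalid/view?id=4471
or download it from http://files.example.net/inv.zip. Regards, Accounts."""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")
KV_RE = re.compile(r"(\w+)=(\S+)")      # values contain no spaces in this format
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_log(text):
    """Parse log lines into dicts (ts, host, event, plus key=value fields), sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip blank or malformed lines
        ts, host, event, rest = m.groups()
        fields = dict(KV_RE.findall(rest or ""))
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, **fields})
    return sorted(events, key=lambda e: e["ts"])


def first_compromised_host(events):
    """Earliest interactive (RDP) logon from an external address marks patient zero."""
    for e in events:
        if e["event"] == "LOGON" and e.get("type") == "rdp":
            return e["host"]
    return None


def lateral_movement(events, origin):
    """Hosts reached by network logons whose source is `origin`, in order of first contact."""
    reached = []
    for e in events:
        if e["event"] == "LOGON" and e.get("src") == origin and e.get("dst"):
            if e["dst"] not in reached:
                reached.append(e["dst"])
    return reached


def dropped_executables(events):
    """Executables launched from Temp directories: a common staging sign worth hashing later."""
    hits = []
    for e in events:
        image = e.get("image", "")
        if e["event"] == "PROCESS_CREATE" and "\\temp\\" in image.lower() \
                and image.lower().endswith(".exe"):
            hits.append((e["host"], image))
    return hits


def encryption_start(events, ransom_ext):
    """Timestamp of the first file write bearing the extension the ransomware appends."""
    for e in events:
        if e["event"] == "FILE_WRITE" and e.get("path", "").endswith(ransom_ext):
            return e["ts"]
    return None


def extract_urls(text):
    """Unique URLs in a message body, trailing punctuation removed, for reputation checks."""
    return sorted({u.rstrip(".,;:)") for u in URL_RE.findall(text)})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOGS)
    origin = first_compromised_host(events)
    print("first compromised host:", origin)
    print("lateral movement to:", lateral_movement(events, origin))
    print("dropped executables:", dropped_executables(events))
    print("encryption began:", encryption_start(events, ".locked"))
    print("URLs to check:", extract_urls(SAMPLE_EMAIL))
    for e in events:                      # the ordered timeline for the report
        print(e["ts"].isoformat(), e["host"], e["event"])
```

Real investigations work from Windows event logs, EDR telemetry and firewall exports rather than this made-up format, but the shape is the same: normalise every source to timestamped events, pick the earliest external interactive logon as the starting point, follow network logons outward from it, and align executable drops and the first renamed files against that ordering. The extracted URLs are deliberately not looked up here; they are the list you would submit to a reputation service from an isolated analysis host.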
Progent's Background
Progent has provided remote and onsite IT services throughout the U.S. for more than 20 years and has been awarded Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity practice areas. Progent's roster of SMEs includes consultants who have earned advanced certifications in core technology platforms including Cisco networking, VMware, and major Linux distros. Progent's data security consultants have earned industry-recognized certifications including CISM, CISSP, and CRISC. (See Progent's certifications). Progent also offers expertise in financial management and ERP software. This scope of skills allows Progent to salvage and integrate the surviving pieces of your information system following a ransomware intrusion and reconstruct them quickly into a viable network. Progent has collaborated with leading insurance providers including Chubb to help businesses recover from ransomware assaults.
Contact Progent about Ransomware Forensics Analysis Expertise in Ontario
To learn more about how Progent can assist your Ontario organization with ransomware forensics analysis, call 1-800-462-8800 or visit Contact Progent.