Overview of Progent's Ransomware Forensics Analysis and Reporting in Lynnwood
Progent's ransomware forensics experts can capture the system state after a ransomware attack and carry out a comprehensive forensics analysis without interfering with the processes related to operational continuity and data restoration. Your Lynnwood business can utilize Progent's post-attack forensics report to block subsequent ransomware attacks, assist in the recovery of lost data, and meet insurance carrier and regulatory requirements.
Ransomware forensics analysis involves tracking and describing the ransomware attack's storyline throughout the network from start to finish. This audit trail of how a ransomware attack travelled within the network helps your IT staff to assess the damage and uncovers weaknesses in rules or work habits that need to be corrected to prevent later breaches. Forensics is usually given a high priority by the insurance carrier and is often mandated by government and industry regulations. Since forensics can take time, it is vital that other important activities such as operational continuity are executed concurrently. Progent maintains a large team of IT and data security professionals with the knowledge and experience needed to carry out the work of containment, operational resumption, and data restoration without interfering with forensics.
Ransomware forensics is complicated and calls for close interaction with the groups focused on file restoration and, if needed, payment negotiation with the ransomware Threat Actor (TA). Ransomware forensics typically requires the review of all logs, the registry, Group Policy Objects, Active Directory (AD), DNS servers, routers, firewalls, scheduled tasks, and core Windows systems to detect changes.
Activities associated with forensics include:
- Disconnect all potentially impacted devices from the network, but do not power them off. This can require closing all Remote Desktop Protocol (RDP) ports and Internet-connected network-attached storage, changing administrator credentials and user passwords, and implementing 2FA to protect your backups.
- Create forensically valid duplicates of all suspect devices so your file recovery team can proceed
- Save firewall, virtual private network, and other key logs as soon as feasible
- Establish the variety of ransomware used in the attack
- Examine each computer and data store on the system including cloud-hosted storage for signs of compromise
- Inventory all encrypted devices
- Determine the type of ransomware used in the attack
- Review log activity and sessions in order to establish the timeline of the attack and to spot any possible lateral movement from the originally compromised machine
- Identify the security gaps exploited to carry out the ransomware assault
- Search for new executables created around the time of the original file encryption or system breach
- Parse Outlook PST files
- Examine email attachments
- Extract URLs from messages and determine whether they are malicious
- Produce detailed attack documentation to satisfy your insurance carrier and compliance mandates
- List recommended improvements to close cybersecurity vulnerabilities and improve workflows in order to lower the exposure to a future ransomware breach
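As an added example (not Progent's tooling or code), the following Python shows the kind of timeline reconstruction and lateral-movement check described in the log-review step above, run over a constructed sample of Windows Security event records; the host names, IP addresses, asset inventory and event fields are all assumed.

```python
# Constructed sample of Windows Security event records (not real logs);
# fields are a simplified subset of what the event log actually carries.
EVENTS = [
    {"ts": "2024-03-01T02:15:12", "host": "FS-01", "id": 4624, "logon_type": 3, "src_ip": "10.0.5.7", "user": "jdoe"},
    {"ts": "2024-03-01T02:10:05", "host": "WS-07", "id": 4624, "logon_type": 10, "src_ip": "203.0.113.44", "user": "jdoe"},
    {"ts": "2024-03-01T02:12:40", "host": "WS-07", "id": 4698, "task": "Updater"},
    {"ts": "2024-03-01T02:16:00", "host": "DC-01", "id": 4624, "logon_type": 10, "src_ip": "10.0.5.7", "user": "admin"},
    {"ts": "2024-03-01T02:30:00", "host": "FS-01", "id": 1102},
    {"ts": "2024-03-01T01:55:00", "host": "WS-03", "id": 4624, "logon_type": 2, "src_ip": "-", "user": "asmith"},
]
# Assumed asset inventory mapping internal IPs back to host names.
HOST_BY_IP = {"10.0.5.7": "WS-07", "10.0.5.20": "FS-01", "10.0.5.1": "DC-01", "10.0.5.3": "WS-03"}
REMOTE_LOGON_TYPES = {3, 10}  # network and RemoteInteractive (RDP) logons
NOTEWORTHY = {1102: "audit log cleared", 4698: "scheduled task created"}


def _ordered(events):
    # ISO-8601 timestamps of equal length sort correctly as strings.
    return sorted(events, key=lambda e: e["ts"])


def build_timeline(events):
    """Return (timestamp, host, label) tuples in chronological order."""
    out = []
    for e in _ordered(events):
        if e["id"] == 4624:
            label = f"logon type {e['logon_type']} as {e['user']} from {e['src_ip']}"
        else:
            label = NOTEWORTHY.get(e["id"], f"event {e['id']}")
        out.append((e["ts"], e["host"], label))
    return out


def find_lateral_movement(events, patient_zero):
    """Follow remote logons outward from the first compromised host.

    A hop is recorded when a remote logon on a not-yet-compromised host
    originates from an IP that maps to an already-compromised host.
    """
    compromised = {patient_zero}
    hops = []
    for e in _ordered(events):
        if e["id"] != 4624 or e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        src_host = HOST_BY_IP.get(e["src_ip"])
        if src_host in compromised and e["host"] not in compromised:
            compromised.add(e["host"])
            hops.append((e["ts"], src_host, e["host"], e["user"]))
    return hops


if __name__ == "__main__":
    for row in build_timeline(EVENTS):
        print(*row)
    for ts, src, dst, user in find_lateral_movement(EVENTS, "WS-07"):
        print(f"{ts}: {src} -> {dst} ({user})")
```

The 1102 "audit log cleared" entry is kept in the timeline because a gap or wipe in one host's log is itself evidence that should be corroborated from firewall, VPN or other preserved logs.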
Progent has provided remote and onsite IT services throughout the U.S. for over two decades and has earned Microsoft's Gold Partner designation in the Datacenter and Cloud Productivity practice areas. Progent's team of subject matter experts includes professionals who have earned high-level certifications in core technology platforms such as Cisco infrastructure, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned industry-recognized certifications such as CISM, CISSP, and GIAC. (Refer to Progent's certifications). Progent also offers top-tier support in financial management and ERP application software. This scope of skills gives Progent the ability to salvage and consolidate the undamaged parts of your network following a ransomware intrusion and reconstruct them rapidly into an operational network. Progent has worked with leading cyber insurance carriers like Chubb to help organizations recover from ransomware attacks.
Contact Progent about Ransomware Forensics Services in Lynnwood
To find out more information about how Progent can assist your Lynnwood business with ransomware forensics, call 1-800-462-8800 or see Contact Progent.