Progent's Ransomware Forensics Analysis and Reporting Services
Progent's ransomware forensics consultants can capture the evidence of a ransomware assault and perform a comprehensive forensics investigation without disrupting activity related to business resumption and data restoration. You can use Progent's post-attack ransomware forensics report to counter subsequent ransomware assaults, assist in the restoration of lost data, and meet insurance carrier and governmental reporting requirements.
Ransomware forensics is aimed at tracking and documenting the ransomware attack's progress throughout the targeted network from beginning to end. This audit trail of the way a ransomware attack progressed within the network assists your IT staff to assess the impact and highlights vulnerabilities in security policies or work habits that should be corrected to avoid future break-ins. Forensic analysis is usually assigned a high priority by the insurance carrier and is typically mandated by government and industry regulations. Since forensic analysis can be time consuming, it is critical that other key activities such as business resumption are pursued concurrently. Progent maintains a large team of information technology and security experts with the skills needed to perform activities for containment, business resumption, and data recovery without disrupting forensic analysis.
Ransomware forensics is time consuming and calls for close interaction with the groups responsible for file recovery and, if needed, payment negotiation with the ransomware Threat Actor (TA). Ransomware forensics can require the review of logs, the registry, Group Policy Objects (GPOs), Active Directory (AD), DNS, routers, firewalls, schedulers, and core Windows system components to look for changes.
Activities involved with forensics analysis include:
- Isolate all possibly affected devices from the network without powering them off, so that volatile evidence such as memory contents is preserved. This can involve closing all Remote Desktop Protocol (RDP) ports and Internet-connected NAS storage, changing admin credentials and user passwords, and implementing two-factor authentication to guard backups.
- Capture forensically complete disk images of all suspect devices so the data recovery team can get started on the copies while the originals remain untouched.
- Save firewall, VPN, and other key logs as soon as possible
- Determine the version of ransomware involved in the attack
- Inspect every computer and storage device on the system as well as cloud-hosted storage for indications of encryption
- Inventory all compromised devices
- Determine the type of ransomware involved in the assault
- Review logs and sessions to determine the time frame of the attack and to spot any lateral movement from the first infected system
- Identify the attack vectors exploited to carry out the ransomware attack
- Search for new executables associated with the first encrypted files or system breach
- Parse Outlook PST files
- Analyze email attachments
- Extract URLs embedded in email messages and determine whether they lead to malware
- Produce comprehensive attack reporting to meet your insurance and compliance regulations
- Document recommendations to shore up security vulnerabilities and improve workflows that reduce the exposure to a future ransomware breach
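Two of the activities above, inspecting storage for indications of encryption and reviewing logs to establish the attack time frame and lateral movement, are illustrated by the following added Python example. It is not Progent's tooling and not code from the original page; the sample file contents, the simplified key=value log lines, the list of appended extensions, the entropy threshold and the internal address range are all constructed assumptions for illustration.

```python
"""Ransomware triage helpers (added example, not Progent's own tooling).

Flags files that show indications of encryption (high entropy, renamed
extensions, ransom notes) and rebuilds an attack timeline from logon and
process-creation events to locate the time frame and lateral movement.
All sample data, extensions and network ranges below are constructed.
"""
import ipaddress
import math
import re
from collections import Counter
from datetime import datetime

# Assumptions (constructed, not from the page): extensions that encryptors
# commonly append, an entropy cut-off, and the internal address range.
SUSPICIOUS_EXTENSIONS = (".locked", ".encrypted", ".crypt")
ENTROPY_THRESHOLD = 7.2      # bits per byte; encrypted data sits close to 8.0
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
NOTE_NAME = re.compile(r"(readme|restore|decrypt|recover)", re.IGNORECASE)

# Constructed sample files: name -> content.
SAMPLE_FILES = {
    "Q3-report.docx": b"Quarterly results: revenue up 4 percent. " * 40,
    "Q3-report.docx.locked": bytes(range(256)) * 8,
    "README_TO_RESTORE.txt": b"Your files have been encrypted. Contact us to recover them.",
    "notes.txt": b"meeting at 10, bring the forecast\n" * 10,
}

# Constructed log lines in a simplified key=value form. Event ids follow the
# Windows Security log (4624 = logon, 4688 = process creation); logon_type 10
# is RemoteInteractive (RDP).
SAMPLE_LOGS = [
    "2024-03-01T22:10:03 host=FS01 event=4624 logon_type=10 src=203.0.113.5 user=admin",
    "2024-03-01T22:14:40 host=FS01 event=4688 proc=C:\\Users\\admin\\update.exe",
    "2024-03-01T22:31:55 host=HR02 event=4624 logon_type=10 src=10.0.0.5 user=admin",
    "2024-03-01T22:35:00 host=HR02 event=4688 proc=C:\\Windows\\Temp\\update.exe",
    "2024-03-01T22:40:12 host=HR02 event=4624 logon_type=2 src=- user=jdoe",
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def classify_file(name: str, data: bytes) -> list:
    """Return the indications of encryption found for one file (empty if none)."""
    reasons = []
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        reasons.append("high_entropy")
    if name.lower().endswith(SUSPICIOUS_EXTENSIONS):
        reasons.append("suspicious_extension")
    if NOTE_NAME.search(name) and b"encrypted" in data.lower():
        reasons.append("ransom_note")
    return reasons


def inventory(files: dict) -> dict:
    """Map each suspicious file name to its reasons; clean files are omitted."""
    return {n: r for n, d in files.items() if (r := classify_file(n, d))}


def parse_log(line: str) -> dict:
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def is_internal(src: str) -> bool:
    """True when the source address falls inside the assumed internal range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:            # "-" or empty for local logons
        return False
    return any(addr in net for net in INTERNAL_NETS)


def build_timeline(lines: list) -> list:
    """Return (timestamp, category, detail) tuples for attack-relevant events
    in time order. An RDP logon from outside is the initial-access candidate;
    an RDP logon from an internal host is lateral movement; 4688 events
    record new executables to inspect."""
    findings = []
    for ev in sorted((parse_log(l) for l in lines), key=lambda e: e["ts"]):
        if ev["event"] == "4624" and ev.get("logon_type") == "10":
            src = ev.get("src", "-")
            cat = "internal_rdp_logon" if is_internal(src) else "external_rdp_logon"
            findings.append((ev["ts"], cat, f"{src} -> {ev['host']} as {ev['user']}"))
        elif ev["event"] == "4688":
            findings.append((ev["ts"], "new_executable", f"{ev['host']}: {ev['proc']}"))
    return findings


def attack_window(findings: list):
    """Earliest and latest attack-relevant timestamps, or None if nothing found."""
    if not findings:
        return None
    return findings[0][0], findings[-1][0]


if __name__ == "__main__":
    for name, reasons in inventory(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(reasons)}")
    timeline = build_timeline(SAMPLE_LOGS)
    for ts, cat, detail in timeline:
        print(ts.isoformat(), cat, detail)
    print("attack window:", attack_window(timeline))
```

Run against a mounted forensic image rather than the live system, and treat the entropy rule as a triage filter only: legitimately compressed formats (archives, media, many Office files) also score near 8.0, so every hit still needs an analyst's review before it is counted as encrypted.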
Progent has delivered online and onsite IT services throughout the United States for more than 20 years and has earned Microsoft's Gold Partner designation in the Datacenter and Cloud Productivity practice areas. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded advanced certifications in core technology platforms such as Cisco infrastructure, VMware virtualization, and major distributions of Linux. Progent's cybersecurity experts have earned internationally recognized certifications including CISA, CISSP, and GIAC. (Refer to certifications earned by Progent consultants.) Progent also offers guidance in financial management and ERP software. This breadth of expertise gives Progent the ability to salvage and integrate the undamaged parts of your IT environment following a ransomware attack and reconstruct them rapidly into an operational network. Progent has collaborated with top insurance carriers including Chubb to assist businesses in recovering from ransomware attacks.
Contact Progent about Progent's Ransomware Forensics Investigation Expertise
To learn more about how Progent can help your business with ransomware forensics investigation, call 1-800-462-8800 or visit Contact Progent.