Progent's Ransomware Forensics Investigation and Reporting Services
Progent's ransomware forensics consultants can save the system state after a ransomware attack and carry out a detailed forensics analysis without impeding activity required for operational resumption and data restoration. You can utilize Progent's post-attack ransomware forensics documentation to block subsequent ransomware attacks, validate the cleanup of encrypted data, and meet insurance carrier and regulatory requirements.
Ransomware forensics investigation involves tracking and documenting the ransomware assault's storyline across the network from beginning to end. This audit trail of the way a ransomware assault travelled within the network helps your IT staff to assess the damage and highlights shortcomings in security policies or processes that need to be rectified to prevent future break-ins. Forensic analysis is typically assigned a top priority by the insurance provider and is often required by government and industry regulations. Because forensic analysis can take time, it is essential that other key recovery processes such as operational resumption are performed in parallel. Progent maintains a large roster of IT and security experts with the knowledge and experience required to carry out activities for containment, business continuity, and data recovery without disrupting forensics.
Ransomware forensics analysis is time consuming and calls for close cooperation with the groups responsible for data restoration and, if necessary, ransom negotiation with the threat actor. Forensics typically involves the examination of logs, the registry, Group Policy Objects, Active Directory, DNS servers, routers, firewalls, scheduled tasks, and core Windows system files to check for changes.
Activities involved with forensics analysis include:
- Isolate all potentially affected devices from the network without shutting them off. This can involve closing all Remote Desktop Protocol (RDP) ports and Internet-facing network-attached storage, changing admin credentials and user passwords, and implementing two-factor authentication to protect your backups.
- Capture forensically valid duplicates of all suspect devices so your file restoration group can proceed
- Preserve firewall, virtual private network, and additional key logs as soon as feasible
- Identify the kind of ransomware used in the assault
- Inspect every computer and data store on the network as well as cloud-hosted storage for signs of compromise
- Inventory all encrypted devices
- Study log activity and sessions to determine the time frame of the ransomware attack and to spot any lateral movement from the first infected system
- Understand the security gaps exploited to carry out the ransomware attack
- Search for new executables associated with the original encrypted files or network compromise
- Parse Outlook PST files
- Examine email attachments
- Extract any URLs from email messages and determine whether they are malicious
- Provide extensive incident documentation to meet your insurance carrier and compliance requirements
- Document recommendations to close cybersecurity gaps and improve processes that reduce the exposure to a future ransomware exploit
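The log-review steps above (inventory encrypted devices, establish the attack time frame, spot lateral movement from the first infected system, and tie the RDP exposure to the initial logon) can be scripted against preserved logs. The following is an added example written for this page; it is not Progent's tooling. It assumes a simplified `timestamp host event key=value` log format, a constructed sample of eight log lines, and `.locked` as the ransom extension; all three are assumptions for illustration, not artifacts from any real incident.

```python
"""Ransomware incident timeline from preserved logs (added example, not Progent's code).

Assumed input format (constructed for this example):
    <ISO timestamp> <host> <event> key=value key=value ...
Windows logon types 3 (network) and 10 (RemoteInteractive/RDP) are treated as remote.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: an RDP logon from the Internet on WS-014, a dropped
# binary, encryption on WS-014, then a network logon and encryption on file server FS-01.
SAMPLE_LOG = """\
2024-03-01T02:11:05 WS-014 logon type=10 user=jdoe src=203.0.113.7
2024-03-01T02:14:30 WS-014 process image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe
2024-03-01T02:15:02 WS-014 file path=D:\\share\\q1.xlsx.locked op=create
2024-03-01T02:15:03 WS-014 file path=D:\\share\\q2.docx.locked op=create
2024-03-01T02:20:44 FS-01 logon type=3 user=jdoe src=10.0.5.14
2024-03-01T02:21:10 FS-01 file path=E:\\finance\\ledger.db.locked op=create
2024-03-01T02:21:11 FS-01 file path=E:\\finance\\README_RESTORE.txt op=create
2024-03-01T08:00:00 WS-014 logon type=2 user=jdoe src=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
RANSOM_EXT = ".locked"          # assumed extension used by the constructed sample
REMOTE_LOGON_TYPES = {"3", "10"}


def parse_log(text):
    """Parse the simplified log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the review
        fields = dict(KV_RE.findall(m.group("rest")))
        fields.update(ts=datetime.fromisoformat(m.group("ts")),
                      host=m.group("host"), event=m.group("event"))
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def _is_encrypted(e):
    return e["event"] == "file" and e.get("path", "").lower().endswith(RANSOM_EXT)


def encrypted_inventory(events):
    """Per-host list of files carrying the ransom extension."""
    inv = defaultdict(list)
    for e in events:
        if _is_encrypted(e):
            inv[e["host"]].append(e["path"])
    return dict(inv)


def attack_window(events):
    """(first, last) timestamp of observed encryption, or None if none was seen."""
    ts = [e["ts"] for e in events if _is_encrypted(e)]
    return (min(ts), max(ts)) if ts else None


def first_encrypting_host(events):
    """Host with the earliest encrypted file; events are already sorted."""
    for e in events:
        if _is_encrypted(e):
            return e["host"]
    return None


def initial_remote_logon(events):
    """Earliest remote logon on the first encrypting host before encryption began."""
    window = attack_window(events)
    if window is None:
        return None
    host = first_encrypting_host(events)
    for e in events:
        if (e["host"] == host and e["event"] == "logon"
                and e.get("type") in REMOTE_LOGON_TYPES and e["ts"] < window[0]):
            return (e["ts"].isoformat(), host, e.get("user"), e.get("src"))
    return None


def lateral_movement(events):
    """Remote logons onto other hosts after the first host began encrypting."""
    window = attack_window(events)
    if window is None:
        return []
    origin = first_encrypting_host(events)
    return [(e["ts"].isoformat(), e["host"], e.get("user"), e.get("src"))
            for e in events
            if e["event"] == "logon" and e.get("type") in REMOTE_LOGON_TYPES
            and e["host"] != origin and e["ts"] >= window[0]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("encrypted:", encrypted_inventory(evs))
    print("window:", attack_window(evs))
    print("initial remote logon:", initial_remote_logon(evs))
    print("lateral movement:", lateral_movement(evs))
```

On the constructed sample this reports WS-014 as the first encrypting host, an Internet-sourced RDP logon a few minutes before encryption as the candidate initial access, and the later network logon to FS-01 as a lateral hop. Against real evidence the same structure applies, but the parser would be replaced by one for the actual log sources (Windows Security events, firewall and VPN logs) and the ransom extension by the one observed in the inventory step.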
Progent has delivered remote and on-premises IT services throughout the United States for more than 20 years and has earned Microsoft's Gold Partner designation in the Datacenter and Cloud Productivity competencies. Progent's roster of SBEs includes professionals who have been awarded advanced certifications in foundation technology platforms such as Cisco infrastructure, VMware virtualization, and popular distributions of Linux. Progent's data security experts have earned internationally recognized certifications including CISA, CISSP, and GIAC. (Refer to certifications earned by Progent consultants). Progent also has top-tier support in financial and Enterprise Resource Planning application software. This broad array of expertise gives Progent the ability to salvage and integrate the undamaged parts of your IT environment after a ransomware assault and rebuild them quickly into a viable system. Progent has worked with leading cyber insurance carriers like Chubb to help organizations clean up after ransomware assaults.
Contact Progent about Progent's Ransomware Forensics Investigation Expertise
To find out more information about how Progent can help you with ransomware forensics, call 1-800-993-9400 or visit Contact Progent.