Overview of Progent's Ransomware Forensics and Reporting
Progent's ransomware forensics experts can preserve the system state after a ransomware assault and carry out a detailed forensics analysis without interfering with the processes required for operational resumption and data recovery. You can use Progent's post-attack ransomware forensics report to block subsequent ransomware attacks, validate the recovery of encrypted data, and comply with insurance carrier and governmental requirements.
Ransomware forensics investigation is aimed at tracking and describing the ransomware assault's storyline across the targeted network from beginning to end. This audit trail of the way a ransomware assault progressed through the network helps your IT staff to evaluate the damage and brings to light shortcomings in security policies or processes that should be rectified to avoid later breaches. Forensics is commonly assigned a top priority by the cyber insurance provider and is often required by government and industry regulations. Since forensic analysis can take time, it is essential that other important activities such as business resumption are executed concurrently. Progent has a large team of information technology and security professionals with the knowledge and experience needed to perform the work of containment, operational continuity, and data recovery without interfering with forensics.
Ransomware forensics analysis is time consuming and calls for close cooperation with the teams assigned to data recovery and, if needed, payment negotiations with the ransomware attacker. Forensics typically involves reviewing logs, the registry, GPOs, Active Directory, DNS, routers, firewalls, schedulers, and core Windows systems to check for unexpected changes.
Activities involved in a forensics investigation include:
- Isolate all potentially compromised devices from the network without powering them down. This can require closing all RDP ports and Internet-facing NAS storage, changing admin credentials and user passwords, and configuring 2FA to protect backups.
- Create forensically complete digital images of all suspect devices so the data recovery group can proceed
- Preserve firewall, VPN, and other key logs as soon as feasible
- Establish the kind of ransomware used in the attack
- Examine every computer and storage device on the network, including cloud storage, for indicators of compromise
- Catalog all compromised devices
- Review logs and sessions in order to establish the timeline of the ransomware attack and to identify any potential lateral movement from the first infected machine
- Identify the security gaps used to carry out the ransomware attack
- Look for new executables associated with the original encrypted files or network breach
- Parse Outlook web archives
- Examine email attachments
- Extract URLs embedded in email messages and check whether they are malicious
- Produce extensive attack reporting to satisfy your insurance and compliance mandates
- List recommended improvements to close cybersecurity gaps and enforce processes that lower the risk of a future ransomware attack
Progent has delivered online and on-premises IT services throughout the United States for more than 20 years and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded advanced certifications in foundation technology platforms such as Cisco networking, VMware virtualization, and major distributions of Linux. Progent's data security experts have earned prestigious certifications such as CISA, CISSP-ISSAP, and GIAC. (See certifications earned by Progent consultants). Progent also offers top-tier support in financial and ERP application software. This breadth of skills allows Progent to salvage and consolidate the undamaged parts of your information system following a ransomware intrusion and rebuild them quickly into a viable network. Progent has worked with top cyber insurance carriers including Chubb to help organizations recover from ransomware attacks.
Contact Progent about Progent's Ransomware Forensics Investigation Services
To find out more about how Progent can assist your business with ransomware forensics, call 1-800-462-8800 or see Contact Progent.