Ransomware Remediation

Our Ransomware Remediation Fireteam is ready to virtually jump into action anytime, anywhere. We have a multitude of custom applications and scripts that allows us to remediate much quicker than industry standard (average downtime is 21 days). During recovery we are also deploying proven security settings and configurations to make sure a threat actor is ejected from your network while recovering systems at the same time. We also have at our disposal our datacenter-in-a-box that we can use to host, backup, recover, and rebuild entire systems quickly and efficiently. Our Incident Response Coordinator will be the primary point of contact who will manage/architect the entire engagement from start to finish.

Click here to contact us for additional information, or call 813-463-4775 for immediate 24/7 response.

Here are some recommended steps if you find yourself in a Ransomware event.

Preserve forensic data (do not delete or erase without a backup or copy).
Contact the FBI/CISA to report the cyber crime.
1. https://us-cert.cisa.gov/forms/report
2. https://ransomware.ic3.gov/default
Disconnect backup software and determine if backups were encrypted.
1. Determine best recovery date of files.
2. DO NOT shut down a device that is known to be in the process of encryption. You may corrupt the Operating System making recovery impossible.
Determine risk :
1. Was client or staff personal/private information ex-filtrated by the threat actor?
  1. If yes, we highly recommend using a 3rd party negotiator provide negotiation services and to determine proof of life of ex-filtrated data. We can recommend a trusted partner to facilitate your negotiations.
  2. Do not contact the threat actor directly. 3rd party negotiators are skilled professionals who can lower the requested ransom significantly and/or buy time needed to assess the situation.
2. If any data is deemed unrecoverable but necessary, negotiations with the threat actor for decryption keys will be required.
Identify the ransom variant.
1. 1. Identifying the variant will help identify the threat actor. It will also help determine if the threat actor has a good history of supplying keys and how communicative/responsive they are to negotiate with.
  2. A ransom note will usually contain clues as to who the threat actor is.
  3. ConnectOn can assist with identifying the variant.
Change all passwords, personal and companywide.
1. Change the passwords to your corporate and personal banking institutions.
2. Change the passwords to utilities and any other website that hold sensitive information.
3. Change the passwords to Social Media, PayPal, Amazon etc. (any site that holds personal or credit information).
Segment your network and create filters between networks if applicable.
Enable MFA (multi factor) on systems and web services where available.
Determine admin access privileges.
1. Verify administrative access is only available to admins.
2. Regular users should not be administrators.
Deploy an EDR\XDR tool to monitor and detect anomalous activity.
Engage in Council (we can recommend a breach council specialist) if any threat actor communications are involved and/or if engaging a forensics investigation (we can also recommend a forensics firm).
Determine Patching requirements and patch all endpoints (including firewall/network devices).
Lock down VPN access and traffic if applicable.
1. Reset VPN passwords, disable VPN access.

Over 120

SUCCESSFUL