The Tetra incident response team breaks the mold. We focus on your needs as opposed to stringent, cumbersome protocol. We customize and triage your priorities to get you back on track faster. In times of crisis, we provide unique insight and intel — giving you clarity when the unthinkable happens.
No matter where you are, we can get to work remotely right away. We prefer getting to work on the incident rather than spending time and money to travel to you. Our active incident response services are available as soon as we’re called to action.
We prioritize restoration in tandem with the investigation in order to limit downtime and losses. Our team of experienced IT professionals, former law enforcement, and Digital Forensics experts offer well-rounded protection to remediate the incident.
We understand how stressful and complex incidents can be – that’s why we take pride in clear, straightforward communication from start to finish. We prepare a clear, current summary of our research and keep you informed of our efforts, tools, and recommendations every step of the way.
When your organization encounters a situation requiring swift and thorough action, our Incident Response team is there to help. No matter the root cause of attack, our responders offer trusted insights against these vulnerabilities:
When a Managed Service Provider (MSP) is a victim of cybercrime, the scope of damage can be vast. Most MSPs are using Remote Management and Monitoring (RMM) tools to allow them to provide quick and effective service remotely, instead of needing to get an employee on-site for every little fix. These tools, and their function as Remote Access Tools (RATs) in particular, means that if a cyber criminal gains full access to the MSP’s RMM tool, the threat actor can have full access to every system for every client. Last year, we assisted an MSP that was the victim of cybercrime.
In this particular case, the ransomware known as “Gandcrab” was deployed to all managed systems through one of the MSP’s RMMs.
Unfortunately, all managed systems included every client production machine, every client backup server, all machines owned and operated by the MSP for their internal use, and their servers hosting remote copies of backups.
There were 36 affected clients that needed help, and every single one was down. The MSP simply didn’t have enough manpower to assist every client and was so over-worked that they had to turn off their main phone line.
After reviewing a list of clients affected by the ransomware, Tetra made the decision that we needed to engage each client individually to most efficiently remediate the problem. This allowed Tetra to get a deep understanding of each client’s setup, needs, and most critical systems. It also allowed Tetra to break the clients up into groups and assign both its employees and the MSP’s employees as the primary leads, letting the strengths of each team member work best with the unique situations of each client. Additionally, scoping each client individually allowed for rapid assessment of how many machines truly needed decryption, which gave Tetra substantial leverage in negotiating a potential ransom payment.
For some clients, the solution was simple. For more complicated clients, it could’ve taken hours to manually identify each key encrypting data on a critical system. For those clients, Tetra turned to its development team:
In less than an hour, Tetra’s developers wrote custom software to automatically identify all encryption keys on all critical systems. This dramatically reduced both Digital Forensics and Incident Response team member billable hours and the amount of time it took come to a conclusion on how many keys need to be negotiated for.
While the cyber criminal may identify thousands of keys, our programming determined only the critical keys needed. Tetra was able to keep ransom payment costs to a minimum, and helped each individual client get back up and running.
https://tetradefense.com/wp-content/uploads/2021/05/CauseEffect_SunCrypt.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2021-05-03 11:17:462021-05-03 11:24:05Cause and Effect: SunCrypt Ransomware Analysis
https://tetradefense.com/wp-content/uploads/2020/11/CauseEffect_WastedLocker.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2020-11-17 16:58:002021-06-08 18:14:04Cause and Effect: WastedLocker Ransomware Analysis
https://tetradefense.com/wp-content/uploads/2020/05/Cause-and-Effect-Uni-C.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2020-05-15 15:30:002020-06-24 13:55:51Cause and Effect: When a University Falls Victim To Ransomware
https://tetradefense.com/wp-content/uploads/2020/05/Cause-Effect-Surveil-.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2020-05-05 13:09:092021-06-08 18:08:17Cause and Effect: Sodinokibi Ransomware Analysis
https://tetradefense.com/wp-content/uploads/2020/04/Cause-and-Effect-Case-StudiesC-2.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2020-04-14 13:46:002020-06-29 15:33:40Cause and Effect: When a Managed Service Provider (MSP) Falls Victim to RansomwareNathan and his team specialize in putting a stop to ongoing incidents, finding the root cause of security incidents, and determining the exact actions of malware and attackers. His leadership helps drastically lower the volume of data that needs to be included in breach notifications using forensic artifacts left behind on the network, servers, and devices involved. Some of the most common cases Nathan’s team encounters are related to HIPAA security incident investigations, business email compromise, financial data theft, insider threat investigations, employee data theft, wire transfer fraud, and more. Nathan’s unique experience writing digital forensics and data recovery software allows him and his team to find and recover data and forensic artifacts that may otherwise go unfound.
https://tetradefense.com/wp-content/uploads/2021/04/ST_Nate.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2021-04-16 11:40:362021-04-16 11:40:38Stronger Together: Meet Nate Butler
https://tetradefense.com/wp-content/uploads/2020/12/ST_Seth.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2020-12-21 15:54:232020-12-21 15:54:25Stronger Together: Meet Seth Hopwood
https://tetradefense.com/wp-content/uploads/2020/11/ST_Max.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2020-11-23 07:47:002020-11-19 11:53:54Stronger Together: Meet Maximillian Milovets
https://tetradefense.com/wp-content/uploads/2020/11/Amanda_ST.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2020-11-06 08:49:002020-11-06 09:51:20Stronger Together: Meet Amanda Robinson
https://tetradefense.com/wp-content/uploads/2020/09/David-ST.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2020-09-07 07:45:002020-09-09 10:10:25Stronger Together: Meet David Kruse
https://tetradefense.com/wp-content/uploads/2020/08/ST_Cody.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2020-08-25 08:00:002020-08-24 16:58:36Stronger Together: Meet Cody Dorn
https://tetradefense.com/wp-content/uploads/2020/07/Cindy-Murphy.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2020-08-03 12:32:512020-08-03 12:32:52Stronger Together: Meet Cindy Murphy
https://tetradefense.com/wp-content/uploads/2020/07/Wes.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2020-07-14 12:53:062020-07-14 12:53:06Stronger Together: Meet Wesley Gill
https://tetradefense.com/wp-content/uploads/2020/07/Trentin.png
675
1200
Marlene Jones
https://www.tetradefense.com/wp-content/uploads/2019/12/Web_Orange_White_sized-300x97.png
Marlene Jones2020-07-03 08:05:002020-07-01 16:27:06Stronger Together: Meet Trentin ThomasThere are different trends, threats, and vulnerabilities we see that can correlate to certain industries. Here are our most recent considerations our Incident Response team takes into account when handling new cases — and when considering possible vulnerabilities based on industry.
Given the nature of HIPAA and other regulations that are required of healthcare organizations, the data is especially valuable to threat actors. Clients and patients require a higher, more regulated level of discretion when it comes to medical history and outcomes — which makes this data more costly to retrieve from the wrong hands. If a healthcare organization faces a data breach, it is estimated to cost them an average of $429 per record lost. With such a high return on investment, threat actors specifically target these organizations despite the critical healthcare they provide.
Cybersecurity for the education industry is a unique challenge. Threat actors focus on the most valuable, most protected data to extort. Institutions such as universities and research facilities (as one often accompanies the other) have always been at high risk of attacks. Higher education institutions face difficult security challenges oftentimes based on physical location — thousands of students from all over the state, country, or even the globe are not often on one campus. The data that many universities are required to have and to secure is as valuable to threat actors, and when students study from larger distances, or even bring their own personal devices to a school’s network, the data is more available to the wrong people.
Manufacturing organizations prove to be especially critical if faced with a cyberattack — there comes the added challenge of somehow remaining open for business even if technical infrastructure is compromised. This is made even more complex by the upcoming CMMC requirements that may soon apply to many manufacturing organizations. In the past, manufacturing organizations didn’t face as severe a threat from cyberattacks as other domains. Sensitive information stored by education and healthcare organizations often proved more lucrative targets. Now, due to the modern, connected nature of the Internet of Things (IoT) that ties several organizations together in a clear hierarchy, threats are more persistent than they have been in the past. Threat actors seek either money or disruption through stealing intellectual property, affecting productivity, or simply tarnishing the reputation of an organization.