Understanding CISA’s Recommendations: How to Combat Ransomware Threats

Ransomware is a type of malware that encrypts files on a device, making them and the systems that rely on them unusable. Attackers then demand a ransom in exchange for decryption. Over time, these malicious actors have evolved their tactics, sometimes even threatening to release stolen data, a strategy known as “double extortion.” This guide, an update from the Joint Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) Ransomware Guide of September 2020, offers two main resources: Best Practices and a Response Checklist

Ransomware Prevention Best Practices from CISA’s #StopRansomware Guide

Ransomware is a malicious software designed to encrypt files on a device, making them and the systems they rely on unusable. Attackers then demand a ransom in exchange for decryption. Over time, these malicious actors have evolved their tactics, sometimes even stealing victim data and threatening its release, a strategy known as “double extortion.” The consequences of ransomware can be severe, affecting business processes, causing economic losses, and damaging reputations.

1. Preparation: Maintain offline, encrypted backups of critical data and test them regularly. Use “golden images” of critical systems for quick deployment in case of attacks. Consider multi-cloud solutions for backups.
2. Access Control: Implement a zero-trust architecture, ensuring granular access control. This assumes the network is compromised and aims to minimize uncertainty in access decisions.
3. Vulnerability Management: Regularly scan for vulnerabilities, especially on internet-facing devices. Patch and update software and operating systems promptly.
4. Credential Management: Implement phishing-resistant multi-factor authentication (MFA) for all services. Use strong password policies and consider using password managers. Monitor for compromised credentials on the dark web.
5. Phishing Prevention: Educate employees on identifying and reporting phishing attempts. Implement email filters to block known malicious indicators and use Domain-based Message Authentication, Reporting, and Conformance (DMARC) to prevent email spoofing.
6. Malware Prevention: Use updated antivirus and anti-malware software. Some ransomware attacks are a result of existing malware infections, so detecting precursor malware is crucial.
7. For a comprehensive understanding and more detailed recommendations, refer to the original CISA StopRansomware Guide.

Ransomware Response Checklist

Based on the content from CISA’s #StopRansomware Guide, here’s a summarized ransomware response checklist:

1. Immediate Actions:
   • Isolate affected systems to prevent the spread of ransomware.
   • Secure backup data or systems by ensuring they are offline and not accessible from compromised networks.
   • Notify organizational leadership and activate the incident response team.
2. Engage with Law Enforcement:
   • Report the incident to law enforcement agencies, such as the FBI or CISA, to get assistance and guidance. (Authors’ note: Many companies are insecure about inviting the FBI or CISA in, thinking that it will open up a wider investigation of the company. This is not the case. Unless you are running a blatantly illegal operation, there is little risk and high possible benefit.)
3. Assess the Situation:
   • Determine the scope of the incident, including which systems and data are affected.
   • Identify the strain of ransomware used in the attack.
   • Check for a ransom note and follow organizational procedures on whether to engage with the threat actor.
4. Engage External Stakeholders:
   • Notify external stakeholders, such as partners, customers, or regulatory bodies, if their data is affected.
   • Engage with external cybersecurity professionals for incident response and recovery.
5. Recovery:
   • Restore systems from clean backups after ensuring the ransomware has been completely removed.
   • Validate the integrity of the restored data.
   • Implement security measures to prevent future attacks.
6. Post-Incident Activities:
   • Conduct a post-incident review to identify lessons learned and areas for improvement.
   • Update incident response and business continuity plans based on the findings.
   • Train employees on ransomware awareness and prevention.
7. Continuous Monitoring:
   • Monitor network traffic and system logs for signs of malicious activity.
   • Update and patch systems regularly.
   • Implement advanced threat detection and response solutions.

For a detailed response checklist and more information, refer to the original CISA StopRansomware Guide.

To download a PDF version of this checklist, click here.

Additional Resources:

#StopRansomware

Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.

• Author
• Recent Posts

Follow me

Paul Bergman

CEO at Tracc Development, Inc.

Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He is also CEO of a mentoring non-profit in San Diego, Lamp of Learning. He writes on cybersecurity and board management for both corporate and nonprofit boards.

Follow me

Latest posts by Paul Bergman (see all)

• Drive-By URLs: What are they? - July 26, 2024
• Beware of Fake CrowdStrike Fixes: A New Malware and Wiper Threat - July 25, 2024
• Ransomware targets Small and Medium-Sized Businesses - July 25, 2024