Understanding CISA’s Recommendations: How to Combat Ransomware Threats
Ransomware is malware that encrypts files on a device, making them and the systems that rely on them unusable. Attackers then demand a ransom in exchange for decryption. Over time, these actors have evolved their tactics, increasingly stealing data before encrypting it and threatening to publish it if the ransom is not paid, a strategy known as “double extortion.” The #StopRansomware Guide updates the joint Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) Ransomware Guide of September 2020, and offers two main resources: a set of Best Practices and a Response Checklist.
![](https://i0.wp.com/www.paulbergman.org/wp-content/uploads/2023/09/ransomware-process-diagram-1024x240.png?resize=640%2C150&ssl=1)
Ransomware Prevention Best Practices from CISA’s #StopRansomware Guide
As described above, ransomware is malicious software that encrypts files on a device, making them and the systems that rely on them unusable, with the attacker demanding a ransom for decryption and, in “double extortion” cases, also stealing data and threatening to release it. The consequences can be severe: interrupted business processes, economic loss, reputational damage, and, where data was stolen, a data breach in its own right. The guide’s prevention best practices, summarized:
- Preparation: Maintain offline, encrypted backups of critical data, and regularly test that you can actually restore from them, not merely that the backup job completed. Backups that are reachable over the network with the same credentials as production are themselves a ransomware target, so keep at least one copy offline or otherwise immutable. Maintain “golden images” of critical systems for quick redeployment, and consider multi-cloud backup solutions so that a single provider or account is not a single point of failure.
- Access Control: Implement a zero-trust architecture with granular access control. Zero trust assumes the network is already compromised, so every access request is explicitly verified and granted only the least privilege it needs, rather than trusted because it originates inside the perimeter.
- Vulnerability Management: Regularly scan for vulnerabilities, especially on internet-facing devices such as VPN gateways, firewalls and remote-access services, which are common initial access vectors. Patch and update software and operating systems promptly, prioritizing vulnerabilities known to be exploited in the wild.
- Credential Management: Implement phishing-resistant multi-factor authentication (MFA) for all services, especially email, VPN and accounts with access to critical systems. FIDO2/WebAuthn security keys and PKI smart cards are phishing-resistant; SMS codes and push approvals are not. Use strong password policies, consider password managers, and monitor for compromised credentials that appear in breach dumps or on the dark web.
- Phishing Prevention: Educate employees on identifying and reporting phishing attempts. Implement email filters to block known malicious indicators and deploy Domain-based Message Authentication, Reporting, and Conformance (DMARC), which builds on SPF and DKIM, to prevent spoofing of your own domain. Note that a DMARC record only blocks spoofed mail once its policy is quarantine or reject; a policy of none merely reports.
- Malware Prevention: Use updated antivirus and anti-malware software. Many ransomware deployments follow an earlier malware infection (a “precursor” loader or trojan that hands off access to the ransomware operator), so detecting and removing precursor malware promptly is crucial, and such an infection should be treated as a potential ransomware incident in progress.
- For a comprehensive understanding and more detailed recommendations, refer to the original CISA StopRansomware Guide.
Ransomware Response Checklist
Based on the content from CISA’s #StopRansomware Guide, here’s a summarized ransomware response checklist:
- Immediate Actions:
- Isolate affected systems to prevent the spread of ransomware: disconnect them from the network (unplug the cable or disable Wi-Fi) rather than powering them off, so that volatile evidence in memory is preserved; power a device down only if you cannot disconnect it.
- Secure backup data and systems by taking them offline and ensuring they are not reachable from the compromised network, and confirm they were not themselves already encrypted.
- Notify organizational leadership and activate the incident response team.
- Engage with Law Enforcement:
- Report the incident to law enforcement agencies, such as the FBI or CISA, for assistance and guidance. (Authors’ note: Many companies are hesitant to invite the FBI or CISA in, thinking that it will open up a wider investigation of the company. This is not the case. Unless you are running a blatantly illegal operation, there is little risk and a high possible benefit.)
- Assess the Situation:
- Determine the scope of the incident, including which systems, shares and data are affected, and whether data was exfiltrated before encryption.
- Identify the strain of ransomware used in the attack; the wording of the ransom note and the extension appended to encrypted files usually point to a family, and some families have publicly available decryptors.
- Check for a ransom note and follow organizational procedures on whether to engage with the threat actor. CISA and the FBI discourage paying: payment does not guarantee that data will be decrypted and funds further attacks.
- Engage External Stakeholders:
- Notify external stakeholders, such as partners, customers, or regulatory bodies, if their data is affected.
- Engage with external cybersecurity professionals for incident response and recovery.
- Recovery:
- Restore systems from clean backups only after the ransomware and the attacker’s access (malware, persistence mechanisms, compromised accounts) have been removed, and reset credentials that may have been exposed.
- Validate the integrity of the restored data before returning systems to production.
- Close the initial access vector and implement security measures to prevent a repeat.
- Post-Incident Activities:
- Conduct a post-incident review to identify lessons learned and areas for improvement.
- Update incident response and business continuity plans based on the findings.
- Train employees on ransomware awareness and prevention.
- Continuous Monitoring:
- Monitor network traffic and system logs for signs of malicious activity, such as bursts of file renames or writes across shares, the appearance of remote-access or tunnelling tools, and logins at unusual times or from unusual locations.
- Update and patch systems regularly.
- Implement detection and response tooling, such as endpoint detection and response (EDR), so that precursor activity is caught before encryption starts.
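The “Continuous Monitoring” item above says to watch logs for signs of malicious activity without saying what those signs look like. Two behaviours that almost every encryption phase exhibits are a burst of extension-changing renames by one process, and the same note file being written into many directories. The following is an added example (not code from the CISA guide or the original post) that runs those two detections over a constructed, tab-separated file-activity log. The log format, the host `WS01`, the user `alice` and the process name `update.exe` are all invented for the example; map the fields to whatever your EDR or Sysmon file events provide.

```python
"""Detect mass-rename and note-drop behaviour in file-activity logs (added example)."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log() -> list:
    """Constructed log lines: ts\thost\tuser\tprocess\taction\tsrc\tdst ('-' when unused)."""
    base = datetime(2024, 7, 25, 9, 0, 0)
    lines = [
        f"{base.isoformat()}\tWS01\talice\tWINWORD.EXE\tWRITE\tC:\\Users\\alice\\Documents\\budget.docx\t-",
        f"{(base + timedelta(seconds=8)).isoformat()}\tWS01\talice\tEXPLORER.EXE\tRENAME"
        "\tC:\\Users\\alice\\Downloads\\draft.txt\tC:\\Users\\alice\\Documents\\draft.md",
    ]
    # Hypothetical process "update.exe" re-extends 15 spreadsheets across 12 directories
    # and drops the same note file in each directory, all within about 15 seconds.
    for i in range(15):
        ts = (base + timedelta(seconds=30 + i)).isoformat()
        directory = f"C:\\Users\\alice\\Documents\\proj{i % 12}"
        lines.append(f"{ts}\tWS01\talice\tupdate.exe\tRENAME\t{directory}\\file{i}.xlsx\t{directory}\\file{i}.xlsx.locked")
        lines.append(f"{ts}\tWS01\talice\tupdate.exe\tWRITE\t{directory}\\HOW_TO_RECOVER.txt\t-")
    return lines


def parse_line(line: str) -> dict:
    ts, host, user, proc, action, src, dst = line.split("\t")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "proc": proc, "action": action, "src": src, "dst": dst}


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def detect(lines, window=timedelta(seconds=60), rename_threshold=10, note_dirs=5) -> list:
    """Return alerts: 'mass_rename' when one process changes >= rename_threshold file
    extensions inside `window`, 'note_drop' when one process writes a file of the same
    name into >= note_dirs distinct directories."""
    renames = defaultdict(list)  # (host, proc) -> timestamps of extension-changing renames
    drops = defaultdict(set)     # (host, proc, filename) -> set of directories written to
    for ev in map(parse_line, lines):
        key = (ev["host"], ev["proc"])
        if ev["action"] == "RENAME" and _ext(ev["src"]) != _ext(ev["dst"]):
            renames[key].append(ev["ts"])
        elif ev["action"] == "WRITE":
            directory, name = ntpath.split(ev["src"])
            drops[key + (name,)].add(directory)

    alerts = []
    for (host, proc), stamps in renames.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= rename_threshold:
                alerts.append({"type": "mass_rename", "host": host, "process": proc,
                               "count": hi - lo + 1, "window_start": stamps[lo].isoformat()})
                break                              # one alert per process is enough
    for (host, proc, name), dirs in drops.items():
        if len(dirs) >= note_dirs:
            alerts.append({"type": "note_drop", "host": host, "process": proc,
                           "filename": name, "directories": len(dirs)})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Both rules are behavioural rather than signature-based, so they do not depend on knowing the family or its extension in advance; the thresholds are the tuning knobs, and a legitimate bulk-rename or deployment tool on the same host is the expected false positive to allow-list.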
For a detailed response checklist and more information, refer to the original CISA StopRansomware Guide.
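The Preparation best practice (test backups regularly) and the Recovery step (validate the integrity of restored data) are two ends of the same control: you can only prove a restore is intact if you recorded what intact looked like. The following is an added example (not code from the CISA guide or the original post) that builds a manifest of per-file SHA-256 hashes over a backup set, seals it with an HMAC under a key that is assumed to be kept offline, and later verifies a restore against it, reporting modified, missing and unexpected files. The key value, directory layout and file contents are constructed for the example.

```python
"""Sealed backup manifest: record at backup time, verify after restore (added example)."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _serialize(files: dict) -> bytes:
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root; seal the listing with HMAC-SHA256 so that an attacker
    who rewrites the files cannot simply regenerate matching hashes."""
    files = {p.relative_to(root).as_posix(): hash_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": hmac.new(key, _serialize(files), "sha256").hexdigest()}


def verify_restore(root: Path, manifest: dict, key: bytes) -> dict:
    """Check the manifest seal first, then compare the restored tree against it."""
    expected_mac = hmac.new(key, _serialize(manifest["files"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return {"ok": False, "reason": "manifest MAC mismatch",
                "modified": [], "missing": [], "unexpected": []}
    expected = manifest["files"]
    current = {p.relative_to(root).as_posix(): hash_file(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    modified = sorted(n for n in expected if n in current and current[n] != expected[n])
    missing = sorted(n for n in expected if n not in current)
    unexpected = sorted(n for n in current if n not in expected)
    ok = not (modified or missing or unexpected)
    return {"ok": ok, "reason": "clean" if ok else "content differs",
            "modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> tuple:
    """Backup -> verify, then simulate encryption and a forged manifest (constructed data)."""
    key = b"example-key-kept-offline"  # assumption: the real key never lives on the backup host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "a.txt").write_bytes(b"quarterly numbers")
        (root / "b.bin").write_bytes(bytes(range(256)))
        manifest = build_manifest(root, key)
        clean = verify_restore(root, manifest, key)

        # Simulate ransomware: overwrite one file with ciphertext and append an extension.
        (root / "docs" / "a.txt").write_bytes(os.urandom(32))
        (root / "docs" / "a.txt").rename(root / "docs" / "a.txt.locked")
        after = verify_restore(root, manifest, key)

        # Simulate an attacker regenerating the hash listing but lacking the key.
        forged = {"files": build_manifest(root, b"wrong-key")["files"], "mac": manifest["mac"]}
        tampered = verify_restore(root, forged, key)
    return clean, after, tampered


if __name__ == "__main__":
    for label, result in zip(("clean restore", "after encryption", "forged manifest"), demo()):
        print(f"{label}: {result}")
```

Store the manifest with the backup and the key elsewhere; the seal is only as good as the key’s isolation. This check complements, and does not replace, a periodic full restore test: it proves the restored bytes match what was backed up, not that the backed-up system boots or that the application works.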
To download a PDF version of this checklist, click here.
Additional Resources:
#StopRansomware
Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.