The Cybersecurity and Infrastructure Security Agency has released an updated version of its #StopRansomware guide, the first update since 2020, in partnership with the FBI, the National Security Agency and the Multi-State Information Sharing and Analysis Center.
The updated guide, developed through the Joint Ransomware Task Force, reflects lessons learned over the last few years, adding the FBI and NSA as co-authors for the first time. It offers recommendations to prevent initial intrusion as well as steps to protect data using cloud backups.
“Over the past year, the Joint Ransomware Task Force has brought together expertise, capabilities, and resources across the federal government and our partners to more effectively understand and address ransomware campaigns targeting American organizations,” Eric Goldstein, executive assistant director for CISA, said via email.
The agencies updated the guide to help organizations reduce the prevalence and impact of ransomware incidents, Goldstein said.
Ransomware activity has evolved since 2020, as a number of key changes have lowered the barrier to entry for threat actors, according to Theodore Sayers, director of intelligence and incident response at MS-ISAC.
“Commercialization of ransomware via ransomware as a service models are allowing unsophisticated or non-technical actors to enter the arena,” Sayers said.
The guide also incorporates tactical changes made by threat actors in recent years, including the increased use of double-extortion techniques and data exfiltration in ransomware attacks.
It includes a comprehensive list of best practices to defend against attacks, including:
- Maintain offline, encrypted backups of critical data and regularly test those backups in a disaster-recovery simulation. This should include “golden images” of critical systems: preconfigured operating systems and their associated applications.
- Develop, maintain and practice a basic cyber incident response plan for ransomware and data breaches. This should include a communications plan, including disclosure notifications to government authorities.
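The backup recommendation above hinges on the word "test": a backup that has never been restored is an assumption, not a control. The following is an added example (not code from the CISA guide or from this article) of a scripted restore test: it records a SHA-256 manifest of a constructed sample data tree at backup time, archives the tree, restores the archive into a clean directory and checks every restored file against the manifest, reporting anything missing or corrupted. Encryption of the archive at rest is assumed to be handled by the backup tool and is outside this script; the file names and contents are constructed for the demonstration.

```python
"""Scripted restore test for an offline backup (added example; constructed data)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "critical data" tree: relative path -> file contents.
SAMPLE_FILES = {
    "etc/app.conf": b"db_host=10.0.0.5\nretention_days=30\n",
    "data/customers.csv": b"id,name\n1,alice\n2,bob\n",
    "data/ledger/2023-q1.bin": bytes(range(256)) * 4,
}


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_root, archive_path):
    """Archive src_root and return the manifest taken at backup time."""
    manifest = build_manifest(src_root)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(src_root), arcname=".")
    return manifest


def restore(archive_path, restore_root):
    """Extract the archive into an empty directory (never over live data)."""
    with tarfile.open(str(archive_path), "r:gz") as tar:
        try:
            tar.extractall(str(restore_root), filter="data")  # safe extraction filter (3.12+, backported)
        except TypeError:  # older interpreters without the filter argument
            tar.extractall(str(restore_root))


def verify(manifest, restore_root):
    """Compare the restored tree against the backup-time manifest."""
    restored = build_manifest(restore_root)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"ok": not missing and not corrupted, "checked": len(manifest),
            "missing": missing, "corrupted": corrupted}


def run_restore_test(tamper=False):
    """End-to-end drill: write the sample tree, back it up, restore, verify.
    With tamper=True one restored file is altered first, to show the check failing."""
    with tempfile.TemporaryDirectory() as work:
        src, dst, archive = Path(work, "src"), Path(work, "restore"), Path(work, "backup.tgz")
        for rel, content in SAMPLE_FILES.items():
            target = src / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        manifest = create_backup(src, archive)
        dst.mkdir()
        restore(archive, dst)
        if tamper:
            (dst / "data/customers.csv").write_bytes(b"id,name\n")  # simulate a damaged restore
        return verify(manifest, dst)


if __name__ == "__main__":
    print(run_restore_test())              # expect ok=True, checked=3
    print(run_restore_test(tamper=True))   # expect ok=False, corrupted=['data/customers.csv']
```

The manifest is what makes the test meaningful: it is taken from the source at backup time and stored alongside (ideally separately from) the archive, so a restore can be judged against what was actually backed up rather than against whatever the live system looks like after an incident.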
The guide also includes a comprehensive set of measures to prevent and mitigate ransomware and data extortion, including:
- Conduct regular scanning to identify and address vulnerabilities, particularly on internet-facing devices.
- Regularly patch and update software and operating systems to the latest versions.
- Make sure all on-premises, cloud, mobile and bring-your-own devices are properly configured and that their security features are enabled.
- Implement phishing-resistant multifactor authentication.
- Enforce lockout policies after a certain number of failed login attempts.
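The last item, a lockout policy, is easy to configure and easy to leave unenforced on one system. As an added example (not from the guide or this article), the script below replays constructed authentication log lines through a lockout policy (N failures per account within a sliding window, then a lockout period) and reports two things a defender wants from such a review: which accounts would have been locked out, and any successful login that occurred while the account should still have been locked, which indicates the policy is not actually being enforced on that system. The `auth FAIL/OK user=… src=…` log format, the account names and the IP addresses are all constructed for the example.

```python
"""Lockout-policy review over constructed auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a simple "<timestamp> auth <FAIL|OK> user=<u> src=<ip>" format.
SAMPLE_LOG = """\
2023-05-23T10:00:01 auth FAIL user=admin src=203.0.113.7
2023-05-23T10:00:09 auth FAIL user=admin src=203.0.113.7
2023-05-23T10:00:15 auth FAIL user=admin src=203.0.113.7
2023-05-23T10:00:22 auth FAIL user=bob src=198.51.100.4
2023-05-23T10:00:30 auth FAIL user=admin src=203.0.113.7
2023-05-23T10:00:41 auth FAIL user=admin src=203.0.113.7
2023-05-23T10:01:10 auth OK user=admin src=203.0.113.7
2023-05-23T10:03:00 auth FAIL user=carol src=192.0.2.9
2023-05-23T10:03:20 auth OK user=carol src=192.0.2.9
2023-05-23T10:12:00 auth FAIL user=bob src=198.51.100.4
2023-05-23T10:25:00 auth FAIL user=bob src=198.51.100.4
2023-05-23T10:45:00 auth FAIL user=admin src=203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")


def parse_events(text):
    """Return (timestamp, result, user, src) tuples in time order; non-auth lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return sorted(events, key=lambda e: e[0])


def evaluate_lockout_policy(text, threshold=5, window_min=10, lockout_min=15):
    """Replay the log through the policy: `threshold` failures within `window_min`
    minutes lock the account for `lockout_min` minutes. Returns the lockouts that
    the policy should have produced and any successful login seen during a lockout."""
    window = timedelta(minutes=window_min)
    lockout = timedelta(minutes=lockout_min)
    recent = defaultdict(deque)   # user -> timestamps of failures inside the window
    locked_until = {}             # user -> time the current lockout ends
    lockouts, violations = [], []
    for ts, result, user, src in parse_events(text):
        if user in locked_until and ts < locked_until[user]:
            # Any attempt during an active lockout should be refused; a success here
            # means the system that logged it is not enforcing the policy.
            if result == "OK":
                violations.append((user, ts.isoformat()))
            continue
        fails = recent[user]
        if result == "OK":
            fails.clear()         # a legitimate login resets the failure counter
            continue
        fails.append(ts)
        while fails and ts - fails[0] > window:
            fails.popleft()       # drop failures that fell out of the sliding window
        if len(fails) >= threshold:
            locked_until[user] = ts + lockout
            lockouts.append((user, ts.isoformat()))
            fails.clear()
    return {"lockouts": lockouts, "violations": violations}


if __name__ == "__main__":
    report = evaluate_lockout_policy(SAMPLE_LOG)
    print("lockouts:", report["lockouts"])      # admin locked at 10:00:41
    print("violations:", report["violations"])  # admin logged in at 10:01:10 while locked
```

In the sample, `admin` reaches five failures at 10:00:41 and is then seen logging in successfully at 10:01:10, inside the 15-minute lockout; that success is the finding to chase. `bob` fails three times but spread across more than the 10-minute window, so never trips the threshold, which is the kind of slow, low-rate pattern a lockout policy alone will not catch and that the guide's other measures (MFA, monitoring of internet-facing services) are meant to cover.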
The guide suggests creating illustrated guides that document the data flows inside an organization, so that incident responders know which systems to focus on during an attack.
The guide also has email and phone contact information for key federal agencies to contact during an attack.