By Bruce Sussman
Mon | Sep 9, 2019 | 6:30 AM PDT

What are the first things you should do when it comes to the risk of ransomware?

We've reported on great sessions about this from SecureWorld conferences across North America.

However, we also want to tell you about a first of its kind ransomware resource issued by the U.S. Department of Homeland Security.

CISA, the U.S. Cyber and Infrastructure Agency, just issued its first-ever "CISA Insights: Ransomware Outbreak" publication in an effort to get the cybersecurity best practices it knows about into the hands of the private sector.

Says CISA:

"Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation’s networks, locking up private sector organizations and government agencies alike. And that’s only what we’re seeing—many more infections are going unreported, ransoms are being paid, and the vicious ransomware cycle continues on."

CISA says it has seen a rise in ransomware attacks across the U.S., and research indicates ransomware saw a major spike during the first half of 2019.

The new publication contains a concise list of 15 things your organization can do about ransomware. Let's take a look.

Ransomware list: limiting your risk of a ransomware infection

When it comes to mitigating your organization's risk of ransomware, CISA lists the following high-level best practices:

1. Back up your data, system images, and configurations, and keep the backups offline.
2. Update and patch systems.
3. Make sure your security solutions are up to date.
4. Review and exercise your incident response plan.
5. Pay attention to ransomware events, and apply lessons learned.

Ransomware list: steps to take if hit by a cyberattack

If your organization gets hit by ransomware, we've been told by IT and cybersecurity professionals that it feels like you've been kicked in the gut and your head is spinning.

With that in mind, here are five best practices in the incident response phase of a ransomware attack, according to CISA's new list:

1. Ask for help! Contact CISA, the FBI, or the U.S. Secret Service.

A) Report a cyber incident to CISA, here.

B) Find FBI field offices, here. Ask for the "Special Agent in charge of cybercrime."

C) Report a cyber incident to your local U.S. Secret Service office, here. The Secret Service specializes in cyber-enabled financial crimes like Business Email Compromise (BEC) and wire transfer fraud, due to longstanding relationships with the banking sector.

2. Work with an experienced advisor to recover from a cyberattack.
3. Isolate the infected systems and phase your return to operations.
4. Review the connections of any business relationships (customers, partners, vendors) that touch your network.
5. Apply business impact assessment findings to prioritize recovery actions to secure your environment going forward.

Ransomware list: securing against a future ransomware attack

After you've survived your ransomware incident, CISA lists the following five things you can do to defend against a future ransomware attack. Many of these are cybersecurity fundamentals.

1. Practice good cyber hygiene: back up, update, whitelist apps, limit privilege, and use multi-factor authentication (MFA).
2. Segment your networks: make it hard for the bad guy to move around and infect multiple systems.
3. Develop containment strategies; if bad guys get in, make it hard for them to get stuff out.
4. Know your system's baseline for recovery.
5. Review disaster recovery procedures and validate goals with executives.

Ransomware tool: free decryption keys

Another fantastic tool that can help you decide whether you need to negotiate with hackers or pay the ransom is the No More Ransom Project.

It is a public-private partnership offering free decryption keys for dozens of ransomware strains that are attacking networks around the world.

[RELATED: What the No More Ransom Project Accomplished in Three Years]

What if your strain of ransomware is not listed on the No More Ransom site? Before you pay the ransom, CISA asks you to consider the following:

"We strongly urge you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network (do you really trust a cybercriminal?)."

At the very least, you may want to take a page from city leaders in Valdez, Alaska; they asked hackers for a proof of concept (POC) before paying the ransom. Here is that city's story:


[Resource PDF: CISA Insights on ransomware risk, response, and remediation]