CISA, Partners Revamp Ransomware Prevention Guide

May 24, 2023 - The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), released an updated version of their #StopRansomware Guide. The guide was initially released by CISA and MS-ISAC in 2020.

The guide was developed by the Joint Ransomware Task Force (JRTF), an interagency effort to reduce ransomware. The JRTF was established by Congress via Section 106 of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  

The #StopRansomware Guide is meant to serve as a “one-stop resource” to help organizations manage ransomware risks and understand best practices for detecting, preventing, responding, and recovering from a ransomware attack.

“Since the initial release of the Ransomware Guide in September 2020, ransomware actors have accelerated their tactics and techniques,” the updated guide states.

In order to maximize effectiveness, the agencies made a variety of changes, including adding the FBI and NSA as co-authors and incorporating #StopRansomware into the title.

In addition, the agencies updated recommendations to address zero trust and cloud backups, preventing common initial infection vectors, and expanding the ransomware response checklist with threat hunting tips. The guide’s recommendations are also now mapped to CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).

The guide is divided into two sections, consisting of a list of ransomware and data extortion prevention best practices and a ransomware and data extortion response checklist.

The best practices portion offers actionable tips for preventing ransomware, including maintaining offline, encrypted backups and creating an incident response plan. The prevention section is organized by common initial access vectors, such as internet-facing vulnerabilities, compromised credentials, phishing, and social engineering.

Meanwhile, the checklist provides organizations with a rough plan of navigating the incident response process.

“The authoring organizations do not recommend paying ransom,” the guide emphasizes in this section. “Paying ransom will not ensure your data is decrypted, that your systems or data will no longer be compromised, or that your data will not be leaked.”

The checklist walks organizations through detection and analysis, reporting and notification, containment and eradication, and recovery and post-incident activity.

Organizations across all sectors can leverage this resource to level-up their ransomware prevention and response efforts.