The Cybersecurity and Infrastructure Security Agency (CISA), the nation’s cyber central, has issued a new set of recommendations for organizations to protect themselves from ransomware hijackers. Within the document, the CISA recommends organizations perform risk assessments on service providers before engaging such partners for business and technology services.
In the lengthy fact sheet, the agency details specific actions organizations can take to prevent ransomware attacks, protect confidential data and respond to ransomware-caused breaches. “All organizations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems,” the agency said in the document, which also encourages organizations to “adopt a heightened state of awareness” in the face of ransomware offensives increasing in frequency and severity.
CISA Perspectives on Service Providers and Incident Response Providers
Why should MSSPs and MSPs care about CISA’s ransomware recommendations? The answer involves caution and opportunity.
- The Cons involve a CISA caution about service providers: In referencing cyberattacks in which MSSPs or MSPs have been the unwitting conduit for larger, more pervasive hijackings, CISA recommends that organizations assess the risk management and cyber hygiene practices of their service provider before engaging.
- The Pros involving the service provider opportunity: In the event of a ransomware attack, CISA recommends that victims “strongly consider requesting assistance from a reputable third-party incident response provider with experience in data breaches.”
How to Protect Against Ransomware Attacks
Here’s CISA’s checklist:
- Maintain offline, encrypted backups of data and regularly test your backups. Many ransomware variants attempt to find and delete or encrypt accessible backups.
- Create, maintain, and exercise a basic cyber incident response plan, resiliency plan and associated communications plan.
- Mitigate internet-facing vulnerabilities and misconfigurations to reduce risk of actors exploiting this attack surface.
- Employ best practices for use of Remote Desktop Protocol (RDP) and other remote desktop services. Threat actors often gain initial access to a network through exposed and poorly secured remote services.
- Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices.
- Update software, including operating systems, applications, and firmware. Prioritize timely patching of critical vulnerabilities and vulnerabilities on internet-facing servers
- Ensure that devices are properly configured and security features are enabled.
- Disable or block inbound and outbound Server Message Block (SMB) Protocol and remove or disable outdated versions of SMB.
- Reduce the risk of phishing emails by enabling strong spam filters and implementing user awareness and training programs.
- Ensure antivirus and anti-malware software and signatures are up to date, implement application allow-listing, limit user and privileged accounts and deploy MFA for all services if possible.
How to Secure Sensitive and Personal Information
The CISA adds:
- Know what personal and sensitive information is stored on your systems and who has access to it.
- Store only information needed for business operations. Ensure data is properly disposed of when no longer needed.
- Identify systems where sensitive personal information is stored. Do not store sensitive or personal data on internet-facing systems.
- Encrypt sensitive information at rest and in transit.
- Implement firewalls to protect networks and systems from malicious or unnecessary network traffic.
- Consider applying network segmentation to further protect systems storing sensitive or personal information.
- Ensure your cyber incident response and communications plans include response and notification procedures for data breach incidents.
How to Respond to Ransomware-caused Data Breaches
The CISA recommends:
- Determine which systems were impacted and immediately isolate them. If several systems appear impacted, take the network offline at the switch level. If taking the network temporarily offline is not immediately possible, locate the network cable and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.
- If—and only if—affected devices cannot be removed from the network or the network cannot be temporarily shut down, power infected devices down to avoid further spread of the ransomware infection.
- Triage impacted systems for restoration and recovery. Prioritize based on criticality.
- Engage your internal and external teams and stakeholders to inform them of how they can help you mitigate, respond to and recover from the incident.
- If no initial mitigation actions appear possible, take a system image and memory capture of a sample of affected devices. Collect any relevant logs as well as samples of any precursor malware binaries and associated observables or indicators of compromise.
- If personal information stored on behalf of other businesses is stolen, notify these businesses of the breach.
- If the breach involved personally identifiable information, notify affected individuals so they can take steps to reduce the chance that their information will be misused.
- Report the incident to CISA, your local Federal Bureau of Investigation (FBI) field office, the FBI Internet Crime Complaint Center, or your local U.S. Secret Service office.
How to Pay Ransoms
Don't do it -- at least that's the CISA thesis.
“Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered,” CISA said in the fact sheet.
