Content, Content

CISA Fact Sheet: How to Prevent, Mitigate Ransomware Attacks

Credit: CISA

The Cybersecurity Infrastructure and Security Agency’s (CISA) National Cyber Investigative Joint Task Force (NCIJTF) has released a data fact sheet offering information on how to prevent and mitigate ransomware attacks.

The document, entitled Ransomware: What It Is & What To Do About It, was developed by a cross section of 15 government agencies to increase public awareness. It zooms in on ransomware threats to emergency services; state, local, tribal, and territorial governments; and, critical infrastructure facilities. “These types of attacks can delay a police or fire department’s response to an emergency or prevent a hospital from accessing lifesaving equipment,” the task force said.

The fact sheet’s intention is multifaceted: Educate the public on ways to prevent ransomware attacks, improve law enforcement coordination and response to a ransomware attack and detail whole-of-government actions that “impose consequences against the criminals engaged in this malicious activity,” the task force said. In addition to informing organizations on the techniques ransomware bad actors deploy to hijack victims’ systems--phishing, remote desktop protocol vulnerabilities and software weaknesses--the document also offers a set of best practices, ransomware’s impact on the public sector, and recommended responses.

Best practices:

  • Backup data, system images and configurations, test backups and keep backups offline.
  • Use multi-factor authorization.
  • Update and patch systems.
  • Check that security systems are current.
  • Review and exercise incident response plan.

Impact on public sector:
Without naming names, the task force pointed to three ransomware attacks that hit government facilities, including the victims' responses:

  • A Ryuk attack on a county’s systems that took down almost the entire infrastructure. The county paid a $132,000 ransom.
  • A Robbinhood ransomware hit on a U.S. city’s systems in which the $76,000 ransom was not paid but cost some $9 million to repair.
  • A Ryuk attack on another county's network in which the hackers demanded roughly $1.2 million for a decryption key. Officials declined to pay the ransom and instead paid out $1 million for new equipment and technical assistance to rebuild their systems.

“It is difficult to calculate the total impact/costs of a ransomware infection,” the task force said. “In addition, paying a ransom does not guarantee that stolen sensitive data will not be sold on the dark web.” Here's MSSP Alert's coverage of Ryuk attacks on public sector organizations and other targets.

Ransom payments:

  • The FBI doesn’t encourage paying ransoms. The law enforcement agency believes that meeting ransom demands can embolden adversaries to target additional organizations, encourages ransomware distribution, funds illicit activities and doesn’t guarantee the victim’s files will be recovered.
  • Irrespective of whether an organization pays a ransom, the FBI is urging victims to report a cyber extortion attempt either to a local field office or the agency’s Internet Crime Complaint Center. “Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law and prevent future attacks,” the Bureau said.

Preceding the NCIJTF’s ransomware info sheet, in late January CISA rolled out a public awareness initiative called the Reduce the Risk of Ransomware Campaign. The plan is to launch a “focused, coordinated and sustained effort” to urge public and private sector organizations to implement best practices, and the tools and resources needed to mitigate cybersecurity risk and threats, CISA said.

“CISA is committed to working with organizations at all levels to protect their networks from the threat of ransomware,” Brandon Wales, CISA Acting Director, said at the time. “This includes working collaboratively with our public and private sector partners to understand, develop and share timely information about the varied and disruptive ransomware threats,” he said. “Anyone can be the victim of ransomware, and so everyone should take steps to protect their systems.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.