The Cybersecurity and Infrastructure Security Agency (CISA) has published a fact sheet to help public- and private-sector organisations prevent and respond to ransomware attackers threatening to release sensitive information if a victim does not pay the ransom demanded.
Ransomware is malware designed to encrypt files on a device, rendering files and the systems that rely on them unusable. Traditionally, malicious actors demand ransom in exchange for decryption. Over time, malicious actors have adjusted their ransomware tactics to be more destructive and impactful. Malicious actors increasingly exfiltrate data and then threaten to sell or leak it—including sensitive or personal information—if the ransom is not paid. These data breaches can cause financial loss to the victim organisation and erode customer trust.
All organisations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems. This fact sheet provides information for all government and private sector organisations, including critical infrastructure organisations, on preventing and responding to ransomware-caused data breaches.
Primarily, organisations must guard against falling victim to ransomware attacks. They should maintain offline, encrypted backups of data and develop and exercise plans for responding to a ransomware attack, including how they will conduct business if critical systems have been disabled.
Internet-facing vulnerabilities must be addressed, software updated, devices properly configured and remote-desktop services should be regularly audited. Spam filters and cybersecurity-awareness training will help reduce the risk of successful phishing attacks, and carefully managing privileged accounts and employing multifactor authentication will increase cyber hygiene.
Organisations that house sensitive or personal information should have an inventory of that data and ensure access to it is limited, encrypt the data, implement physical security and consider segmenting networks to increase the data’s security.
Additionally, they should have an incident response and communications plans that include procedures for data breach response and notification. If a ransomware-caused data breach occurs, organisations should turn to their response plans by first securing their networks and stopping additional data loss.
If mitigation seems impossible, victims should take a system image and memory capture of a sample of affected devices. Logs and samples of any “precursor” malware binaries and associated observables or indicators of compromise should also be collected. Forensic evidence should not be destroyed, so victims should be sure to preserve evidence that is highly volatile in nature — or limited in retention — to prevent loss or tampering. Affected organisations must notify businesses and individuals that their data has been exposed and maybe misused.
As ransomware attacks have become rampant in the U.S., The National Institute of Standards and Technology (NIST) has also published an infographic offering a series of simple tips and tactics. As reported by OpenGov Asia, this infographic can help organisations protect against ransomware attacks and recover from them if they happen.
NIST’s advice includes:
- Use antivirus software at all times — and make sure it’s set up to automatically scan your emails and removable media (e.g., flash drives) for ransomware and other malware.
- Keep all computers fully patched with security updates.
- Use security products or services that block access to known ransomware sites on the internet.
- Configure operating systems or use third-party software to allow only authorised applications to run on computers, thus preventing ransomware from working.
- Restrict or prohibit the use of personally owned devices on your organisation’s networks and for telework or remote access unless you’re taking extra steps to assure security.