Understanding CISA’s Updated Ransomware Guide
At the end of last month, the Cybersecurity and Infrastructure Security Agency (CISA) published its first update to its ransomware guide since 2020. Three years ago, the pandemic fueled a spike in work-from-home systems, assembled quickly and with little consideration for long-term cybersecurity. Consequently, data-sensitive industries saw ransomware attacks rise by as much as 123%, costing over $20 billion in downtime. Fast-forward three years: March 2023 saw a 62% increase in ransomware attacks, with 459 events taking place in a span of 31 days. Unlike other cyberthreats, ransomware remains successful because it normally involves three simple steps:
- Tricking a user into exposing a vulnerability – usually done through phishing
- Dropping malware into the targeted system – usually done by getting the user to download a suspicious file
- Encrypting targeted data – usually done before the business recognizes the breach
Moreover, ransomware relies on human involvement, which is behind roughly 8 in 10 data breaches. As IoT systems continue to expand and welcome a mix of in-office and remote users, the risk of ransomware attacks grows. As a result, CISA updated its prevention recommendations to better support its response checklist.
New Prevention Recommendations to Consider
- Implement multi-factor authentication for all critical systems, such as email and VPNs.
- Deploy a credential monitoring service to track leaked credentials on the dark web.
- Deploy an Identity and Access Management (IAM) system to monitor and manage roles across on-premises networks and cloud applications.
- Lock out users after a few failed login attempts.
- Separate administrator accounts from standard user accounts.
- Disable password-saving shortcuts in your systems.
- Establish a privileged access management system to prevent accidental leaks.
Revisiting CISA’s Response Checklist
Along with employee training, a proactive response plan can help spot and remediate ransomware attacks. Just as threat actors exploit user unawareness to remain undetected, your response should be carried out discreetly so as not to alert the attacker and provoke retaliation. By adhering to prevention guidance, businesses can expand data visibility and carefully block access points to contain future attacks. In the event of an attack, determine which systems are affected and take the following actions:
- Isolate compromised systems by either taking devices offline or shutting down the affected network segments.
- Power down affected devices that cannot be removed from your network.
- Triage affected systems to restore vital data quickly and preserve business continuity.
- Check your detection systems (antivirus, EDR, intrusion prevention systems) for suspicious behavior recorded prior to the attack. This can help you spot the vulnerability currently being exploited.
- Document the attack for initial analysis.
- Hunt for threats across your enterprise and cloud environments. Working alongside a security service provider is ideal for these tasks, especially if you are dealing with multiple endpoints in different locations.
- Loop in internal and external teams to meet the reporting requirements for your industry.
- For attacks involving a verified data breach, refer to your incident response and communication plan to alert affected parties.
- Capture a snapshot (system image) of affected devices, along with relevant logs and samples of precursor malware, as evidence.
- Consult federal law enforcement about any available decryptors.
Read CISA’s complete, updated Ransomware Guide here.
The cybersecurity landscape will continue to evolve as new technologies, challenges, and digital weapons develop. While it is impossible to foresee every danger, adaptable preparation is key to preventing attacks and restoring operations when they do happen. For more information on how you can best secure your data against ransomware, contact us.