[co-author: Io Jones]
On May 23, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published a second edition of the #StopRansomware Guide (the Guide). The Guide, first published in September 2020, aims to help organizations reduce the risk of ransomware attacks, and it provides best practices to prevent, detect, respond to and recover from such incidents. The 2023 version contains updated guidance and best practices in the areas of initial infection vectors, cloud backups, zero trust architecture and ransomware response.
The Guide draws on operational insight from CISA, the Federal Bureau of Investigation (FBI), the National Security Agency, and the Multi-State Information Sharing and Analysis Center (MS-ISAC), in coordination with the Joint Ransomware Task Force. The Guide aims to assist information technology professionals and others in developing effective cyber incident prevention and response policies.
Since the initial version of the Guide, ransomware concerns have only intensified. Ransomware attacks have increased in both number and impact in recent years across all sectors. Federal agencies have observed ransomware incidents in at least 14 of 16 critical infrastructure sectors, including attacks against organizations in the healthcare sector, energy sector and financial services sector. The new version of the Guide responds to the increased sophistication and frequency of ransomware attacks since the publication of the original 2020 version.
Updates in the 2023 Guide
The #StopRansomware Guide provides cyber incident detection and response information in two parts. Part 1 is dedicated to ransomware and data extortion preparation, prevention and mitigation best practices. Part 2 provides a step-by-step ransomware and data extortion response checklist for organizations responding to a ransomware attack. The Guide provides additional recommendations for preventing common initial infection vectors, updates recommendations to address cloud backups and zero trust architecture, and expands the ransomware response checklist with threat-hunting tips. More detail on each of these updates is included below.
- Common Initial Infection Vectors. The updated Guide provides new recommendations related to compromised credentials. The Guide recommends, among other things, improving password security training, implementing phishing-resistant multifactor authentication, and subscribing to credential monitoring services for the dark web to identify potential hacks.
- Cloud Backups. The Guide suggests that companies consider using a multicloud solution for backing up critical data to avoid vendor lock-in for cloud-to-cloud backups if all accounts under the same vendor are affected by an attack. The Guide cautions against using immutable storage solutions that can protect stored data without the need for a separate environment, as these solutions do not always meet compliance criteria under certain regulations.
- Zero Trust Architecture. The Guide also recommends implementing zero trust architecture, a framework for securing data and infrastructure where devices and users are not trusted by default.
- Threat-Hunting Tips. The Guide also expands the ransomware and data extortion response checklist with threat hunting tips for detection and analysis of ransomware. This expansion provides a list of specific threats or suspicious circumstances to search for during a ransomware response, including newly created accounts, anomalous VPN device logins or other suspicious logins, and signs of endpoint modifications, remote usage, or unexpected software among other system changes.
Other Useful Insights
In addition to making key cybersecurity recommendations, the Guide outlines the nature of law enforcement’s interest in a company’s investigation information. The Guide’s checklist includes a list of items (e.g., malware samples, PowerShell scripts executed on the network, bitcoin wallets used to pay the ransom) that CISA, MS-ISAC or other law enforcement agencies may request as part of a victim company’s cooperation during the incident. In our experience, the provided list is a helpful and representative outline of potential requests victim companies may receive from law enforcement agencies, such as the FBI or the U.S. Secret Service, as part of their investigations.
One thing to keep in mind for companies that are closely cooperating with law enforcement: the sensitivity or breadth of a law enforcement investigation may make it so that an agency is unable to immediately share information with a victim company in return. While this is not a reason to be uncooperative—there are many good reasons to cooperate with law enforcement, including if a company is planning to make a ransomware payment—expectations should be appropriately set for company leaders.
On the topic of ransom payment, the Guide reinforces the current position of US government agencies on whether an organization should pay ransom: the Guide-authoring organizations “do not recommend paying ransom” and provide a number of arguments against making a payment (including the potential for sanctions risk), implicitly acknowledging that organizations may have compelling arguments in favor of payment. This statement in the Guide highlights what it does not provide: a framework for how to decide whether to make a payment.
The pay/no-pay decision is complex, and cyber incident response plans should at least contemplate who will be responsible for making this decision, the requisite authority to approve a payment, and the involvement of in-house legal and outside counsel in the various stages of payment, including evaluating the legality of a payment. Many organizations go further, outlining specific questions or key decision points that inform whether a payment will be made and how. Even if an organization does not believe it will ever make a ransom payment, planning for the mechanism of payment (e.g., considering who will facilitate negotiations, how certain currencies will be obtained and transferred) is important advance planning if a company ultimately decides to pay.
Organizations looking to better protect against ransomware attacks should keep the following considerations in mind:
- Ransomware attacks have increased in number and effect in recent years, and all sectors have felt the impact of these attacks.
- The #StopRansomware Guide provides a reasonable starting point for best practices and a step-by-step checklist for responding in case of an attack.
- The 2023 update provides expanded best practices responsive to developments in the field, including new common initial infection vectors, cloud backups and zero trust architecture recommendations, and threat-hunting tips.
The agencies behind the #StopRansomware Guide also publish timely cybersecurity alerts and advisories (CISA, FBI) on an ongoing basis to keep stakeholders updated on burgeoning threats.