On September 30, 2020, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Multi-State Information Sharing and Analysis Center (“MS-ISAC”) released a joint guide synthesizing best practices to prevent and respond to ransomware. This guide was published the day before OFAC and FinCEN released their coordinated guidance on ransomware attacks that we previously summarized here.
Ransomware is malware that encrypts data on a victim’s device, thus rendering the data inaccessible, until a ransom is paid in exchange for decryption. Both the nature and scope of ransomware incidents have become “more destructive and impactful” in recent years. In particular, tactics of malicious actors include threatening to release stolen data or publicly naming victims as part of the extortion. Accordingly, the guide encourages organizations to take proactive efforts to manage risks posed by ransomware and recommends a coordinated response to mitigate its impact.
The guide is divided into two parts. First, the guide focuses on best practices for ransomware prevention, focusing on the common infection vectors—misconfigurations, internet-facing vulnerabilities, phishing, precursor malware infection, third party sources, and managed service providers. For example, threat actors often gain access to an organization’s network through exposed or insecure remote desktop services. Employing best practices for use of remote desktop protocol (“RDP”), closing unused RDP ports on firewalls, and tracking RDP login attempts are few of the recommended risk-mitigating exercises. This part also outlines general best practices for cyber hygiene, including employing multi-factor authentication, implementing the principle of least privilege, and retaining and securing logs. These actions not only mitigate the risk of ransomware but other cybersecurity threats as well.
The second part of the guide focuses on responding to ransomware in three stages.
- Detection and Analysis. Immediate isolation and triage of impacted systems are the priorities. Because threat actors may monitor the organization’s activity or communications following intrusion, the guide recommends using means to avoid the threat actor knowing it has been detected—such as communicating by phone and not email. The guide recommends not paying the ransom, because such payments will not ensure that data is decrypted or that the system is no longer compromised.
- Containment and Eradication. Depending on the ransomware variant, consulting with federal law enforcement or other trusted entities may be worthwhile, as security researchers may have already broken the encryption algorithms or have published information on ransomware binaries and associated registry values. Otherwise, a methodical approach to identifying, containing, and removing any compromise to the system will be critical.
- Recovery and Post-Incident Activity. Documenting the lessons learned from the ransomware will help inform future policies and procedures. Sharing this information can also benefit others in the community.
For organizations seeking further information on ransomware, the guide offers a list of resources from CISA and MS-ISAC. These include regional CISA Cybersecurity Advisors, who advise on best practices to manage cyber risk.
Lawyers who support organizations that face ransomware threats should be familiar with these best practices for ransomware prevention and response, and initiate discussions about how their organizations can best prepare for and meet the threats posed by ransomware. This is increasingly critical at a time when governmental regulators are warning private companies that payments to ransomware actors can implicate legal risks, such as sanctions risk and regulatory obligations under the Bank Secrecy Act.