On September 30, 2020, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Multi-State Information Sharing and Analysis Center (“MS-ISAC”) released a joint guide synthesizing best practices to prevent and respond to ransomware.  This guide was published the day before OFAC and FinCEN released their coordinated guidance on ransomware attacks that we previously summarized here.

Ransomware is malware that encrypts data on a victim’s device, thus rendering the data inaccessible, until a ransom is paid in exchange for decryption.  Both the nature and scope of ransomware incidents have become “more destructive and impactful” in recent years.  In particular, tactics of malicious actors include threatening to release stolen data or publicly naming victims as part of the extortion.  Accordingly, the guide encourages organizations to take proactive efforts to manage risks posed by ransomware and recommends a coordinated response to mitigate its impact.

The guide is divided into two parts.  First, the guide addresses best practices for ransomware prevention, focusing on the common infection vectors—misconfigurations, internet-facing vulnerabilities, phishing, precursor malware infection, third-party sources, and managed service providers.  For example, threat actors often gain access to an organization’s network through exposed or insecure remote desktop services.  Employing best practices for use of remote desktop protocol (“RDP”), closing unused RDP ports on firewalls, and tracking RDP login attempts are a few of the recommended risk-mitigating exercises.  This part also outlines general best practices for cyber hygiene, including employing multi-factor authentication, implementing the principle of least privilege, and retaining and securing logs.  These actions mitigate not only the risk of ransomware but other cybersecurity threats as well.
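As an added illustration of the “tracking RDP login attempts” recommendation (example code written for this summary, not taken from the CISA/MS-ISAC guide), the script below walks constructed Windows Security event records and flags a burst of failed RDP logons from one source address, and a successful RDP logon that follows such a burst. It assumes the standard Windows meanings of EventID 4625 (failed logon), 4624 (successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP); the sample events are constructed, not real log data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events in the shape of Windows Security log fields (not real log data).
# Assumption: EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    {"time": "2020-10-01T02:00:01", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2020-10-01T02:00:09", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2020-10-01T02:00:17", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"},
    {"time": "2020-10-01T02:00:25", "event_id": 4625, "logon_type": 10, "user": "svc_sql", "src_ip": "203.0.113.7"},
    {"time": "2020-10-01T02:00:33", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.7"},
    {"time": "2020-10-01T02:00:41", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.7"},
    {"time": "2020-10-01T08:15:00", "event_id": 4625, "logon_type": 10, "user": "mlee", "src_ip": "192.0.2.44"},
    {"time": "2020-10-01T08:15:30", "event_id": 4624, "logon_type": 10, "user": "mlee", "src_ip": "192.0.2.44"},
    {"time": "2020-10-01T09:00:00", "event_id": 4625, "logon_type": 3, "user": "svc_web", "src_ip": "192.0.2.9"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def analyze_rdp_logons(events, threshold=5, window=timedelta(minutes=5)):
    """Track RDP logon attempts per source address.

    Returns (bursts, hits): bursts maps src_ip -> peak number of failed RDP logons
    seen inside one window; hits lists (src_ip, user, time) for a successful RDP
    logon that followed such a burst from the same source, the pattern to triage first.
    """
    failures = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    bursts, hits = {}, []
    for e in sorted(events, key=_ts):
        if e["logon_type"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        now, src = _ts(e), e["src_ip"]
        q = failures[src]
        while q and now - q[0] > window:   # slide the window forward
            q.popleft()
        if e["event_id"] == 4625:
            q.append(now)
            if len(q) >= threshold:
                bursts[src] = max(bursts.get(src, 0), len(q))
        elif e["event_id"] == 4624 and len(q) >= threshold:
            hits.append((src, e["user"], e["time"]))
    return bursts, hits
```

The one ordinary user who mistyped a password once (192.0.2.44) is not flagged; the source that cycled through several account names and then got in is.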

The second part of the guide focuses on responding to ransomware in three stages.

  • Detection and Analysis. Immediate isolation and triage of impacted systems are the priorities.  Because threat actors may monitor the organization’s activity or communications following intrusion, the guide recommends taking steps to avoid alerting the threat actor that it has been detected—such as communicating by phone rather than email.  The guide recommends not paying the ransom, because payment does not ensure that data will be decrypted or that the system is no longer compromised.
  • Containment and Eradication. Depending on the ransomware variant, consulting with federal law enforcement or other trusted entities may be worthwhile, as security researchers may have already broken the encryption algorithms or have published information on ransomware binaries and associated registry values.  Otherwise, a methodical approach to identifying, containing, and removing any compromise to the system will be critical.
  • Recovery and Post-Incident Activity. Documenting the lessons learned from the ransomware will help inform future policies and procedures. Sharing this information can also benefit others in the community.

For organizations seeking further information on ransomware, the guide offers a list of resources from CISA and MS-ISAC.  These include regional CISA Cybersecurity Advisors, who advise on best practices to manage cyber risk.

Lawyers who support organizations that face ransomware threats should be familiar with these best practices for ransomware prevention and response, and initiate discussions about how their organizations can best prepare for and meet the threats posed by ransomware.  This is increasingly critical at a time when governmental regulators are warning private companies that payments to ransomware actors can implicate legal risks, such as sanctions risk and regulatory obligations under the Bank Secrecy Act.

Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.