Ransomware attacks continue to create serious damages and huge economic losses to private businesses, critical infrastructure, and government organizations. Over the past several years, law enforcement agencies and security firms have responded to a large number of ransomware attacks, including recent attacks against Colonial Pipeline and software company Kaseya.
According to Cybersecurity Ventures, ransomware attacks will cost their victims more than $265 billion annually by 2031. Experts believe that there will be a new security breach caused by a ransomware attack every 2 seconds because threat actors progressively refine their ransomware and extortion models.
This forecast is based on the observation of a significant acceleration of this criminal practice in recent years.
Recently, the US Cybersecurity and Infrastructure Security Agency (CISA) released guidance on how to prevent data breaches resulting from ransomware attacks. The guidance aims at helping government and private sector organizations in preventing ransomware attacks and associated data breaches.
“All organizations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems. This fact sheet provides information for all government and private sector organizations, including critical infrastructure organizations, on preventing and responding to ransomware-caused data breaches,” reads CISA’s guideline.
“CISA encourages organizations to adopt a heightened state of awareness and implement the recommendations”
The agency published a fact sheet that includes the following recommendations to prevent cyber attacks:
- Maintain offline, encrypted backups of data and regularly test your backups. Government experts recommend executing backups on a regular basis, the backup must be periodically tested to verify their integrity. It is essential to maintain the backups offline to avoid threats, such as ransomware strains, encrypting them.
- Create, maintain, and exercise a basic cyber incident response plan, resiliency plan, and associated communications plan. The US agency reinforces the importance of defining a cyber incident response plan that should include response and notification procedures for ransomware incidents. Government experts also recommend creating a resilience plan to prepare operations in case the victims lose access to or control of critical functions.
- Mitigate internet-facing vulnerabilities and misconfigurations to reduce the attack surface. Organizations should audit Remote Desktop Protocol (RDP) and other remote desktop services and promote best practices for them. It is important to close unused RDP ports, enforce account lockouts after a specified number of attempts, apply multi-factor authentication (MFA), and log RDP login attempts. Organizations should periodically conduct vulnerability scanning to identify and address vulnerabilities on internet-facing devices. CISA recommends updating software and implementing an efficient patch management process for internet-facing systems. Organizations should also carefully configure systems and disable ports and protocols that are not used for business purposes. Experts also suggest disabling or block inbound and outbound Server Message Block (SMB) Protocol and remove or disable outdated versions of SMB.
- Reduce the risk of phishing emails from reaching end users by enabling strong spam filters and implementing user awareness and training programs. It is essential to train personnel on how to identify and report suspected phishing attempts.
- Practice good cyber hygiene by using up-to-date anti-malware solutions and applications, implementing application whitelisting, ensuring user and privileged accounts are limited, enable multi-factor authentication (MFA), and implement cybersecurity best practices. CISA also recommends enabling MFA for all services that support this security feature. MFA is very important to protect webmail, virtual private networks (VPNs), and accounts that allow to access critical systems.
The fact sheet also recommends organizations protect sensitive data belonging to customers or employees.
CISA recommends that organizations:
- Know what personal and sensitive information is stored on the systems of the organization and who has access to it.
- Implement physical security best practices from the Federal Trade Commission guide on protecting personal information.
- Implement cybersecurity best practices by identifying the computers or servers where sensitive personal information is stored, encrypting sensitive information at rest and in transit, and implementing firewalls to protect networks and systems from malicious or unnecessary network traffic. The US agency also states that organizations should consider applying network segmentation.
- Ensure your cyber incident response and communications plans include response and notification procedures for data breach incidents.
Regarding the implementation of a cyber incident response plan, CISA recommends taking the following actions:
- Secure network operations and stop additional data loss by determining which systems were impacted and immediately isolate them. If it is not possible to take the impacted systems offline, disconnect the systems from the network by unplugging the network cable or removing them from Wi-Fi. If affected devices cannot be removed from the network or the network cannot be temporarily shut down, power them down to avoid an incident.
- Then triage impacted systems for restoration and recovery, prioritizing based on criticality.
- Document the activity conducted and perform a preliminary analysis. Never pay a ransom to threat actors. The guideline suggests engaging internal and external teams and stakeholders to inform them of how they can help the impacted organization mitigate, respond to, and recover from the security breach. Organizations must collect any relevant logs and artifacts on the impacted system and analyze them in order to extract indicators of compromise and use them to determine the extent of the infection.
- Of course, the US Agency invites victims of ransomware to report the incident to CISA, the local FBI field office, the FBI Internet Crime Complaint Center, or their local U.S. Secret Service office.
In July, the CISA has released the Ransomware Readiness Assessment (RRA), a new ransomware self-assessment security audit tool for the agency’s Cyber Security Evaluation Tool (CSET). RRA could be used by organizations to determine their level of exposure to ransomware attacks against their information technology (IT), operational technology (OT), or industrial control system (ICS) assets.