The Cybersecurity and Infrastructure Security Agency has posted a fact sheet to help public- and private-sector organizations prevent and respond to threats from ransomware attackers to release sensitive information if a victim does not pay the ransom demanded.
The Cybersecurity and Infrastructure Security Agency has posted a fact sheet to help public- and private-sector organizations prevent and respond to ransomware attackers threatening to release sensitive information if a victim does not pay the ransom demanded.
As ransomware attacks have become more sophisticated, many attackers are no longer simply demanding payment in exchange for decrypting files. Lately, more have been exfiltrating sensitive and personal data from their victims and then threatening to sell or leak it if the ransom is not paid. This tactic not only renders the victims’ systems unusable until they can be decrypted, but means protected backups and effective restoration plans can’t address the full range of risk. The added extortion can also lead to financial loss and erosion of customer trust, CISA said, making the prevention of such attacks critical.
Primarily, organizations must guard against falling victim to ransomware attacks. They should maintain offline, encrypted backups of data and develop and exercise plans for responding to a ransomware attack, including how they will conduct business if critical systems have been disabled. Internet-facing vulnerabilities must be addressed, software updated, devices properly configured and remote-desktop services should be regularly audited, CISA advised. Spam filters and cybersecurity-awareness training will help reduce the risk of successful phishing attacks, and carefully managing privileged accounts and employing multifactor authentication will increase cyber hygiene.
Organizations that house sensitive or personal information should have an inventory of that data and ensure access to it is limited, encrypt the data, implement physical security and consider segmenting networks to increase the data’s security. Additionally, they should have incident response and communications plans that include procedures for data breach response and notification.
If a ransomware-caused data breach occurs, organizations should turn to their response plans by first securing their networks and stopping additional data loss.
If mitigation seems impossible, victims should “take a system image and memory capture of a sample of affected devices,” CISA advised. Logs and samples of any “precursor” malware binaries and associated observables or indicators of compromise should also be collected. Forensic evidence should not be destroyed, so victims should be sure to “preserve evidence that is highly volatile in nature -- or limited in retention -- to prevent loss or tampering.”
Finally, affected organizations must notify businesses and individuals that their data has been exposed and may be misused.
The fact sheet includes links to specific resources throughout and concludes with pointers to general information on ransomware threats and response.