- Source: cisa.gov
The CISA and MS-ISAC Ransomware Guide is a customer-centered, one-stop resource that includes best practices and ways to prevent, protect against, and respond to a ransomware attack. CISA and MS-ISAC published the guide to inform and enhance network defense and reduce exposure to ransomware.
Ransomware is a form of malware designed to encrypt files on a device, rendering those files and the systems that rely on them unusable. Malicious actors then demand a ransom in exchange for decryption.
The healthcare industry has been severely hit by ransomware in the last few years. Most recently, on September 26, 2020, computer systems at Universal Health Services, which has more than 400 locations, primarily in the United States, began to fail, and some hospitals had to resort to recording patient information with pen and paper.
This guide consists of two parts:
- Ransomware Prevention Best Practices
- A Ransomware Response Checklist
Treliant helps firms prepare for potential cyberattacks such as ransomware.
Our professionals include former Chief Information Security Officers (CISOs) and Internal Auditors, among others. We understand how to make cybersecurity programs work and how to prepare firms for regulatory exams, which may cover how firms prepare for ransomware attacks, especially now that many individuals are working remotely.
Part 1: Ransomware Prevention Best Practices
- Be Prepared
- Maintain offline, encrypted backups of data and regularly test your backups
- Create, maintain, and exercise a basic cyber incident response plan
- Ransomware Infection Vectors are described, such as:
- Internet-Facing Vulnerabilities and Misconfigurations
- Precursor Malware Infection
- Third Parties and Managed Service Providers
- General Best Practices and Hardening Guidance are also described
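The backup advice above is only as good as the restore that is never tried. The following POSIX shell script is an added example, not part of the CISA/MS-ISAC guide or Treliant's material, showing the mechanics of the "encrypted" and "regularly test" parts of that recommendation: it packs a directory into an AES-256-CBC-encrypted tar archive with a SHA-256 manifest, then performs a test restore into a scratch directory and checks every restored file against the manifest, so that a corrupted archive or a wrong key is caught before an incident rather than during one. It assumes tar, openssl (1.1.1 or later for -pbkdf2) and sha256sum or shasum are installed; the directory names, the passphrase file and the sample records are constructed for the demonstration. Keeping the archive offline (on media or a host the production network cannot reach) is a handling step outside what a script can show.

```shell
#!/bin/sh
# Added example (not from the CISA/MS-ISAC guide): create an encrypted backup
# archive with a SHA-256 manifest, then exercise a test restore against it.
# Assumes tar, openssl (>= 1.1.1 for -pbkdf2) and sha256sum or shasum.
# All paths, the passphrase file and the sample records are constructed.
set -e
umask 077   # key file, archive and manifest are created owner-readable only

# sha256: GNU coreutils ships sha256sum, BSD/macOS ships shasum; both accept -c.
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# make_backup SRC_DIR OUT_FILE PASS_FILE
# Writes a SHA-256 manifest of every file under SRC_DIR to OUT_FILE.sha256, then
# streams a tar of SRC_DIR through AES-256-CBC (key derived from the passphrase
# in PASS_FILE with PBKDF2 and a random salt) into OUT_FILE.
make_backup() {
  src="$1"; out="$2"; passfile="$3"
  ( cd "$src" && find . -type f | LC_ALL=C sort | while read -r f; do sha256 "$f"; done ) > "$out.sha256"
  tar -C "$src" -cf - . | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$passfile" -out "$out"
}

# verify_backup BACKUP_FILE PASS_FILE
# Test restore: decrypt and extract into a scratch directory, then check every
# restored file against the manifest. Returns 0 only if decryption, extraction
# and every hash check succeed; a corrupted archive or a wrong key returns 1.
verify_backup() {
  bak="$1"; passfile="$2"
  manifest="$(cd "$(dirname "$bak")" && pwd)/$(basename "$bak").sha256"
  scratch=$(mktemp -d)
  if openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$passfile" -in "$bak" 2>/dev/null \
       | tar -C "$scratch" -xf - 2>/dev/null \
     && ( cd "$scratch" && sha256 -c "$manifest" >/dev/null 2>&1 ); then
    rm -rf "$scratch"; return 0
  fi
  rm -rf "$scratch"; return 1
}

# self_test: constructed end-to-end run. Builds sample data, backs it up, checks
# that the test restore passes, then zeroes 2 KiB of ciphertext in a copy and
# checks that the test restore of the damaged copy fails. Returns 0 if both hold.
self_test() {
  work=$(mktemp -d)
  mkdir -p "$work/data/records"
  printf 'constructed sample record 1\n' > "$work/data/records/a.txt"
  printf 'constructed sample record 2\n' > "$work/data/records/b.txt"
  openssl rand -hex 32 > "$work/backup.key"   # passphrase; store it apart from the host being backed up
  make_backup "$work/data" "$work/data.tar.enc" "$work/backup.key"
  verify_backup "$work/data.tar.enc" "$work/backup.key" || { rm -rf "$work"; return 1; }
  cp "$work/data.tar.enc" "$work/bad.tar.enc"
  cp "$work/data.tar.enc.sha256" "$work/bad.tar.enc.sha256"
  # Overwrite bytes 512-2559 (past the 16-byte "Salted__" header), which
  # corrupts the first tar header block and must make the restore fail.
  dd if=/dev/zero of="$work/bad.tar.enc" bs=512 seek=1 count=4 conv=notrunc 2>/dev/null
  if verify_backup "$work/bad.tar.enc" "$work/backup.key"; then rm -rf "$work"; return 1; fi
  rm -rf "$work"
  return 0
}

if self_test; then
  echo "backup test-restore cycle OK"
else
  echo "backup test-restore cycle FAILED" >&2; exit 1
fi
```

In practice `verify_backup` is what a scheduled job should run against the most recent archive on the offline copy, with its exit status feeding monitoring; a restore that cannot be completed from the real media, with the real key, is the finding the guide's "test your backups" item exists to surface.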
Part 2: Ransomware Response Checklist
- Detection and Analysis, which includes several steps, including but not limited to determining which systems are impacted and isolating them from the rest of the network
- Containment and Eradication, which typically requires taking a system image and memory capture of a sample of affected devices (e.g., workstations and servers) to allow for detailed analysis
- Recovery and Post-Incident Activity, which involves reconnecting systems and restoring data from offline, encrypted backups based on a prioritization of critical services. Take extra caution not to re-infect clean systems during the recovery process. Additionally, document lessons learned from the incident and the associated response activities, which may require updates to organizational policies, plans, and procedures.
- State and Local Response Contacts – Consider documenting contact information for ready use should your firm become a victim of a ransomware incident, and consider contacting these organizations for mitigation and response assistance or for purposes of notification.
CISOs and their teams need to be ready to respond in the event their firms or customers become victims of a ransomware attack. If this occurs, there are regulatory requirements to report within certain timeframes. The FBI has also encouraged firms to notify it of such cyberattacks. Firms will need to demonstrate compliance and be ready for a thorough look at the underlying processes by regulators.