Take These Steps to Plan for Ransomware Attacks

How to Best Implement a Plan for Recovery

When any organization experiences a ransomware infection, it will likely start spreading rapidly throughout the organization. A great first step to protect your agency against ransomware attacks is to conduct an assessment of its readiness.

Ransomware readiness involves many cybersecurity practices that should already be in place, such as keeping software patched and up to date, and using anti-virus and anti-malware tools. Such tools are doubly important because they help in preventing, detecting, responding to and recovering from ransomware.

An agency’s people, processes and technology will need to work together smoothly and quickly when an attack is discovered. Every second matters; every additional device infected with ransomware can increase the amount of damage done and complicate and lengthen recovery efforts.

If you haven’t taken inventory of your IT environment, done the necessary response and recovery planning, fully implemented your plans and ensured your plans will be properly maintained and updated over time, you’re greatly increasing the chances that ransomware’s impact could be significantly worse than it should have been.

DIVE DEEPER: Why zero-trust architectures should include data protection and cyber recovery.

Using the Right Tools to Protect Agency Assets

Ransomware often searches for known vulnerabilities in software, such as missing patches or configuration errors, and takes advantage of them to get a foothold within an agency.

Thwarting ransomware always involves typical cyber hygiene practices, such as keeping devices patched and securely configured, running anti-virus and anti-malware utilities on susceptible devices, using network security technology to prevent unauthorized access to devices, and employing the principle of least privilege to limit what a successful attacker can do.

All of these tactics and more are covered in NIST Special Publication 1800-25, Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events. Also, CISA’s Ransomware Vulnerability Warning Pilot helps agencies prioritize which vulnerabilities to address as soon as possible to avoid ransomware infections.

In addition, use cyberthreat intelligence feeds to automatically update your cybersecurity technologies on the latest threats, including ransomware. This can help prevent ransomware from entering agency systems in the first place. When infections do occur, they can block infected devices from communicating with known attacker IP addresses, domains and command-and-control networks.

Back up all needed data and maintain copies of backups offline so that ransomware infections won’t destroy them. Frequently perform restoration tests to ensure the backups are valid and that the restoration procedures and technologies are working properly.

Use multifactor authentication for people and strong authentication for nonperson entities, such as cryptographic-based mutual authentication for service-to-service communications. This helps prevent ransomware attackers from laterally moving throughout an organization with ease.

Finally, an important but sometimes overlooked part of protection is preparing your personnel. Users should be trained on cybersecurity awareness in general and know how to spot ransomware and what to do if an infection occurs.

CISA also releases alerts and advisories specific to major new ransomware threats as they happen, and agencies should be aware when new information is available.