Take These Steps to Plan for Ransomware Attacks

Federal agencies, the latest target of these breaches, can follow tips provided by CISA, NIST and others.



Stories about schools, hospitals and local government agencies being shut down by ransomware appear in the news seemingly every day. Until recently, the federal government hadn’t been a regular target.

But don’t think that a ransomware attack won’t happen to you or your agency, because it can and it will — if it hasn’t already. In February, the U.S. Marshals Service was hit with a ransomware infection that shut down critical systems, some of which were still offline months after the attack.

And in June, the CL0P ransomware group struck several civilian federal agencies in what Cybersecurity and Infrastructure Security Agency Director Jen Easterly called an "opportunistic attack," one that, she said, was not being used to extort the agencies.

You must be prepared before an attack happens in order to minimize its damage and impact, or your agency might not be able to fully meet its mission for days, weeks or months to come.

Federal organizations including CISA, the National Institute of Standards and Technology and the FBI publish guidance that agencies can follow to protect themselves from ransomware attacks.

These resources and guidance documents have been widely used by many organizations outside the federal space and refined based on public feedback. Take advantage of these lessons learned to protect your agency’s systems and data.


How to Best Implement a Plan for Recovery

When an organization experiences a ransomware infection, the malware will likely spread rapidly through its networks. A good first step to protect your agency against ransomware attacks is to assess its readiness.

Ransomware readiness involves many cybersecurity practices that should already be in place, such as keeping software patched and up to date, and using anti-virus and anti-malware tools. Such tools are doubly important because they help in preventing, detecting, responding to and recovering from ransomware.

An agency’s people, processes and technology will need to work together smoothly and quickly when an attack is discovered. Every second matters; every additional device infected with ransomware can increase the amount of damage done and complicate and lengthen recovery efforts.

If you haven't inventoried your IT environment, done the necessary response and recovery planning, fully implemented those plans and ensured they will be maintained and updated over time, you are greatly increasing the chances that a ransomware incident will be far worse than it needed to be.


Using the Right Tools to Protect Agency Assets

Ransomware operators and their tooling often scan for known weaknesses in software, such as missing patches or configuration errors, and exploit them to gain a foothold within an agency.

Thwarting ransomware always involves typical cyber hygiene practices, such as keeping devices patched and securely configured, running anti-virus and anti-malware utilities on susceptible devices, using network security technology to prevent unauthorized access to devices, and employing the principle of least privilege to limit what a successful attacker can do.

All of these tactics and more are covered in NIST Special Publication 1800-25, Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events. Also, CISA's Ransomware Vulnerability Warning Pilot notifies organizations when their internet-facing systems carry vulnerabilities commonly exploited by ransomware actors, helping agencies prioritize which ones to fix first.

[Figure not reproduced. Source: Palo Alto Unit 42, Ransomware and Extortion Report 2023, March 2023]

In addition, use cyberthreat intelligence feeds to automatically update your cybersecurity technologies on the latest threats, including ransomware. This can help prevent ransomware from entering agency systems in the first place. When infections do occur, the same indicators can be used to block infected devices from communicating with known attacker IP addresses, domains and command-and-control infrastructure.
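The blocking step described above, as an added example that is not code from the original article or from any CISA or NIST guidance: a small matcher that takes an indicator list in the shape a feed export typically provides (single IPs, CIDR ranges, domains) and runs it over egress and DNS log lines to find which internal hosts have already contacted attacker infrastructure. The indicators, log format and log lines are all constructed for illustration (documentation IP ranges and example.* domains); in practice the indicators come from the feed and the lines from a firewall or DNS resolver.

```python
"""Match egress and DNS log lines against threat intelligence indicators.

Added example, not code from the original article or from CISA/NIST guidance.
The indicators and log lines are constructed for illustration (documentation
IP ranges, example.* domains); in practice the indicator set would come from a
threat intelligence feed and the log lines from a firewall or DNS resolver.
"""
import ipaddress
import re

# Constructed indicator list, in the shape a feed export might give you:
# single IPs, CIDR ranges and domains (subdomains implied).
INDICATORS = {
    "ip": ["203.0.113.45"],
    "cidr": ["198.51.100.0/24"],
    "domain": ["c2.example.net", "update-check.example.org"],
}

# Constructed log lines in a simplified format: connections as
# "<ts> <src> -> <dst>:<port>", DNS lookups as "<ts> <src> dns <name>".
SAMPLE_LOGS = [
    "2023-06-01T10:00:01Z 10.0.0.12 -> 203.0.113.45:443",
    "2023-06-01T10:00:02Z 10.0.0.12 -> 93.184.216.34:443",
    "2023-06-01T10:00:03Z 10.0.0.7 dns beacon.c2.example.net",
    "2023-06-01T10:00:04Z 10.0.0.7 dns www.example.com",
    "2023-06-01T10:00:05Z 10.0.0.9 -> 198.51.100.77:8080",
    "2023-06-01T10:00:06Z 10.0.0.9 dns example.org",
]

CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[0-9.]+):(?P<port>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) dns (?P<name>\S+)$")


def compile_indicators(raw):
    """Turn the feed's strings into ip_network objects and a normalized domain set."""
    networks = [ipaddress.ip_network(c) for c in raw.get("cidr", [])]
    networks += [ipaddress.ip_network(ip) for ip in raw.get("ip", [])]  # host /32s
    domains = {d.lower().rstrip(".") for d in raw.get("domain", [])}
    return networks, domains


def match_ip(addr, networks):
    """Return the matching indicator network (as a string) or None."""
    try:
        a = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in networks:
        if a in net:
            return str(net)
    return None


def match_domain(name, domains):
    """Return the matching indicator domain or None. A listed domain also
    matches every subdomain (beacon.c2.example.net hits c2.example.net), but
    a parent does not match a listed child (example.org does not hit
    update-check.example.org)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan(lines, raw=INDICATORS):
    """Return one hit dict per log line that touches an indicator."""
    networks, domains = compile_indicators(raw)
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            ind = match_ip(m["dst"], networks)
            if ind:
                hits.append({"src": m["src"], "observed": m["dst"], "indicator": ind, "type": "ip"})
            continue
        m = DNS_RE.match(line)
        if m:
            ind = match_domain(m["name"], domains)
            if ind:
                hits.append({"src": m["src"], "observed": m["name"], "indicator": ind, "type": "domain"})
    return hits


def hosts_to_isolate(hits):
    """Internal hosts that contacted an indicator: the isolation/block list."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"{h['src']} contacted {h['observed']} (matches {h['type']} indicator {h['indicator']})")
    print("isolate:", hosts_to_isolate(scan(SAMPLE_LOGS)))
```

On the constructed input, three of the six lines hit: the direct connection to the listed IP, the DNS lookup of a subdomain of a listed domain, and the connection into the listed CIDR range. The two lookups of unrelated example.* names do not, which is the point of matching on label boundaries rather than substrings; a substring match on "example.org" would have flagged the benign lookup as well.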

Back up all needed data and maintain copies of backups offline so that ransomware infections won’t destroy them. Frequently perform restoration tests to ensure the backups are valid and that the restoration procedures and technologies are working properly.
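A restoration test is more than confirming that the restore job finishes: the restored files have to be checked against a record made when the backup was taken, or a backup that was already encrypted or tampered with will restore "successfully" and still be useless. The following is an added example, not code from the original article or from NIST SP 1800-25. It records a SHA-256 manifest of a small constructed backup set, verifies a clean restore against it, then simulates the three things ransomware typically does to files (overwrite in place, rename with a new extension, drop a ransom note) and shows the check reporting each one. Paths, file contents and the ".locked" extension are all constructed for illustration.

```python
"""Restoration test: verify a restored backup against a hash manifest.

Added example, not code from the original article or NIST SP 1800-25. It
creates a small constructed backup set in a temporary directory, records a
SHA-256 manifest when the "backup" is taken, restores a copy and verifies it,
then simulates what ransomware does to files (overwrite in place, rename with
a new extension, drop a ransom note) and shows the check reporting each case.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time.

    Returns (ok, report); report lists files that are missing, whose content
    changed, or that were not in the backup at all. Any non-empty list means
    the restored data cannot be trusted as-is."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    unexpected = sorted(set(actual) - set(manifest))
    modified = sorted(p for p in manifest.keys() & actual.keys()
                      if manifest[p] != actual[p])
    report = {"missing": missing, "modified": modified, "unexpected": unexpected}
    return not (missing or modified or unexpected), report


def demo():
    """Run a clean restore check, then a check against a tampered restore."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "backup")
        # Constructed backup contents.
        for rel, content in {"docs/a.txt": b"alpha", "db/cases.sqlite": b"sqlite-bytes"}.items():
            p = backup / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        # The manifest belongs with the offline copy (or somewhere separate),
        # never only on the live system that ransomware can reach.
        manifest = build_manifest(backup)

        restored = Path(tmp, "restored")
        shutil.copytree(backup, restored)
        clean = verify_restore(manifest, restored)

        # Simulated ransomware effects on the restored tree (constructed):
        (restored / "docs" / "a.txt").write_bytes(os.urandom(32))          # encrypted in place
        victim = restored / "db" / "cases.sqlite"
        victim.rename(victim.parent / (victim.name + ".locked"))            # renamed
        (restored / "README_RESTORE.txt").write_bytes(b"pay to decrypt")    # ransom note
        tampered = verify_restore(manifest, restored)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore ok:", clean[0], clean[1])
    print("tampered restore ok:", tampered[0], tampered[1])
```

The clean restore verifies with empty lists in every category; the tampered one reports docs/a.txt as modified, db/cases.sqlite as missing, and both the renamed file and the ransom note as unexpected. Run this kind of check on every restoration test, and keep the manifest with the offline copy, since a manifest that ransomware can rewrite proves nothing.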

Use multifactor authentication for people and strong authentication for nonperson entities, such as cryptographic-based mutual authentication for service-to-service communications. This helps prevent ransomware attackers from laterally moving throughout an organization with ease.

Finally, an important but sometimes overlooked part of protection is preparing your personnel. Users should be trained on cybersecurity awareness in general and know how to spot ransomware and what to do if an infection occurs.

CISA also releases alerts and advisories specific to major new ransomware threats as they happen, and agencies should monitor them so they act on new information as soon as it is available.