US security agencies update ransomware, data extortion prevention best practices and response checklist

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and MS-ISAC released Tuesday a comprehensive guide that includes resources on ransomware and data extortion prevention best practices and a response checklist. It also provides tips on threat hunting, preventing common initial infection vectors, and how to address cloud backups and zero trust architecture. The document comes as an update to the 2020 Ransomware Guide, released by CISA and the MS-ISAC.

Developed through the U.S. Joint Ransomware Task Force (JRTF), the ‘#StopRansomware Guide’ Cybersecurity Information Sheet includes two primary resources – ‘Ransomware and Data Extortion Prevention Best Practices’ and ‘Ransomware and Data Extortion Response Checklist.’ The report is part of the #StopRansomware effort initiated by CISA. 

Relatedly, in February this year, NSA and several partners teamed up with the South Korean government to highlight malicious cyber actors’ use of ransomware to target critical infrastructure.

Since the initial release of the Ransomware Guide in September 2020, ransomware actors have accelerated their tactics and techniques. Some of the alterations made to the guide are to maintain relevance, add perspective, and maximize the efficacy of this guide, including adding the FBI and NSA as co-authors based on their contributions and operational insight. It also incorporates the ‘#StopRansomware’ effort into the title. 

The new guidance also includes added recommendations for preventing common initial infection vectors, including compromised credentials and advanced forms of social engineering. It also provides updated recommendations to address cloud backups and zero trust architecture (ZTA), expands the ransomware response checklist with threat-hunting tips for detection and analysis; and includes mapped recommendations to CISA’s cross-sector cybersecurity performance goals (CPGs). 

Aligned with the CPGs developed by CISA and the National Institute of Standards and Technology (NIST), the Ransomware and Data Extortion Prevention Best Practices focuses on preparing for ransomware and data extortion incidents by maintaining offline, encrypted backups of critical data and regularly testing the availability and integrity of backups in a disaster recovery scenario. It also suggests creating, maintaining, and exercising a basic cyber incident response plan (IRP) and associated communications plan including response and notification procedures for ransomware and data extortion/breach incidents and implementing a zero-trust architecture to prevent unauthorized access to data and services.

The best practices guide organizations to reduce the impact and likelihood of ransomware incidents and data extortion, including best practices to prepare for, prevent, and mitigate these incidents. Prevention best practices are grouped by common initial access vectors, such as Internet-facing vulnerabilities and misconfigurations, compromised credentials, and phishing. The checklist guidance covers the best practices for responding to these incidents. These ransomware and data extortion prevention and response best practices and recommendations are based on operational insight from CISA, MS-ISAC, the NSA, and the FBI. 

“We must collectively evolve to a model where ransomware actors are unable to use common tactics and techniques to compromise victims and where ransomware incidents are detected and remediated before harm occurs,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a media statement. “With our FBI, NSA and MS-ISAC partners, we strongly encourage all organizations to review this guide and implement recommendations to prevent potential ransomware incidents. In order to address the ransomware epidemic, we must reduce the prevalence of ransomware intrusions and reduce their impacts, which include applying lessons learned from ransomware incidents that have affected far too many organizations.”

Bryan Vorndran, assistant director of the FBI’s Cyber Division, said in the CISA statement that “we, along with our partners, strive to identify the common tactics, techniques and procedures that ransomware actors deploy and are dedicated to using that information to help combat the ransomware epidemic. While the FBI continues to prevent and disrupt cyber attacks, we cannot win the fight against ransomware attacks alone: we urge all organizations to implement these recommendations to ensure stronger resiliency for their networks.”

“Sharing cybersecurity best practices, in particular those that can help reduce the incidence of ransomware, is important to government organizations at all levels,” John Gilligan, chief executive officer at the Center for Internet Security, said. “The Multi-State Information Sharing and Analysis Center (MS-ISAC) is pleased to have been able to participate in the development of this important publication.” 

“Ransomware tactics have become more destructive and impactful,” Rob Joyce, NSA director of cybersecurity, said in an NSA statement. “Malicious cyber actors are not only encrypting files and asking for ransom, they are also exfiltrating data and threatening victims to release it as a form of extortion. Most importantly, the speed of compromise and impact have increased dramatically, requiring even more effort on the part of defenders.”

When the initial access vector involves Internet-facing vulnerabilities and misconfigurations, the guidance calls upon organizations to conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on Internet-facing devices, to limit the attack surface. It also suggests regularly patching and updating software and operating systems to the latest available versions; ensuring all on-premises, cloud, mobile, and personal devices are properly configured and have their security features enabled; limiting the use of RDP and other remote desktop services; and disabling Server Message Block (SMB) protocol versions 1 and 2 and upgrading to version 3.

When the initial access vector is compromised credentials, the guidance recommends implementing phishing-resistant MFA across services, considering subscribing to credential monitoring services, implementing identity and access management (IAM) systems, adopting zero trust access control, and changing default admin usernames and passwords. It also suggests enforcing account lockout policies after a certain number of failed login attempts, storing passwords in a secured database, and hashing them with strong, deliberately slow hashing algorithms rather than storing them in plaintext or with fast general-purpose hashes.
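The two credential-storage controls above (slow salted hashing and lockout after repeated failures) are shown together in the following Python example. It is an added illustration, not code from the #StopRansomware Guide or any of its authoring agencies; the threshold, lockout window, usernames and passwords are assumptions made for the example.

```python
"""Added example (not from the #StopRansomware Guide): storing passwords as
salted, slow-KDF hashes and enforcing an account lockout after repeated
failures. Thresholds, user names and passwords are constructed for the
example and are assumptions, not values from the guide."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # slow on purpose; OWASP's 2023 floor for PBKDF2-HMAC-SHA256
LOCKOUT_THRESHOLD = 5         # assumed policy: failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60     # assumed policy: how long the lock lasts


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' (hex fields) for storage.
    A fresh 16-byte random salt per user defeats precomputed/rainbow tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count and compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format {algo!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison: a plain == would leak how long the matching prefix is
    return hmac.compare_digest(digest.hex(), digest_hex)


class AccountStore:
    """Minimal user database that keeps only KDF output, never the password.
    `clock` is injectable so the lockout window can be tested without sleeping."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = {"hash": hash_password(password),
                                 "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'."""
        user = self._users.get(username)
        if user is None:
            # Unknown user: still pay the KDF cost so response time does not
            # reveal which usernames exist, and answer exactly like a bad password.
            verify_password(password, hash_password("placeholder"))
            return "denied"
        now = self._clock()
        if now < user["locked_until"]:
            return "locked"          # do not evaluate the password at all while locked
        if verify_password(password, user["hash"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= LOCKOUT_THRESHOLD:
            user["failures"] = 0
            user["locked_until"] = now + LOCKOUT_SECONDS
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.add_user("alice", "correct horse battery staple")   # constructed credential
    for attempt in ["wrong"] * LOCKOUT_THRESHOLD + ["correct horse battery staple"]:
        print(attempt, "->", store.login("alice", attempt))
```

Two practitioner caveats: a lockout policy is a backstop behind phishing-resistant MFA, not a substitute for it, and because anyone who knows a username can trigger the lock, the same mechanism can be abused to lock out legitimate users, so pair it with per-source rate limiting and alerting on lockout bursts rather than relying on it alone.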

When the initial access vector uses phishing techniques, organizations must implement a cybersecurity user awareness and training program, flag external emails in email clients, implement filters at the email gateway to filter out emails with known malicious indicators; and enable common attachment filters to restrict file types that commonly contain malware. It also suggests implementing Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification; ensuring macro scripts are disabled for Microsoft Office files transmitted via email; and disabling Windows Script Host (WSH).
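A DMARC policy only blocks spoofed mail if the published record actually enforces. The following Python checker, added here as an illustration and not code from the guide or from CISA, parses a DMARC TXT record (the `v=DMARC1; p=...` string published at `_dmarc.<domain>`) and reports settings that leave the domain spoofable; the sample records are constructed for the example.

```python
"""Added example (not from the #StopRansomware Guide or CISA): a checker
that parses DMARC TXT records and reports settings that leave a domain
spoofable. The sample records below are constructed for this example."""

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if "p" not in tags:
        raise ValueError("required p= tag missing")
    return tags


def assess_dmarc(txt: str) -> list:
    """Return a list of findings; an empty list means the record enforces."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [f"invalid: {exc}"]
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: monitor-only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked, not rejected")
    elif policy != "reject":
        findings.append(f"p={policy}: unrecognised policy, receivers may ignore it or treat it as none")
    sub = tags.get("sp", "").lower()
    if sub and POLICY_RANK.get(sub, 0) < POLICY_RANK.get(policy, 0):
        findings.append(f"sp={sub}: subdomains enforce less than the parent domain")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else -1
    if pct < 0 or pct > 100:
        findings.append(f"pct={pct_raw}: not a valid percentage")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("rua missing: no aggregate reports, so failures and abuse go unseen")
    return findings


# Constructed sample records (not real domains' DNS data)
SAMPLE_RECORDS = {
    "enforcing":     "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "monitor-only":  "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "weak-subdomain": "v=DMARC1; p=reject; sp=none; pct=50",
    "not-dmarc":     "v=spf1 -all",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, "->", assess_dmarc(record) or ["ok"])
```

The check is deliberately offline (it takes the record text as input); in practice the record comes from a DNS TXT lookup of `_dmarc.<domain>`. DMARC also depends on SPF and DKIM being set up with aligned domains, which this checker does not verify.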

When the initial access vector adopts precursor malware infection, the guidance calls upon organizations to use automatic updates for antivirus and anti-malware software and signatures; use application allowlisting and/or endpoint detection and response (EDR) solutions; consider implementing an intrusion detection system (IDS); and monitor indicators of activity and block malware file creation with the Windows Sysmon utility. 
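As an added illustration of the Sysmon recommendation (this is an example configuration written for this article, not one published by the guide's authors), the fragment below logs file creation by common script hosts and blocks executable files written under user profile directories. It assumes Sysmon 14 or later, where the FileBlockExecutable event type (event ID 27) was introduced, and a default `C:\Users\` profile path.

```xml
<Sysmon schemaversion="4.82">
  <EventFiltering>
    <!-- Event ID 11 (FileCreate): record, but do not block, files written by script hosts.
         Useful as the monitor-only stage before enabling blocking. -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <Image condition="end with">\wscript.exe</Image>
        <Image condition="end with">\cscript.exe</Image>
        <Image condition="end with">\powershell.exe</Image>
      </FileCreate>
    </RuleGroup>
    <!-- Event ID 27 (FileBlockExecutable): executables dropped under user profiles are
         logged and deleted. Sysmon identifies executables by content, not extension,
         so renaming a payload to .txt does not bypass it. -->
    <RuleGroup name="" groupRelation="or">
      <FileBlockExecutable onmatch="include">
        <TargetFilename condition="begin with">C:\Users\</TargetFilename>
      </FileBlockExecutable>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Install or update with `sysmon64.exe -accepteula -i sysmon.xml` (first install) or `sysmon64.exe -c sysmon.xml` (update). Run the FileCreate rule alone first and review the events: per-user installers and software that updates itself from the profile directory will be broken by the blocking rule, so exclusions for those paths need to be added before it is deployed fleet-wide. Sysmon blocking is a last line of defense behind application allowlisting and EDR, not a replacement for them.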

When the initial access vector involves advanced forms of social engineering, the guidance suggests creating policies that include cybersecurity awareness training; implementing protective Domain Name System (DNS); and considering sandboxed browsers to protect systems from malware originating from web browsing.

When the initial access vector involves third parties and Managed Service Providers (MSPs), the document recommends considering the risk management and cyber hygiene practices of third parties or MSPs. It also suggests ensuring the use of least privilege and separation of duties when setting up the access of third parties; and considering service control policies (SCPs) for cloud-based resources to prevent users or roles, organization-wide, from accessing specific services or taking specific actions within services.
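The SCP below is an added example of that last recommendation, written for this article rather than taken from the guide. It assumes AWS Organizations; the hypothetical `BreakGlassAdmin` role name and the choice of denied actions are assumptions chosen to illustrate the ransomware-relevant case of stopping anyone, including a compromised MSP principal, from switching off logging or destroying backups.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLoggingAndBackupTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "backup:DeleteBackupVault",
        "backup:DeleteRecoveryPoint",
        "organizations:LeaveOrganization"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/BreakGlassAdmin"
        }
      }
    }
  ]
}
```

Two properties of SCPs matter when relying on them this way: they only restrict and never grant, so IAM policies inside the account still have to be right, and they do not apply to the organization's management account, so that account must be kept out of day-to-day and third-party use. Attach the policy to the organizational unit that holds workload accounts, and keep the break-glass role behind MFA and alerting.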

The authoring organizations recommend that organizations respond to ransomware attacks using the checklist. Its detection and analysis steps include determining which systems were impacted and immediately isolating them; powering down devices only if they cannot be disconnected from the network, to stop the ransomware from spreading (powering down discards volatile memory, so network isolation is preferable where possible); triaging impacted systems for restoration and recovery; examining existing organizational detection or prevention systems and logs; conferring with the organizational team to develop and document an initial understanding of what has occurred based on initial analysis; and initiating threat hunting activities.

For reporting and notification, the guidance says to follow the notification requirements set out in the cyber incident response and communications plan, engaging internal and external teams and stakeholders with an understanding of what they can provide to help mitigate, respond to, and recover from the incident.

If no initial mitigation actions appear possible, organizations should take a system image and memory capture of a sample of affected devices. Whether or not mitigation is possible, they should consult federal law enforcement about available decryptors, as security researchers have found encryption flaws in some ransomware variants and released decryption or other tools.

To continue taking steps to contain and mitigate the incident, organizations could research trusted guidance, identify the systems and accounts involved in the initial breach, contain associated systems that may be used for further or continued unauthorized access, follow server-side data encryption quick identification steps, and conduct extended analysis to identify outside-in and inside-out persistence mechanisms. They also could rebuild systems based on prioritization of critical services, issue password resets for all affected systems, and address any associated vulnerabilities and gaps in security or visibility. 

As part of recovery and post-incident activity, the guidance suggests that organizations can reconnect systems and restore data from offline, encrypted backups based on a prioritization of critical services, document lessons learned from the incident and associated response activities, consider sharing lessons learned, and relevant indicators of compromise with CISA or sector ISAC to benefit others within the community. 

Earlier this month, the Healthcare and Public Health Sector Coordinating Council (HSCC) released a checklist that provides the healthcare sector with a flexible template for operational staff and executive management to refer to when responding to extended outages brought on by cyberattacks. The document represents the best collective thinking of private-sector cybersecurity and emergency management executives of the HSCC Incident Response/Business Continuity (IRBC) Task Group of the Health Sector Coordinating Council’s Cybersecurity Working Group (CWG).
