CISA Issues Guidance on Protecting Sensitive Data and Dealing With Double-Extortion Ransomware Attacks

Ransomware attacks were significantly higher in 2020, and there is no sign that cyberattacks using the file-encrypting malware will diminish. Attacks have continued to increase this year, to the point where nearly half as many ransomware attacks were attempted in Q2 2021 as in the whole of 2019.

The majority of threat actors conducting ransomware attacks now use double-extortion techniques, in which a ransom is demanded not only for the keys to decrypt files but also to prevent the publication of data stolen in the attack. Stealing records before encrypting files has allowed ransomware gangs to demand large ransoms, because the threat of a data leak considerably increases the likelihood that a ransom will be paid. Many victims pay the ransom to stop data exposure even though they have good backups that would let them recover the encrypted data for free.

The Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance to help public and private sector organizations deal with the threat of double-extortion ransomware attacks. The guidance includes best practices for preventing cyber threat actors from gaining access to networks, actions to ensure that sensitive data is protected, and procedures that should be followed when responding to a ransomware attack.

The document specifies a number of measures that are essential not just for preventing ransomware attacks but also for limiting their severity. It is important to maintain offline, encrypted backups of data and to test those backups routinely to confirm that files can actually be recovered. It is also essential to create and maintain a basic cyber incident response plan, a resiliency plan, and an associated communications plan, and to conduct exercises to ensure that a rapid response to an attack is possible. To prevent attacks, steps should be taken to address the main attack vectors, namely phishing, RDP compromise, and the exploitation of internet-facing vulnerabilities and misconfigurations. Naturally, all organizations must also make sure they follow good cyber hygiene practices.

To protect sensitive information, organizations should know where sensitive records are stored and who has access to those data stores. It is also crucial to ensure that sensitive information is retained only for as long as is strictly necessary. Physical and cybersecurity recommendations should be enforced, including encrypting sensitive data at rest and in transit, restricting access to physical IT assets, and using firewalls and network segmentation to hinder lateral movement within systems. CISA also advises making sure that the cyber incident response and communications plans include response and notification procedures for data breach incidents.

A fast and effective response to a ransomware attack is crucial for limiting the damage caused and keeping costs down. The cyber incident response plan should detail all the steps that must be taken and the order in which they should be performed. The first step is to identify which systems have been affected and isolate them immediately to protect network operations and prevent further data loss. The next step, powering down affected devices to stop the ransomware infection from spreading further, should only be taken if it is not possible to remove the affected devices from the network or to temporarily shut the network down.

After that, triage the affected systems for restoration and recovery, consult with the security team to develop and document an initial understanding of what has happened, then engage internal and external teams and stakeholders and give them instructions on how they can assist with the response and recovery. Organizations must then comply with the notification requirements set out in their cyber incident response plan.

The guidance document – Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches – is available on this link.