#StopRansomware in its tracks

The national impact of ransomware is expanding. Following a dip in the recorded number of ransomware attacks for 2022, there have been multiple nationwide events with devastating effect in 2023. Given the damage across private and public enterprises, the federal government has sought to provide additional information and resources to assist those who are preparing to defend against an attack and businesses that have already experienced one.

With that in mind, a second version of the #StopRansomware Guide was published last month. The guide is prepared by the Cybersecurity & Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation in a collective effort through the U.S. Joint Ransomware Task Force. Originally issued in September 2020, the latest version of the guide focuses on three main areas: (1) additional recommendations for preventing common points of attack; (2) new guidance on cloud backups and zero trust architecture; and (3) an expanded ransomware response checklist.

The first part of the new version of the guide discusses heightened concerns regarding compromised user credentials. When it comes to defending a network, the "human firewall" is still one of the most important methods to protect against a network intrusion and the deployment of ransomware. Businesses and entities should be mindful of how users access the network and what they do once they are in the system.

The common refrain in the security world is to use multifactor authentication. Although many security measures can be viewed as a tradeoff between ease of use and protection, MFA, once enabled and enforced on all systems, is the simplest way to protect a network while still making it easy for users to access the system. However, MFA can still be bypassed if users accidentally provide their credentials to the threat actors and then give them the MFA codes as well. This highlights the importance of educating employees and users about attempts to steal their login information.

Cloud backups are also addressed in the updated guide, including recommendations to be wary about over-reliance on cloud backups and how to implement zero-trust architecture. The example of a photographer's 3-2-1 Backup Strategy is a case in point. This strategy says there should be three copies of your data. Two of those copies should be kept on site but saved on different devices, and one copy should be kept off site. When it comes to the off-site backup, many organizations use a cloud backup system. Cloud backups are an easy-to-use part of the backup strategy but can be misconfigured in ways that make them meaningless in the event of a ransomware attack. Often, cloud backups are configured to sync automatically whenever the data on the local device changes. In the event of a ransomware attack, however, that automatic syncing could back up the encrypted files and overwrite the clean copies, making the original files unrecoverable without a decryption key. For cloud backups, the recommended practice is to maintain file version history, so the cloud backup solution keeps historical copies of data that predate the attack.
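As an added illustration (not part of the guide or this post), the following toy Python model contrasts a sync-only cloud mirror with a backup that keeps file version history: after a simulated mass overwrite the mirror holds only ciphertext, while the versioned store can still restore the clean generation and can flag the suspicious sync. The backup class, the file names and the 50% mass-change threshold are constructed for the example.

```python
# Added toy model (not from the guide): a sync-only cloud mirror versus a backup with
# file version history under a ransomware-style mass overwrite. XOR only stands in for
# the attacker's cipher so the effect on the backups can be shown; all data is constructed.
MASS_CHANGE_THRESHOLD = 0.5  # flag a sync that rewrites more than half of the existing files


class VersionedBackup:
    """Keeps every distinct content synced for each path, tagged with a generation number."""
    def __init__(self):
        self._history = {}  # path -> [(generation, content), ...], oldest first
        self.generation = 0

    def sync(self, local_files):
        """Record a new generation; return the fraction of existing files whose bytes changed."""
        self.generation += 1
        changed = 0
        for path, content in local_files.items():
            versions = self._history.setdefault(path, [])
            if not versions or versions[-1][1] != content:
                changed += len(versions) > 0  # an overwrite, not a brand-new file
                versions.append((self.generation, content))
        return changed / len(local_files) if local_files else 0.0

    def restore(self, as_of_generation=None):
        """Rebuild the file set as it stood at a generation (default: the latest)."""
        target = self.generation if as_of_generation is None else as_of_generation
        return {path: next(c for g, c in reversed(versions) if g <= target)
                for path, versions in self._history.items() if versions[0][0] <= target}


def simulate_ransomware(local_files):
    """Stand-in for mass encryption: every byte of every file is rewritten."""
    return {path: bytes(b ^ 0x5A for b in data) for path, data in local_files.items()}


def run_scenario():
    originals = {"invoice.docx": b"Q2 invoice", "photos/a.jpg": b"JPEGDATA", "notes.txt": b"todo"}
    versioned = VersionedBackup()
    mirror = dict(originals)                   # sync-only backup: a copy of the last sync
    versioned.sync(originals)                  # generation 1: clean data
    encrypted = simulate_ransomware(originals)
    mirror = dict(encrypted)                   # automatic sync overwrote the only good copy
    changed_fraction = versioned.sync(encrypted)   # generation 2: ciphertext appended
    return {
        "mirror_recoverable": mirror == originals,
        "versioned_latest_recoverable": versioned.restore() == originals,
        "versioned_gen1_recoverable": versioned.restore(as_of_generation=1) == originals,
        "mass_change_alert": changed_fraction > MASS_CHANGE_THRESHOLD,
    }
```

Real cloud services expose the same idea as version history or object versioning with a retention window; the point of the model is that the retention window, not the sync itself, is what makes the off-site copy useful after an attack.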

Additionally, using zero-trust architecture helps to prevent unauthorized intrusions in a network. ZTA envisions a system where compromise of the network is assumed. Therefore, users (especially compromised ones) should have access only to the areas necessary for the performance of their work. ZTA is also known as "least privilege access," or "the principle of least privilege." Using administrative accounts with high-level access for typical day-to-day work is not recommended, and an administrative account password should not be reused for other user accounts.

Finally, the guide expands on the itemized checklist for ransomware attacks. The checklist covers the various phases, including Detection and Analysis, Reporting and Notification, Containment and Eradication, and Recovery and Post-Incident Activity. For organizations of every size, having a plan in place before an incident can save precious hours or days when it comes to recovery. This checklist is meant to provide a high-level overview intended to help organizations develop more detailed and tailored game plans based on their unique circumstances. Responding to incidents during emergencies can make it difficult to see the forest for the trees, but this guide lays out the bigger-picture issues and how they tend to mesh during an incident.

Ransomware can have devastating effects not only on the immediate organization experiencing the attack but also on its consumers and vendors. This 29-page report provides straightforward information from federal agencies that can assist in prevention and response.

Although the threat of ransomware has grown over the years, there have been corresponding improvements in preventive and responsive measures. Organizations working together can limit its impact.

The Constangy Cyber Team supports clients with ransomware matters on a regular basis. Should your organization need to develop a comprehensive incident response plan or support with a breach, we are here to help! The Constangy Cyber Team is available 24/7 – contact us at breachresponse@constangy.com or #877-DTA-BRCH.

  • Maria Efaplomatidis
    Partner

    Maria centers her practice on data breaches, cybersecurity incidents and privacy violations. She guides clients on navigating the complex process of responding to the loss, theft or compromise of protected and confidential ...

  • Amir Goodarzi
    Attorney

    Amir is a member of the Constangy Cyber Team and is based in the Philadelphia office. Prior to joining Constangy, Amir worked for the Camden County Prosecutor's Office, where he skillfully managed a diverse array of cases, honing ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
