The cybersecurity agency warned that attackers now threaten to sell or leak stolen data, not just render systems unusable.
The Cybersecurity and Infrastructure Security Agency issued guidance for any organization to protect the data on its networks from ransomware and urged a heightened awareness of the “serious and increasing” threat.
“All organizations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems,” the CISA guidance says, noting the recent attacks on pipeline company Colonial Pipeline, which disrupted gas distribution on the East Coast, and on software company Kaseya, which affected managed service providers and their customers.
The agency, which has already responded to a “significant number” of incidents, said ransomware threats are evolving. Where perpetrators once encrypted files and rendered devices unusable until the ransom was paid, they now threaten to sell or leak sensitive and personal information unless the victim pays up.
To prevent attacks, CISA recommends maintaining offline, encrypted backups that are regularly tested, and developing and practicing a cyber response plan. Organizations should also mitigate internet-facing vulnerabilities and reduce phishing email by turning up spam filters and focusing on user training. The agency also endorses good cyber hygiene practices like enabling multifactor authentication for all services, keeping antivirus software up to date and limiting privileged accounts.
To protect data, CISA suggests first knowing where sensitive data is stored and figuring out who can access it. Organizations should also follow best practices for physical and cybersecurity, such as encrypting data at rest and in transit, not storing sensitive information on internet-facing systems, and creating a notification plan if a data breach occurs.
If a ransomware incident leads to a data breach, CISA points to a response checklist, which features detailed steps for securing the network and preventing additional data loss, taking a system image of the affected devices and notifying affected customers as well as CISA, the local FBI field offices, the FBI Internet Crime Complaint Center and the local Secret Service office.
CISA also maintains StopRansomware.gov, which hosts additional resources including guidance and alerts.