In response to the continuing growth of ransomware activity, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have jointly published an updated edition of their practical guide, the #StopRansomware Guide, to help organizations manage the risk of ransomware attacks.
The guide, first released by CISA and MS-ISAC in 2020 as the Ransomware Guide, was revised by the Joint Ransomware Task Force (JRTF), a body established by Congress and co-chaired by CISA and the FBI to coordinate the federal response to ransomware. It covers detecting, preventing, responding to, and recovering from ransomware attacks, making it a single reference for the full incident lifecycle.
The new edition reflects how ransomware operators' tactics have changed since the original release. The FBI and NSA contributed as co-authors, and the guide now carries the #StopRansomware name used for the agencies' joint advisories. Key updates include recommendations on zero trust architecture and cloud backups, measures against common initial infection vectors (including compromised credentials and social engineering), and an expanded response checklist with threat hunting tips. The recommendations are mapped to CISA's Cross-Sector Cybersecurity Performance Goals (CPGs).
The guide is divided into two parts: a set of best practices for preventing ransomware and data extortion, and a checklist for responding to ransomware and data extortion incidents. Its objective is to help organizations build strategies to prevent, mitigate, and recover from these attacks. The guide also takes a clear position against paying ransoms: payment neither guarantees that encrypted data will be recovered nor that stolen data will be kept private, and it can encourage further attacks against the victim and others.
The kind of threat the guide addresses is illustrated by a joint Cybersecurity Advisory on the BianLian ransomware group, issued in the same month by the FBI, CISA, and the Australian Cyber Security Centre (ACSC). BianLian has been active since June 2022, targeting multiple critical infrastructure sectors in the U.S. and Australia. The group gains access with valid Remote Desktop Protocol (RDP) credentials and then uses a range of tools and techniques for discovery, credential harvesting, and data exfiltration, increasingly extorting victims with the threat of leaking stolen data rather than relying on encryption alone.
To counter BianLian, the Advisory lists a number of mitigations, including strictly limiting the use of RDP and other remote desktop services, disabling command-line and scripting activities and permissions for users who do not need them (lateral movement and privilege escalation often rely on utilities run from the command line), and updating Windows PowerShell or PowerShell Core to the latest version so that logging and other protections are available. More broadly, the Advisory encourages organizations to adopt a set of measures, aligned with CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) and National Institute of Standards and Technology (NIST) standards, that strengthen overall security posture: restricting remote access tools, enforcing strong password policies, keeping software and hardware patched and current, and segmenting networks to contain an intrusion.
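The following is an added example, not part of the Advisory or the guide, showing how a defender might check a single Windows host against the RDP and PowerShell mitigations summarised above. It only reads configuration and prints a pass/fail table; the thresholds it applies (NLA required, PowerShell 5.1 or newer, the 2.0 engine removed, script block logging on, no inbound RDP rule open to any address) are this example's choices, not figures from the Advisory. Run it in an elevated PowerShell session.

```powershell
# Added example: read-only audit of one Windows host against the RDP and
# PowerShell mitigations in the BianLian advisory. Assumes Windows 10/11 or
# Server 2016+ with the NetSecurity and DISM modules available, and an
# elevated session. Check names and thresholds are this example's own.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail })
}

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means it is off.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
$rdpOff = ($ts.fDenyTSConnections -eq 1)
Add-Finding 'RDP disabled' $rdpOff "fDenyTSConnections=$($ts.fDenyTSConnections)"

# 2. If RDP is on, Network Level Authentication should be required so that
#    credentials are verified before a full session is allocated.
$rdpTcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
Add-Finding 'RDP requires NLA' ($rdpOff -or ($rdpTcp.UserAuthentication -eq 1)) "UserAuthentication=$($rdpTcp.UserAuthentication)"

# 3. Enabled inbound RDP firewall rules should be scoped to known source
#    addresses (e.g. a jump host or VPN range), not 'Any'.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' }
$openToAny = @()
foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') { $openToAny += $rule.DisplayName }
}
Add-Finding 'Inbound RDP rules scoped to known sources' ($openToAny.Count -eq 0) ('Open to Any: ' + ($openToAny -join ', '))

# 4. PowerShell version. 5.1 is the last Windows PowerShell release; 7.x is
#    PowerShell (Core). Older engines lack script block logging and AMSI hooks.
$ver = $PSVersionTable.PSVersion
$modern = ($ver.Major -gt 5) -or (($ver.Major -eq 5) -and ($ver.Minor -ge 1))
Add-Finding 'PowerShell 5.1 or newer' $modern "Running $ver"

# 5. The optional PowerShell 2.0 engine is a downgrade path that bypasses the
#    logging above; it should be removed where present.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($null -eq $v2) {
    Add-Finding 'PowerShell 2.0 engine removed' $true 'Feature not present on this SKU'
} else {
    Add-Finding 'PowerShell 2.0 engine removed' ($v2.State -ne 'Enabled') "State=$($v2.State)"
}

# 6. Script block logging records the content of executed script blocks
#    (Event ID 4104 in Microsoft-Windows-PowerShell/Operational).
$sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
Add-Finding 'Script block logging enabled' ($sbl.EnableScriptBlockLogging -eq 1) "EnableScriptBlockLogging=$($sbl.EnableScriptBlockLogging)"

# 7. Execution policy is not a security boundary, but a machine-wide
#    Unrestricted/Bypass setting shows scripting has not been constrained at all.
$policy = Get-ExecutionPolicy -Scope LocalMachine
Add-Finding 'Machine execution policy not Unrestricted/Bypass' ($policy -notin 'Unrestricted', 'Bypass') "LocalMachine=$policy"

$findings | Format-Table -AutoSize
```

A FAIL on the RDP checks is not automatically a defect: a host that must accept RDP should instead show the 'scoped' and 'NLA' checks passing and have its sessions protected by MFA at the gateway. The script deliberately makes no changes, so it can be run across a fleet (for example via remoting) before deciding which hosts need the policy applied.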
Organizations are also urged to follow the 3-2-1 backup rule: keep three copies of data (the original and two backups) on two different types of media, with one copy stored off-site, and ensure that backups are kept offline or otherwise immutable so that they cannot be encrypted or deleted by the same intruder. The Advisory further calls for multifactor authentication, particularly on webmail, VPNs, and any account that can reach critical systems, which directly addresses BianLian's reliance on valid RDP credentials.
The updated #StopRansomware Guide, together with the BianLian Advisory, serves as a practical reference for organizations working to strengthen their defences and protect their data. Applying the recommendations in these documents does not eliminate the risk, but it removes the easiest paths an intruder relies on and improves the odds of recovering without paying. For organizations handling health information in particular, that resilience is essential to maintaining the trust of the people whose data they hold.