by Cybersecurity & Infrastructure Security AgencyRansomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. In recent years, ransomware incidents have become increasingly prevalent among the Nation’s state, local, tribal, and territorial (SLTT) government entities and critical infrastructure organizations. Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. Malicious actors have adjusted their ransomware tactics over time to include pressuring victims for payment by threatening to release stolen data if they refuse to pay and publicly naming and shaming victims as secondary forms of extortion. The monetary value of ransom demands has also increased, with some demands exceeding US $1 million. Ransomware incidents have become more destructive and impactful in nature and scope. Malicious actors engage in lateral movement to target critical data and propagate ransomware across entire networks. These actors also increasingly use tactics, such as deleting system backups, that make restoration and recovery more difficult or infeasible for impacted organizations. The economic and reputational impacts of ransomware incidents, throughout the initial disruption and, at times, extended recovery, have also proven challenging for organizations large and small.
This Ransomware Guide includes two resources:
Ransomware Prevention Best Practices
Ransomware Response Checklist
CISA recommends that organizations take the following initial steps:
Join an information sharing organization, such as one of the following:
- Multi-State Information Sharing and Analysis Center (MS-ISAC):
- Election Infrastructure Information Sharing and Analysis Center (EI-ISAC):
- Sector-based ISACs – National Council of ISACs:
- Information Sharing and Analysis Organization (ISAO) Standards Organization:
Engage CISA to build a lasting partnership and collaborate on information sharing, best practices, assessments, exercises, and more.
- SLTT organizations: CyberLiaison_SLTT@cisa.dhs.gov
- Private sector organizations: CyberLiaison_Industry@cisa.dhs.gov
Engaging with your ISAC, ISAO, and with CISA will enable your organization to receive critical information and access to services to better manage the risk posed by ransomware and other cyber threats.
These ransomware best practices and recommendations are based on operational insight from the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The audience for this guide includes information technology (IT) professionals as well as others within an organization involved in developing cyber incident response policies and procedures or coordinating cyber incident response.