DHS Issues Best Practices to Safeguard Against Ransomware Attacks
Ransomware appeared to have gone out of fashion in 2018, but that is certainly not the case in 2019. Q1, 2019 saw a 195% increase in ransomware attacks and a further 184% increase in Q2. Judging by the number of ransomware attacks reported in the past few weeks, the Q3 figures are likely to be even worse.
States, cities, and local governments have been extensively targeted as has the healthcare industry. Many victims have been forced to pay sizable ransoms to regain access to critical data. Others have been forced to permanently close their doors.
In response to the growing number of attacks, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have issued a joint statement in which recommendations are given to help improve resilience to ransomware attacks.
The statement was issued primarily to state, local, territorial and tribal governments, although the recommendations are equally relevant to the healthcare industry and businesses in other industry sectors.
Taking the three steps detailed in the statement (and outlined below) will improve defenses against ransomware and will help to ensure that in the event of an attack, recovery can be made in the shortest possible time frame.
- Backup systems now (and daily)
- Reinforce cybersecurity awareness training
- Revise and refine cyber incident response plans
Without valid data backups, ransomware victims will be at the mercy of their attackers. As has already been seen on several occasions this year, payment of the ransom does not guarantee file recovery. Even when keys are supplied to unlock encrypted data, some data loss can be expected.
It is therefore essential to ensure that all critical data, agency and system information is backed up daily, with the backups stored on a separate, non-networked, offline device. Backups and the restoration process must be tested to ensure file recovery is possible. The joint statement instructs all partners to backup systems immediately and daily.
Ransomware is most commonly installed inadvertently by employees as a result of responding to a phishing email or visiting a malicious website. It is therefore important to ensure that the workforce is made aware of the threat and is taught how to recognize suspicious emails, links, and other threats.
Even if training has already been given to staff, refresher training sessions are recommended. The staff should also be made aware of the actions to take if a potential threat is received or if an attack is believed to be in progress, including being advised of out-of-band communication paths.
It may not be possible to prevent all attacks, so it is essential for a ransomware response plan to be developed that can be immediately implemented in the event of an attack. The response plan should include plans that can be implemented if internal capabilities become overwhelmed and instructions and contact information for external cyber first responders, state agencies, and other parties that may be required to assist in the wake of an attack.
The guidance document can be viewed/downloaded on this link (PDF).