As the ransomware threat continues to grow and more businesses, utilities and government agencies fall victim to these cyber criminals, the federal government has created a new hub to assist in recovery.
The new website, www.StopRansomware.gov, is designed to make it easier for ransomware victims to access resources and recovery assistance, as well as serve as a resource for companies looking to harden their data infrastructure against ransomware attacks.
The State Department also announced that it was starting a ransomware taskforce that would offer rewards up to $10 million for information leading to the identification of anyone engaged in foreign state-sanctioned malicious cyber activity against critical U.S. infrastructure.
This new resource consolidates information from federal agencies on ransomware, provides news updates on ransomware incidents, and provides a way for reporting such attacks to the FBI.
The goal of the site is to mitigate ransomware risk by addressing the “fragmentation of resources” that often cause victims of ransomware attacks to miss important information when dealing with such attacks.
Www.StopRansomware.gov is run by the Cybersecurity and Infrastructure Security Agency and it’s separated into a number of sections, including ransomware prevention and response. It includes information that will take affected organizations through the response process:
1. Detection and analysis — Usually an organization learns that it has been hit by ransomware when its systems lock up and they receive a notice demanding that a ransom be paid to unlock everything. The website recommends taking the following steps at this stage:
- Determine which systems were impacted, and immediately isolate them.
- In the event you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.
- Identify and prioritize critical systems for restoration and confirm the nature of data housed on impacted systems.
- Consult with your incident response team to develop and document an initial understanding of what has occurred based on initial analysis.
Meet with your internal team, outside consultants and any affected customers or vendors to so see how they can provide assistance to mitigate, respond to and recover from the incident.
2. Containment and eradication — If no initial mitigation actions appear possible:
Take a system image and memory capture of a sample of affected devices (for example, workstations and servers).
- Also, collect any relevant logs as well as samples of any “precursor” malware binaries and associated indicators of compromise (such as suspicious command and control IP addresses, suspicious registry entries, or other relevant files detected).
- Preserve evidence that is volatile in nature—or limited in retention—to prevent loss or tampering (e.g., system memory, Windows Security logs, data in firewall log buffers).
- Consult federal law enforcement to inquire about any decryption tools they may have to unlock the ransomware. Cyber security researchers have already broken the encryption algorithms for some ransomware variants, so you may be in luck.
The takeaway
The site also includes a number of ransomware prevention best practices, as well as services that can help your organization prevent attacks and recover from them.
Any organization with a database should go to this site and make sure it is doing all it can to prevent ransomware and other cyber threats. And the site should be bookmarked in case a ransomware attack succeeds, as the step-by-step guide and other resources can help you contain the damage.
If you want to protect your business further, contact Shannon@vma.bz at the Visual Media Alliance, the graphic arts industry association for Northern California. We can guide you in getting the right ransomware risk policy. VMA has been working to protect our members for over 30 years and writes $30 million in insurance a year.