FBI, Multi-State Information Sharing and Analysis Center and Cybersecurity and Infrastructure Security Agency: I've Been Hit By Ransomware!

CISA and Partners Release Updated #StopRansomware Guide to Strengthen Incident Response

In May 2023, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, NSA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC), released an updated #StopRansomware Guide to standardize ransomware response protocols. The guide outlines a structured approach for organizations to detect, contain, eradicate, and recover from ransomware attacks, emphasizing coordinated action to minimize damage.

The response process begins with detection and analysis. Impacted systems should be isolated immediately, either by disconnecting them from the network at the switch level or by physically unplugging them. In cloud environments, snapshots of the affected volumes should be taken to preserve a point-in-time copy for later forensic review. Responders are advised to coordinate over out-of-band channels (e.g., phone calls) rather than the compromised network, since attackers who retain access may be monitoring internal communications and could escalate once they realize they have been discovered. If isolation is not feasible, powering devices down is recommended to limit spread, though this destroys the volatile memory evidence that a memory capture would otherwise preserve.

Critical systems, such as those tied to health, safety, or revenue generation, and the systems they depend on should be prioritized for restoration, while systems believed to be unaffected are tracked and deprioritized to streamline recovery. Security teams are urged to examine logs for precursor malware (e.g., Bumblebee, QakBot, or Cobalt Strike beacons) and for signs of data exfiltration, since ransomware deployment is often the final stage of an intrusion that began earlier. Threat hunting should focus on anomalous activity, including newly created or unauthorized Active Directory accounts, suspicious VPN logins, misuse of built-in Windows tools (e.g., vssadmin.exe, wbadmin.exe, bcdedit.exe) to delete shadow copies and backups or disable recovery, and unexpected use of legitimate administration tools such as PsExec (a Sysinternals utility, not a built-in) for lateral movement.

Reporting and notification are critical: organizations are directed to engage internal stakeholders (IT, leadership, cyber insurers) and to report to external agencies such as CISA, the FBI, or the U.S. Secret Service. If the incident involved a data breach, legal and communications teams must follow the incident response plan's notification procedures to manage regulatory and customer disclosures.

Containment and eradication involve capturing system images, memory dumps, and malware samples for analysis before that evidence is destroyed by rebuilds. Trusted guidance for the specific variant (e.g., from CISA, MS-ISAC, or a reputable security vendor) should be followed to disable ransomware binaries and remove associated registry entries. Because these intrusions typically involve credential theft, remote access paths (VPNs, remote access servers) should be disabled or restricted and passwords reset for affected accounts. Forensic analysis should identify persistence mechanisms, such as rogue accounts or backdoors, before systems are rebuilt from clean images or infrastructure-as-code templates; rebuilding before persistence is found risks the attacker simply returning.
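The hunting and persistence checks described in the two paragraphs above (built-in tools abused to impair recovery, rogue Active Directory accounts, PsExec-style remote service installs, anomalous VPN logins) can be expressed as a small triage script run over collected event logs. The following is an added example, not code from the guide or from CISA; the event records, the known VPN egress range 198.51.100.0/24, the authorised-account list, and the business-hours window are all constructed assumptions, and real deployments would read Sysmon, Security, System and VPN appliance logs from a SIEM rather than an in-memory list.

```python
"""Triage hunt over constructed Windows event records for the indicators the
guide lists: recovery-inhibiting use of built-in tools, new AD accounts,
PsExec-style remote service installs, and anomalous VPN logins.
Added example; event data and baselines below are hypothetical."""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Command-line patterns for built-in tools abused to impair recovery
# (shadow copies, backup catalogs, boot recovery options, USN journal).
RECOVERY_INHIBIT = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no"
               r"|bootstatuspolicy\s+ignoreallfailures)", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy", re.I),
    re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal", re.I),
]

# Constructed sample events, modelled loosely on Sysmon (EID 1), Windows
# Security (EID 4720), System (EID 7045) and a generic VPN appliance log.
SAMPLE_EVENTS = [
    {"ts": "2024-03-10T02:41:07", "host": "FS01", "source": "sysmon", "eid": 1,
     "user": "CORP\\jdoe", "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-03-10T02:41:09", "host": "FS01", "source": "sysmon", "eid": 1,
     "user": "CORP\\jdoe", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": "2024-03-10T02:43:55", "host": "DC01", "source": "security", "eid": 4720,
     "user": "CORP\\jdoe", "target_user": "svc_backup2"},
    {"ts": "2024-03-10T02:45:12", "host": "WS22", "source": "system", "eid": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-03-10T03:12:30", "host": "VPN-GW", "source": "vpn", "eid": 0,
     "user": "CORP\\mlee", "src_ip": "203.0.113.45", "result": "success"},
    {"ts": "2024-03-10T09:30:00", "host": "VPN-GW", "source": "vpn", "eid": 0,
     "user": "CORP\\asmith", "src_ip": "198.51.100.17", "result": "success"},
    {"ts": "2024-03-10T10:02:14", "host": "WS07", "source": "sysmon", "eid": 1,
     "user": "CORP\\asmith", "cmdline": "notepad.exe C:\\Users\\asmith\\notes.txt"},
]

# Assumed baselines (hypothetical): known remote-office egress ranges, the
# accounts a change ticket authorised, and local business hours [start, end).
KNOWN_VPN_NETS = [ip_network("198.51.100.0/24")]
AUTHORISED_NEW_ACCOUNTS = {"svc_monitor"}
BUSINESS_HOURS = (7, 19)


def _finding(rule, ev, detail):
    return {"rule": rule, "ts": ev["ts"], "host": ev["host"], "detail": detail}


def hunt(events, known_vpn_nets=KNOWN_VPN_NETS,
         authorised_accounts=AUTHORISED_NEW_ACCOUNTS, hours=BUSINESS_HOURS):
    """Return a list of findings; each finding names the rule that fired."""
    findings = []
    for ev in events:
        if ev["source"] == "sysmon" and ev["eid"] == 1:
            cmd = ev.get("cmdline", "")
            if any(p.search(cmd) for p in RECOVERY_INHIBIT):
                findings.append(_finding("recovery_inhibit", ev, cmd))
        elif ev["source"] == "security" and ev["eid"] == 4720:
            # Account creation not backed by an approved change is a rogue-account candidate.
            if ev["target_user"] not in authorised_accounts:
                findings.append(_finding("unauthorised_account", ev,
                                         f"{ev['user']} created {ev['target_user']}"))
        elif ev["source"] == "system" and ev["eid"] == 7045:
            # PsExec drops and installs a PSEXESVC service on the target host.
            if "psexesvc" in (ev["service_name"] + ev["image_path"]).lower():
                findings.append(_finding("remote_service_install", ev, ev["service_name"]))
        elif ev["source"] == "vpn" and ev.get("result") == "success":
            src = ip_address(ev["src_ip"])
            hour = datetime.fromisoformat(ev["ts"]).hour
            known = any(src in net for net in known_vpn_nets)
            in_hours = hours[0] <= hour < hours[1]
            if not known and not in_hours:
                findings.append(_finding("vpn_anomaly", ev,
                                         f"{ev['user']} from {src} at {hour:02d}h"))
    return findings


def hosts_to_isolate(findings):
    """Hosts showing recovery inhibition or remote service installs go first in
    the isolation queue; the VPN gateway is not isolated, its sessions are cut."""
    return sorted({f["host"] for f in findings
                   if f["rule"] in ("recovery_inhibit", "remote_service_install")})


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['ts']} {f['host']:<7} {f['rule']:<24} {f['detail']}")
    print("isolate first:", hosts_to_isolate(results))
```

On the sample data the script fires five findings (two recovery-inhibit commands on FS01, the unapproved svc_backup2 account on DC01, the PSEXESVC install on WS22, and the off-hours VPN login from an unknown range) and queues FS01 and WS22 for isolation. The VPN rule deliberately requires both conditions (unknown source and off-hours) to keep noise down; tighten it to either condition once you know the attacker's source ranges from the first findings.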

Recovery prioritizes reconnecting systems and restoring data from offline backups in order of criticality while preventing reinfection, which means confirming that each restored host is clean before it rejoins the network. Post-incident, organizations are encouraged to document lessons learned and share indicators of compromise with CISA or sector-specific ISACs to bolster collective defense. The guide underscores that a ransomware detonation may be only the visible end of a deeper compromise, so a thorough investigation of how the attacker got in and what else they touched is necessary to prevent recurrence.

Source: https://www.cisa.gov/stopransomware/ive-been-hit-ransomware

Cybersecurity and Infrastructure Security Agency cybersecurity rating report: https://www.rankiteo.com/company/cisagov

Center for Internet Security cybersecurity rating report: https://www.rankiteo.com/company/the-center-for-internet-security

Federal Bureau of Investigation (FBI) cybersecurity rating report: https://www.rankiteo.com/company/fbi

"id": "CISTHEFBI1774844752",
"linkid": "cisagov, the-center-for-internet-security, fbi",
"type": "Ransomware",
"date": "7/2021",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'data_breach': {'data_encryption': 'Possible (ransomware data encryption)',
                 'data_exfiltration': 'Possible (threat hunting for signs of '
                                      'data exfiltration)'},
 'date_publicly_disclosed': '2023-05',
 'description': 'CISA, alongside the FBI, NSA, and MS-ISAC, released an '
                'updated #StopRansomware Guide to standardize ransomware '
                'response protocols, outlining structured approaches for '
                'detection, containment, eradication, and recovery from '
                'ransomware attacks.',
 'lessons_learned': 'Ransomware incidents may signal deeper compromises; '
                    'thorough investigation is necessary to prevent '
                    'recurrence. Document lessons learned and share indicators '
                    'of compromise with CISA or sector-specific ISACs.',
 'post_incident_analysis': {'corrective_actions': 'Document lessons learned; '
                                                  'share indicators of '
                                                  'compromise with CISA or '
                                                  'sector-specific ISACs'},
 'ransomware': {'data_encryption': 'Possible', 'data_exfiltration': 'Possible'},
 'recommendations': ['Follow structured incident response protocols for '
                     'ransomware',
                     'Prioritize critical systems for restoration',
                     'Conduct forensic analysis to identify precursor malware '
                     'and persistence mechanisms',
                     'Use offline backups for recovery',
                     'Engage law enforcement and regulatory agencies for '
                     'reporting',
                     'Share indicators of compromise with relevant '
                     'authorities'],
 'references': [{'source': 'CISA #StopRansomware Guide'}],
 'regulatory_compliance': {'regulatory_notifications': 'Follow incident '
                                                       'response plans for '
                                                       'breach disclosures'},
 'response': {'communication_strategy': 'Engage internal stakeholders (IT, '
                                        'leadership, cyber insurers) and '
                                        'external agencies (CISA, FBI); follow '
                                        'incident response plans for breach '
                                        'disclosures',
              'containment_measures': ['Isolate impacted systems by '
                                       'disconnecting networks at the switch '
                                       'level or physically unplugging devices',
                                       'Take snapshots of cloud volumes for '
                                       'forensic review',
                                       'Use out-of-band communication (e.g., '
                                       'phone calls) to avoid tipping off '
                                       'attackers',
                                       "Power down devices if isolation isn't "
                                       'feasible (risking volatile memory '
                                       'loss)'],
              'enhanced_monitoring': 'Examine logs for precursor malware '
                                     '(e.g., Bumblebee, QakBot, Cobalt Strike) '
                                     'and signs of data exfiltration; threat '
                                     'hunting for anomalous activity (e.g., '
                                     'unauthorized Active Directory accounts, '
                                     'suspicious VPN logins, misuse of '
                                     'built-in Windows tools)',
              'incident_response_plan_activated': 'Structured approach for '
                                                  'detection, containment, '
                                                  'eradication, and recovery',
              'law_enforcement_notified': 'FBI, U.S. Secret Service (if '
                                          'applicable)',
              'recovery_measures': ['Prioritize restoration of critical '
                                    'systems (health, safety, revenue)',
                                    'Rebuild systems using clean images or '
                                    'infrastructure-as-code templates',
                                    'Reconnect systems from offline backups '
                                    'while preventing reinfection'],
              'remediation_measures': ['Capture system images, memory dumps, '
                                       'and malware samples for analysis',
                                       'Disable ransomware binaries and remove '
                                       'associated registry entries',
                                       'Disable remote access and reset '
                                       'passwords due to credential theft',
                                       'Identify and remove persistence '
                                       'mechanisms (e.g., rogue accounts, '
                                       'backdoors)'],
              'third_party_assistance': 'CISA, FBI, NSA, MS-ISAC'},
 'stakeholder_advisories': 'Engage internal stakeholders (IT, leadership, '
                           'cyber insurers) and external agencies (CISA, FBI, '
                           'U.S. Secret Service)',
 'title': '#StopRansomware Guide Update for Incident Response',
 'type': 'Ransomware'}