Ransomware Guidance and Resources


Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid. In recent years, ransomware incidents have become increasingly prevalent among the Nation’s state, local, tribal, and territorial (SLTT) government entities and critical infrastructure organizations.

Malicious actors continue to adjust and evolve their ransomware tactics over time, and CISA analysts remain vigilant in maintaining awareness of ransomware attacks and associated tactics, techniques, and procedures across the country and around the world: See CISA's Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak

Looking to learn more about this growing cyber threat? The NEW Ransomware Guide is a great place to start. The Guide, released in September 2020, represents a joint effort between CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The joint Ransomware Guide includes industry best practices and a response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans. 

In January 2021, CISA unveiled the Reduce the Risk of Ransomware Campaign to raise awareness and instigate actions to combat this ongoing and evolving threat. The campaign is a focused, coordinated and sustained effort to encourage public and private sector organizations to implement best practices, tools and resources that can help them mitigate ransomware risk.

Ransomware Guide Ransomware Outbreak Stakeholder Toolkit K-12 Resources
Ransomware Guide CISA Insights - Ransomware Outbreak Ransomware
Campaign Toolkit
K-12 Resources

We invite you to click on resources below to find additional Ransomware-related information. These resources are designed to help individuals and organizations prevent attacks that can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. We also encourage you to take a look at some of the other resources made available by our interagency partners, namely NIST at the Department of Commerce, as well as the National Cyber Investigative Joint Task Force.

Alerts & StatementsAlerts and Statements
Official CISA updates to help stakeholders guard against the ever-evolving ransomware threat environment. These alerts are geared toward system administrators and other technical staff to bolster their organization’s security posture.

Checklists and GuidesGuides and Services
Tips and best practices for home users, organizations, and technical staff to guard against the growing ransomware threat.

Fact Sheets & InfographicsFact Sheets and Infographics
Easy-to-use, straightforward information to help organizations and individuals better understand the threats from and the consequences of a ransomware attack. 

Trainings & WebinarsTrainings and Webinars
This information provides technical and non-technical audiences, including managers, business leaders, and technical specialists with an organizational perspective and strategic overview.

Ransomware FAQs

What is ransomware and how do malicious cyber actors use ransomware to attack their victims?

Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid. In recent years, ransomware incidents have become increasingly prevalent among the Nation’s state, local, tribal, and territorial (SLTT) government entities and critical infrastructure organizations.

Malicious actors continue to adjust their ransomware tactics over time, to include pressuring victims for payment by threatening to release stolen data if they refuse to pay, and publicly naming and shaming victims as secondary forms of extortion. Malicious actors engage in lateral movement to target critical data and propagate ransomware across entire networks. These actors also increasingly use tactics, such as deleting system backups, that make restoration and recovery more difficult or infeasible for impacted organizations. 

Who is at risk from a ransomware attack?

Anyone with a computer connected to the internet and anyone with important data stored on their computer or network is at risk, including government or law enforcement agencies and healthcare systems or other critical infrastructure entities. 

What are the impacts of ransomware?

Ransomware can be devastating to an individual or an organization. Some victims pay to recover their files, but there is no guarantee that they will recover their files if they do. Recovery can be a difficult process that may require the services of a reputable data recovery specialist.

Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. The monetary value of ransom demands has increased, with some demands exceeding $1 million. Ransomware incidents have become more destructive and impactful in nature and scope. The economic and reputational impacts of ransomware incidents, throughout the initial disruption and, at times, extended recovery, have also proven challenging for organizations large and small.

Who are malicious ransomware actors?

Malicious actors can be nation-state actors trying to cause harm to critical infrastructure, or cybercriminals trying to enrich themselves.

What are some mitigations against ransomware?

CISA recommends the following precautions to protect users against the threat of ransomware:

  • Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
  • Never click on links or open attachments in unsolicited emails.
  • Back up data on a regular basis. Keep it on a separate device and store it offline.
  • Follow safe practices when using devices that connect to the Internet. Read Good Security Habits for additional details.

What are other best practices against ransomware?

In addition, CISA also recommends that organizations employ the following best practices:

  • CISA released a guide for parents, teachers and school administrators that provides information to prevent or mitigate malicious cyber actors from targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, theft of data, and the disruption of learning services.
  • Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
  • Use application allow listing to allow only approved programs to run on a network.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
 

    Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.

    Please share your thoughts.
    We recently updated our ransomware product survey and we would welcome your anonymous feedback. 

    Was this webpage helpful?  Yes  |  Somewhat  |  No