Hosted by JANUS, this guide was developed through the U.S. Joint Ransomware Task Force (JRTF) which is co-chaired by CISA and FBI. It is an interagency, collaborative effort to combat the growing threat of ransomware attacks. The JRTF was launched in response to a series of high-profile ransomware attacks on U.S. critical infrastructure and government agencies.

The JRTF:

• Coordinates and streamlines the U.S. Government’s response to ransomware attacks and facilitates information sharing and collaboration between government agencies and private sector partners.
• Ensures operational coordination for activities such as developing and sharing best practices for preventing and responding to ransomware attacks, conducting joint investigations and operations against ransomware threat actors, and providing guidance and resources to organizations victimized by ransomware.
• This represents a significant step forward in enabling unity of effort across the U.S Government’s efforts to address the growing threat of ransomware attacks.

This guide is an update to the Joint Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) Ransomware Guide released in September 2020 (see What’s New) and was developed through the JRTF.
This guide includes two primary resources:

• Part 1: Ransomware and Data Extortion Prevention Best Practices
• Part 2: Ransomware and Data Extortion Response Checklist

Part 1 provides guidance for all organizations to reduce the impact and likelihood of ransomware incidents and data extortion, including best practices to prepare for, prevent, and mitigate these incidents. Prevention best practices are grouped by common initial access vectors. Part 2 includes a checklist of best practices for responding to these incidents.

These ransomware and data extortion prevention and response best practices and recommendations are based on operational insight from CISA, MS-ISAC, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), hereafter referred to as the authoring organization. The audience for this guide includes information technology (IT) professionals and others within an organization involved in developing cyber incident response policies and procedures or coordinating the cyber incident response.

What’s New
These ransomware and data extortion prevention and response best practices and recommendations are based on operational insight from CISA, MS-ISAC, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), hereafter referred to as the authoring organization. The audience for this guide includes information technology (IT) professionals and others within an organization involved in developing cyber incident response policies and procedures or coordinating the cyber incident response.

• Added FBI and NSA as co-authors based on their contributions and operational insight.
• Added recommendations for preventing common initial infection vectors, including compromised credentials and advanced forms of social engineering.
• Updated recommendations to address cloud backups and zero trust architecture (ZTA).
• Expanded the ransomware response checklist with threat-hunting tips for detection and analysis.
• Mapped recommendations for CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).