The National Cyber Investigative Joint Task Force (NCIJTF) on Friday released a joint-sealed ransomware factsheet detailing common attack techniques and means to ensure prevention and mitigation.
The factsheet has been developed by an interagency group of experts in ransomware, from more than 15 government agencies, and is meant to help increase awareness of the threat that ransomware poses to critical infrastructure.
The two-page document explains that, in addition to encrypting the data on victim systems to make it unusable, ransomware operators might also pressure victims into paying the ransom by threatening to destroy the data or release it to the public.
Ransomware attacks affect all sectors, including state, local, tribal, and territorial governments, but also impact hospitals, police, fire departments, municipalities, and other critical infrastructure.
Common ransomware infection vectors, the document explains, include email phishing campaigns (in which victims receive messages with malicious attachments or links to ransomware), remote desktop protocol (RDP) misconfigurations, and software vulnerabilities.
Ransomware has already had a great impact on the public sector, yet the total costs associated with a ransomware infection are often difficult to calculate, as they involve not only the ransom paid, but also recovery and possibly additional costs.
While one U.S. county ended up paying $132,000 to Ryuk operators to recover encrypted systems, another spent $1 million to rebuild its systems using new equipment instead of paying a $1.2 million ransom.
One U.S. city that refused to pay the 13 Bitcoin (approximately $76,000) ransom to Robin Hood ransomware operators, however, ended up spending more than $9 million to restore systems and services.
Using multi-factor authentication, ensuring that systems are always updated and patched, and keeping data, system images, and configurations backed up should help minimize risks associated with ransomware.
The FBI says that ransomware victims should not pay the ransom, as this does not guarantee that data is recovered, but instead encourages cybercriminals to target more individuals and organizations. Victims are encouraged to report attacks, to help track ransomware operators.