White House Memorandum to Corporate Executives on Ransomware

Earlier this morning, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) widely disseminated to industry partners across all sectors a memorandum from Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, captioned, “What We Urge You To Do To Protect Against The Threat of Ransomware.”

The recent cyber attacks on the Colonial Pipeline Company, the principal supplier of fuels for the southeastern and eastern regions of the United States, and JBS USA, a leading producer of meats in the United States, underscore the severity of the ransomware threat and the importance of effective and sustained risk mitigating actions.

In a ransomware attack, the perpetrator compromises a targeted network and introduces a form of malicious software that encrypts programs and files to prevent their access and use. Simultaneously, a demand for a ransom payment is made – with a deadline set – to receive the decryption code. In the attack against Colonial Pipeline, the perpetrator also exfiltrated – stole – a high volume of data files and threatened publication if the ransom demand was not met by the deadline set. Use of this extortion tactic is expanding as well.

A key point to emphasize on the ransomware threat is that, generally, perpetrators exploit known vulnerabilities and common weaknesses in cybersecurity hygiene. All organizations should review the effectiveness of their implementation of fundamental cybersecurity measures. The White House memorandum, which accompanies this advisory as an attachment, reinforces and expands upon this fundamental preparedness measure.

Ransomware points addressed by the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology follows.

• “The number and size of ransomware incidents have increased significantly, and strengthening our nation’s resilience from cyberattacks – both private and public sector – is a top priority of the President’s.”
• The Federal Government is “working with like-minded partners around the world to disrupt and deter ransomware actors.”
• The ongoing efforts encompass:
  • Disruption of ransomware networks;
  • Engagement with international partners to hold countries that harbor ransomware actors accountable; and
  • Development of cohesive and consistent policies towards ransom payments, with enabling of capabilities for rapid tracing and interdiction of virtual currency proceeds.
• The memorandum specifically cites the “critical responsibility” of private sector organizations “to protect against these threats.”
• Highlighted as the “most important takeaway from the recent spate of ransomware attacks” is a key distinction: “companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively.”
• To ensure understanding and effectively address the risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans” – in order to assure the ability to continue or quickly restore operations.
• Under the heading, “What We Urge You To Do Now,” the memorandum delineates “a small number of highly impactful steps to help you focus and make rapid progress on driving down risk.”

Ransomware preventions steps:

1. Implement the best practices listed in the President’s Executive Order on Improving the Nation’s Cybersecurity. These practices are:
   1. Multifactor authentication (because passwords alone are routinely compromised);
   2. Endpoint detection and response (to hunt for malicious activity on a network and block it);
   3. Encryption (so if data is stolen, it is unusable); and
   4. A skilled, empowered security team (to patch rapidly, and share and incorporate threat information in defenses).
   5. Implementing and sustaining these practices will significantly reduce the risk of a successful cyber attack.
2. Backup data, system images, and configurations, regularly test them, and keep the backups offline. Ensure that backups are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if network data is encrypted with ransomware, the targeted organization can restore systems.
3. Update and patch systems promptly – including operating systems, applications, and firmware. Consider using a centralized patch management system; and use a risk-based assessment strategy to drive your patch management program.
4. Test the organizational cyber incident response plan. Pose core questions as a means of reviewing and enhancing the cyber incident response plan:
   1. Can the organization sustain business operations without access to certain systems?
   2. If so, for how long?
   3. Would operational systems be shut down if business systems such as billing were offline?
5. Check the organizational cybersecurity team’s work. Use a 3rd party penetration tester to test the cybersecurity of systems and the ability to defend against a sophisticated attack.
6. Segment networks. It is critically important that corporate business functions and manufacturing/production operations are separated. Internet access to operational systems must be carefully filtered and limited. Identify links between these networks and develop workarounds or manual controls to ensure operational networks can be isolated and continue functioning if the corporate network is compromised. Regularly test contingency plans, such as manual controls, so that safety critical functions can be maintained during a cyber incident.

The White House memorandum concludes with the commitment that the “federal government stands ready to help you implement these best practices.” In support of this purpose, additional resources are listed:

• FACT SHEET: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks; and
• CISA – RANSOMWARE GUIDANCE AND RESOURCES.