CISA MS-ISAC Ransomware Guide Updated for 2023

Ransomware is the leading information security threat to have emerged in recent years, and it is only getting worse. In the first six months of this year, 1,393 organizations have issued data breach notifications. If this pace continues, and there is no reason to think it won't, 2023 will surpass the record of 1,862 data breaches reported in 2021. Ransomware accounts for a large share of this sad total.

Back in 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released their first Ransomware Guide to help organizations respond effectively to this threat. In the three years since, however, ransomware has evolved greatly, so they have released an updated guide, now titled the #StopRansomware Guide. The guide was developed through the U.S. Joint Ransomware Task Force (JRTF), which is co-chaired by CISA and the FBI. The new title incorporates the #StopRansomware effort. (#StopRansomware is a one-stop hub of ransomware resources for individuals, businesses and other organizations. The StopRansomware.gov website is a collaborative effort across the federal government and is the first joint website created to help private and public organizations mitigate their ransomware risk. It contains the latest ransomware information and advisories produced by federal authorities.)

The #StopRansomware Guide has two parts: part 1 concerns ransomware and data extortion prevention best practices, and part 2 is a ransomware and data extortion response checklist. The two parts represent current best practices and recommendations based on operational insight from CISA, MS-ISAC, the National Security Agency (NSA), and the FBI (these are known as the authoring organizations). The changes made from the old guide to this current version include:

  • Added FBI and NSA as co-authors based on their contributions and operational insight.
  • Incorporated the #StopRansomware effort into the title.
  • Added recommendations for preventing common initial infection vectors, including compromised credentials and advanced forms of social engineering.
  • Updated recommendations to address cloud backups and zero trust architecture (ZTA).
  • Expanded the ransomware response checklist with threat hunting tips for detection and analysis.
  • Mapped recommendations to CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).

In my next series of blogs, I will go into detail about the latest best-practice recommendations for ransomware prevention and response contained in the new #StopRansomware Guide. To get started, here are the initial steps the guide recommends that all organizations undertake to prepare and protect their facilities, personnel, and customers from cyber and physical security threats and other hazards:

  • Join a sector-based information sharing and analysis center (ISAC), where eligible, such as:
    • MS-ISAC for U.S. State, Local, Tribal, & Territorial (SLTT) Government Entities – learn.cisecurity.org/ms-isac-registration. MS-ISAC membership is open to representatives from all 50 states, the District of Columbia, U.S. Territories, local and tribal governments, public K-12 education entities, public institutions of higher education, authorities, and any other non-federal public entity in the United States.
    • Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC) for U.S. Elections Organizations – learn.cisecurity.org/ei-isac-registration. (See the National Council of ISACs for more information).
  • Contact CISA at CISA.JCDC@cisa.dhs.gov to collaborate on information sharing, best practices, assessments, exercises, and more.
  • Contact your local FBI field office for a list of points of contact (POCs) in the event of a cyber incident.

Remember, ransomware groups such as CLOP are ruthless, talented and waiting to pounce on any organization, government or private sector, that they are able to compromise. Get started today on educating your personnel and preparing to resist and respond to ransomware attacks.