Federal officials urged state and local government and education leaders this week to focus on some of the Federal government’s top existing resources in the fight against ransomware attacks, including one principle that’s easy to say but harder to do: don’t meet ransom demands.
During a FedInsider online event on Oct. 4, David Stern from the Cybersecurity and Infrastructure Security Agency (CISA), along with the Government Accountability Office’s (GAO) Dave Hinchman, laid out the ransomware landscape for state, local, tribal, and territorial (SLTT) entities as well as K-12 institutions, and pointed to Federal resources that can help.
Since the beginning of the coronavirus pandemic, schools and SLTTs have seen an unprecedented number of adversaries demanding ransom in exchange for stolen data.
The Feds’ advice – don’t pay them.
“Even if you do get encrypted, we do not recommend paying ransom. This supports the activities of organized criminal groups that really can’t be trusted,” said Stern, an employee within CISA’s Joint Cyber Defense Collaborative.
He emphasized the dangers posed by attackers, and warned that they are “very sophisticated and professionalized organizations.”
“It’s important to understand this because they’re making an investment in their activities, and they need to monetize their intrusions into your organization and the sensitive data to break even. So, the best thing you can do to interrupt that is not to pay,” Stern said to the online audience of state and local leaders as well as K-12 educators.
To prepare to defend against attacks, the first stop needs to be the Federal government’s stopransomware.gov site, said Hinchman, who is Acting Director of Information and Cybersecurity at GAO.
“Internally there’s a lot of good practices we can develop in our own organizations that will help,” he said.
Hinchman ticked off some of the main actions that SLTTs and educational institutions can take – including implementing user training, running phishing exercises, making offline backups of data, and installing multifactor authentication.
Finally, he drilled into the importance of just having a plan. As with going to war, Hinchman said, making a plan for the first five to 15 minutes of action is crucial.
“Establishing an incident response plan and a contingency plan that are well documented, and – most importantly – exercised so that people have the muscle memory,” Hinchman said. “When over a long weekend an attack happens, the person who’s on the spot knows what to do right away and can start putting the plan in action.”