Release of CISA/MS-ISAC Ransomware Guide

Critical Infrastructure Colleagues and Partners,

As the nation’s risk advisor, the Cybersecurity and Infrastructure Security Agency (CISA) is committed to helping our state, local, tribal, and territorial (SLTT) and industry partners defend against today’s threats and collaborate to build a more secure and resilient infrastructure for the future. One-way CISA works to enhance our partners’ ability to manage cyber risk is through sharing best practices that are actionable for network defense, including practices to address the multi-faceted risk posed by ransomware.

Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. In recent years, ransomware incidents have become increasingly prevalent among the Nation’s SLTT government entities and critical infrastructure organizations. Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. Malicious actors have adjusted their ransomware tactics over time to include pressuring victims for payment by threatening to release stolen data if they refuse to pay and publicly naming and shaming victims as secondary forms of extortion. The monetary value of ransom demands has also increased, with some demands exceeding US $1 million.

Ransomware incidents have become more destructive and impactful in nature and scope. Malicious actors engage in lateral movement to target critical data and propagate ransomware across entire networks. These actors also increasingly use tactics, such as deleting system backups, that make restoration and recovery more difficult or infeasible for impacted organizations. The economic and reputational impacts of ransomware incidents, throughout the initial disruption and, at times, extended recovery, have also proven challenging for organizations large and small.

Today, CISA is announcing the release of our joint Ransomware Guide, developed in coordination with the Multi-State Information Sharing and Analysis Center (MS-ISAC)®. The Ransomware Guide is now available on CISA’s website at

This resource was developed with a target audience of SLTT governments and small-to-midsize businesses but is widely applicable for all CISA partners.

The Ransomware Guide has two parts:

First, the Guide focuses on best practices for ransomware prevention, detailing practices that our partners should continuously engage in to help manage the risk posed by ransomware and other cyber threats. This information is intended to proactively set our partners up for success if they are confronted with malicious cyber activity associated with ransomware. These ransomware best practices and recommendations are based on operational insight from CISA and the MS-ISAC.

Second, the Guide includes a step-by-step prioritized ransomware response checklist that organizations can use as an annex to their cyber incident response plans. Proactive risk management is the focus of CISA’s assistance to partners. If your organization should become impacted by a cyber incident it is important to have an agreed-upon plan and communications strategy, in-advance, that helps your organization get back to business in a coordinated and efficient manner. It includes steps an organization should take if impacted by a ransomware incident and outlines how to request assistance from the Federal Government. All organizations need a plan.

Outside of the development of this Ransomware Guide, CISA has also worked extensively with our SLTT, industry, federal and international partners and allies to share information around the topic of ransomware. This has been mutually beneficial in helping us further share and apply this information to support capabilities that help defend public and private organizations, including SLTT governments and election organizations. Managing the risk associated with ransomware and other cyber threats is especially important in the era of COVID-19 with the quick and overwhelming transition of many organizations to remote work. To that end, CISA has released guidance to help organizations manage the risks that this transition poses, with ransomware being a prominent threat taken into account. CISA has also engaged in proactive outreach to warn SLTT and industry partners regarding critical vulnerabilities present on their networks that could enable malicious cyber activity and eventual ransomware infection.

CISA understands that ransomware is one of the most critical threats facing our partners and stands ready to assist. If you have questions or would like to learn more about cyber risk management resources available from CISA, please contact us.

State, local, tribal, and territorial (SLTT) organizations:

Private sector organizations:

Thank you,

Robert Devitt

Management & Program Analyst, Stakeholder Engagement Division

Cybersecurity and Infrastructure Security Agency

O: 202-705-6588 | M: 202-615-9403 |