Stop Ransomware Guide May 2023


Ransomware is a form of malware designed to encrypt files on a device, rendering them and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Over time, malicious actors have adjusted their ransomware tactics to be more destructive and impactful and have also exfiltrated victim data and pressured victims to pay by threatening to release the stolen data. The application of both tactics is known as “double extortion.” In some cases, malicious actors may exfiltrate data and threaten to release it as their sole form of extortion without employing ransomware.

These ransomware and associated data breach incidents can severely impact business processes by leaving organizations unable to access necessary data to operate and deliver mission-critical services. The economic and reputational impacts of ransomware and data extortion have proven challenging and costly for organizations of all sizes throughout the initial disruption and, at times, extended recovery.

This guide is an update to the Joint Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC) Ransomware Guide released in September 2020 (see What’s New) and was developed through the JRTF. This guide includes two primary resources:

  • Part 1: Ransomware and Data Extortion Prevention Best Practices
  • Part 2: Ransomware and Data Extortion Response Checklist

Part 1 provides guidance for all organizations to reduce the impact and likelihood of ransomware incidents and data extortion, including best practices to prepare for, prevent, and mitigate these incidents. Prevention best practices are grouped by common initial access vectors. Part 2 includes a checklist of best practices for responding to these incidents.

These ransomware and data extortion prevention and response best practices and recommendations are based on operational insight from CISA, MS-ISAC, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), hereafter referred to as the authoring organizations. The audience for this guide includes information technology (IT) professionals as well as others within an organization involved in developing cyber incident response policies and procedures or coordinating cyber incident response.

The authoring organizations recommend that organizations take the following initial steps to prepare and protect their facilities, personnel, and customers from cyber and physical security threats and other hazards:

  • Join a sector-based information sharing and analysis center (ISAC), where eligible, such as:
  • MS-ISAC for U.S. State, Local, Tribal, & Territorial (SLTT) Government Entities – MS-ISAC membership is open to representatives from all 50 states, the District of Columbia, U.S. Territories, local and tribal governments, public K-12 education entities, public institutions of higher education, authorities, and any other non-federal public entity in the United States.
  • Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC) for U.S. Elections Organizations –

See the National Council of ISACs for more information.

  • Contact CISA at to collaborate on information sharing, best practices, assessments, exercises, and more.
  • Contact your local FBI field office for a list of points of contact (POCs) in the event of a cyber incident.

Engaging with peer organizations and CISA enables your organization to receive critical and timely information and access to services for managing ransomware and other cyber threats.
What’s New
Since the initial release of the Ransomware Guide in September 2020, ransomware actors have accelerated their tactics and techniques.

To maintain relevancy, add perspective, and maximize the effectiveness of this guide, the following changes have been made:

  • Added FBI and NSA as co-authors based on their contributions and operational insight.
  • Incorporated the #StopRansomware effort into the title.
  • Added recommendations for preventing common initial infection vectors, including
  • compromised credentials and advanced forms of social engineering.
  • Updated recommendations to address cloud backups and zero trust architecture (ZTA).
  • Expanded the ransomware response checklist with threat hunting tips for detection and
  • analysis.
  • Mapped recommendations to CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).

Leave a Reply

Your email address will not be published. Required fields are marked *