NIST Publishes Draft Ransomware Risk Management Guidance

The National Institute of Standards and Technology (NIST) is seeking comments on new draft guidance to help businesses protect against ransomware attacks and recover quickly should an attack succeed.

Ransomware attacks on businesses increased sharply in 2020, with many threat actors also exfiltrating data prior to encrypting files. This double extortion tactic pressures victims into paying the ransom to prevent the sale or exposure of data stolen in the attack. Most of the major ransomware operations have adopted this tactic, which has increased the percentage of companies paying ransoms.

Ransomware attacks can cripple businesses causing major financial losses, with many small businesses forced to permanently close following an attack. It is essential for businesses to prepare to ensure recovery will be possible and to limit the harm caused.

The NIST Cybersecurity Framework Profile for Ransomware Risk Management outlines basic measures that businesses can implement to improve their security posture and prevent attacks from succeeding, as well as providing a risk management framework to also ensure a quick response with minimal disruption should an attack succeed. The guidance can be used by businesses that have already adopted the NIST Cybersecurity Framework to improve their risk postures or by any business that needs to implement a risk management framework to deal with ransomware threats.

As with the NIST Cybersecurity Framework, the Ransomware Profile is divided into five categories: Identify, Protect, Detect, Respond, and Recover. Each category includes several subcategories along with selected informative references, with the references pointing to guidance on how to achieve the objective of each category. The Profile also details how each of the Cybersecurity Framework categories applies to ransomware and how ransomware risk can be effectively managed.

“The purpose of the profile is to help organizations identify and prioritize opportunities for improving their ransomware resistance,” explained NIST. “Organizations can use this document as a guide for profiling the state of their own readiness. For example, they can determine their current state and set a target profile to identify gaps to achieve their goal.”

Following the guidance will allow businesses to significantly improve their defenses against ransomware and make it much harder for an attack to succeed. However, even the best defenses can be breached, so it is also essential for businesses to plan for the worst.

Preparation is key to a swift recovery. That requires businesses to develop and test an incident response plan that can be implemented immediately in the event of an attack. An up-to-date list must be maintained that includes the contact information of all individuals, agencies, and third parties that need to be consulted in the event of an attack. It is also essential for businesses to develop and implement a comprehensive backup and recovery strategy to ensure data can be recovered quickly in the event of file encryption and/or data theft.

The draft version of the Ransomware Profile has been released for review, with comments being accepted until July 9, 2021. All comments will be considered and the guidance will be updated, after which there will be a further comment period before the final ransomware profile is published.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of