Sorry, you need to enable JavaScript to visit this website.
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.

Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.

The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

  1. Home
  2. Cybersecurity
  3. Ransomware

Ransomware

Get Started

Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.

Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. Malicious actors engage in lateral movement to target critical data and propagate ransomware across entire networks. These actors also increasingly use tactics, such as deleting system backups, that make restoration and recovery more difficult or infeasible for impacted organizations.

Paying the ransom does not guarantee that your organization’s files will be decrypted and that you can resume regular business operations. The most important part of ransomware defense is to implement strong cybersecurity controls to prevent ransomware incidents from occurring.

Ransomware image

Report ransomware

Stop ransomware icon

Every ransomware incident should be reported to the U.S. government. Victims of ransomware incidents can report their incident to the FBI, CISA, or the U.S. Secret Service. A victim only needs to report their incident once to ensure that all the other agencies are notified.

You can report incidents through CISA's reporting portal. To guide incident reporters through the reporting process, CISA has released a voluntary cyber incident reporting resource. It helps entities understand "who" should report an incident, "why and when" they should report, as well as "what and how to report."

More Ransomware Resources

#StopRansomware Guide

This document is a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. This publication was developed through the Joint Ransomware Task Force (JRTF), an interagency body established by Congress in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) to ensure unity of effort in combating the growing threat of ransomware attacks.

Ransomware Risk Management: A Cybersecurity Framework Profile

This Ransomware Profile identifies the NIST Cybersecurity Framework Version 1.1 security objectives that support identifying, protecting against, detecting, responding to, and recovering from ransomware events. The Profile and Companion Quick Start Guide can be used to manage the risk of ransomware events.

Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued an advisory to alert companies that engage with victims of ransomware attacks of the potential sanctions risks for facilitating ransomware payments.

Ransomware Readiness Assessment

The Ransomware Readiness Assessment is a self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend against and recover from a ransomware incident. After completing this evaluation, the organization will receive reports that present the assessment results in both a summarized and detailed manner.

Ransomware Resources

Library of additional NIST-authored ransomware publications.

NTIA Initiatives