Ransomware attacks against companies and government agencies have become very evident but more are not even disclosed, the Department of Homeland Security’s cyber security agency says in a new blog post.

Many ransomware “infections are going unreported, ransoms are being paid, and the vicious ransomware cycle continues on,” the Cybersecurity and Infrastructure Security Agency (CISA) says.

The agency urges private sector and government organizations to think of potential ransomware infections as attacks to be prevented rather than just paying off the ransom to regain access to computers and networks.

“We strongly encourage you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network (do you really trust a cybercriminal?),” the agency says in CISA Insights, a new product for its stakeholders.

Ransomware has infected local government networks in at least several high-profile attacks in the last year or more, including 22 towns in Texas this week, another in Baltimore earlier this year, and another in Atlanta in March 2018. In 2017, the WannaCry virus was used against healthcare companies.

“Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation’s networks, locking up private sector organizations and government agencies alike,” CISA says.

CISA bills itself as the “nation’s risk adviser” and works with the public and private sectors to defend critical infrastructures and make them more secure and resilient to fight off future threats.

The agency puts forth several broad recommendations to help organizations be more resilient against ransomware to “limit damage, and recover smartly and effectively.”

Under the immediate actions category, CISA recommends that organizations back up their data and configurations, patch systems, maintain current security solutions, review and exercise response plans, and learn from ransomware attacks against others.

When a ransomware infection has been discovered, “Don’t Let a Bad Day Get Worse,” CISA recommends, highlighting the need to contact them, the FBI or the Secret Service. The agency says to work with someone who has the experience to help an organization recover, go through the checklist of other organizations that “touch your network,” and “isolate” the infected parts of network. It also suggests prioritizing recovery of systems based on business needs.

Finally, to secure against future threats, CISA makes a number of recommendations, including the waterfront of cyber hygiene such as backing up data, privilege limits, and multifactor authentications. It also says organizations should segment their networks to make it harder for threats to move among systems, make it difficult for hackers to exfiltrate data, and review plans to network recovery.

The first CISA Insights product follows a press release in late July from the agency and several partners, including the Multi-State Information Sharing and Analysis Center, the National Governors Association, and the National Association of State Chief Information Officers, highlighting the increasing number of ransomware attacks against state and local governments.

“The growing number of such attacks highlights the critical importance of making cyber preparedness a priority and taking the necessary steps to secure our networks against adversaries,” the July 29 release said. “Prevention is the most effective defense against ransomware.”