The Cybersecurity and Infrastructure Security Agency (CISA) has released guidance for handling ransomware, after a scourge of attacks has hit hospitals, school districts and local governments across the country.

In its release, CISA — an entity within the Department of Homeland Security charged with securing the nation’s critical infrastructure from cyberattacks — said ransomware attacks have “rapidly emerged as the most visible cybersecurity risk playing out across our nation’s networks.” The guidance comes just two days after malicious actors launched ransomware attacks on over 20 Texas municipalities, which Texas officials called a “coordinated ransomware attack.”

The release contains 15 steps under three categories: actions for today, actions to recover if impacted, and actions to secure your environment going forward. CISA wrote that the plan is meant “to help organizations limit damage, and recover smartly and effectively.”

The guidance is the first part of a new CISA program providing recommendations for defense against different cyberthreats, dubbed “CISA Insights.” CISA wrote that defending organizations from ransomware is a “chief priority” for the agency.

To protect against ransomware, CISA recommends backing up data and systems, while keeping those backups disconnected from the internet. It also recommends updating systems and reviewing incident response plans.

CISA wrote that organizations, if attacked, should review any connections that the compromised network has to networks of business partners. To secure a network going forward, CISA said to segment networks to make it harder for malicious actors to move throughout the networks — minimizing the damage they can do — as well as create containment strategies to prevent data from being removed or copied.

CISA also slighted entities that have paid off ransomware attackers, asking “do you really trust a cybercriminal?” Organizations across the country have tackled recovery in different ways. Some have opted to pay the ransom, while others have declined to pay and rebuilt their network infrastructure.

In perhaps the highest-profile ransomware attack this year, the city of Baltimore’s network was attacked in May. The city has opted to rebuild its infrastructure, costing millions. But some cities in Florida opted to pay the ransom. These attacks, CISA warned, are just the tip of the iceberg.

“That’s only what we’re seeing — many more infections are going unreported, ransoms are being paid, and the vicious ransomware cycle continues on,” CISA wrote. “We strongly urge you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network.”