CISA gives ransomware victims a heads-up
The Pre-Ransomware Notification Initiative takes advantage of the time between initial penetration and data theft or encryption to notify victims so they can identify and eliminate hackers from their system.
With ransomware incidents accelerating and attackers changing their methods from holding data for ransom to extorting victims by threatening to release data, any advance notice of attacks would boost defense for schools, public health facilities and local government agencies.
This week the Cybersecurity and Infrastructure Security Agency launched a Pre-Ransomware Notification Initiative designed to help organizations more quickly remedy the vulnerabilities ransomware actors are relying on.
The initiative, which CISA officials said has already produced results, relies on taking advantage of the window between when hackers gain initial system access and when they begin to steal or encrypt data. Even with only a few hours’ notice, officials said CISA can help organizations identify and eliminate attackers from their networks before they take systems hostage.
This early warning reduces the “potential loss of data, impact on operations, financial ramifications and other detrimental consequences of ransomware deployment,” Clayton Romans, associate director of the Joint Cyber Defense Collaborative, wrote in a CISA blog post.
Since January, CISA has notified more than 60 entities of early-stage ransomware, including those providing education, energy, health care and public health and water services. Many organizations “identified and remediated the intrusion before encryption or exfiltration occurred,” said Romans.
The notifications are based on insights from the Joint Cyber Defense Collaborative, which gets tips from cybersecurity researchers, infrastructure providers and cyber threat intelligence companies about potential early-stage ransomware activity.
Once a threat is identified, CISA field personnel notify the victim organization and provide specific mitigation guidance. If a network has already been compromised, JCDC works with victims to help them understand the specific threat actor’s tactics, techniques and procedures as well as mitigate the impact of an attack.
JCDC can, for example, help identify data that may have been exfiltrated and uncover intrusion details that will support investigation and remediation, Romans said. It also works with the cybersecurity research community and others to develop advisories on ransomware actors and variants to as part of CISA’s stopransomware.gov program.
“Continuing to enhance our collective cyber defense is contingent upon persistent collaboration and information sharing between partners across government and the private sector,” Romans said. He urged organizations to report ransomware indicators to CISA, the FBI or the U.S. Secret Service.
Announcement of the pre-ransomware notification initiative comes shortly after CISA launched its Ransomware Vulnerability Warning Pilot to identify the most common vulnerabilities exploited in ransomware attacks and warn organizations if their systems already contain these vulnerabilities.
Any organization or individual with information about early-stage ransomware activity is urged to contact CISA at Report@cisa.dhs.gov.