Cybersecurity and Infrastructure Security Agency (CISA) | Cybersecurity and Infrastructure Security Agency (CISA)
Over the past several years, ransomware attacks have caused extraordinary harm to American organizations: schools forced to close, hospitals required to divert patients, companies across all sectors facing operational disruption and expending untold sums on mitigation and recovery. At CISA, we are working with partners to take every possible step to reduce the prevalence and impact of ransomware attacks. We recently announced an important initiative to help organizations more quickly fix vulnerabilities that are targeted by ransomware actors. Today, we’re excited to announce a related effort that is already showing impact in actually reducing the harm from ransomware intrusions: our Pre-Ransomware Notification Initiative. Like our work to reduce the prevalence of vulnerabilities, this effort is coordinated as part of our interagency Joint Ransomware Task Force.
| Report RansomwareWe urge organizations to report observed activity, including ransomware indicators of compromise and tactics, techniques, and procedures, to CISA or our federal law enforcement partners. You can find information on reporting at stopransomware.gov. |
This remarkable effort relies on two key elements. First, our Joint Cyber Defense Collaborative (JCDC) gets tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity. Without these tips, there are no notifications! Any organization or individual with information about early-stage ransomware activity is urged to contact us at Report@cisa.dhs.gov. Once we receive a notification, our field personnel across the country get to work notifying the victim organization and providing specific mitigation guidance. Where a tip relates to a company outside of the United States, we work with our international CERT partners to enable a timely notification.
Although we’re in the early days, we’re already seeing material results: since the start of 2023, we’ve notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred.
In cases where ransomware actors have already encrypted a network and are holding data and systems for ransom, JCDC works closely with the victim organizations to provide threat actor tactics, techniques, and procedures (TTPs) as well as guidance to help reduce the impact of an attack. For example, we have provided information to help identify the data that may have been exfiltrated from an affected entity’s network as well as details of the intrusion to support investigative and remediation efforts. JCDC also works with the cybersecurity research community and others to develop cybersecurity advisories on ransomware actors and variants to enable improved network defense at scale as part of our ongoing #StopRansomware campaign.
Continuing to enhance our collective cyber defense is contingent upon persistent collaboration and information sharing between partners across government and the private sector. To enable the broader cyber community to benefit from valuable threat intelligence, we urge organizations to report observed activity, including ransomware indicators of compromise and TTPs, to CISA or our federal law enforcement partners, including the FBI and the U.S. Secret Service. You can find information on ransomware reporting and view additional resources to manage ransomware risk at stopransomware.gov.
Original source can be found here