The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is launching its Pre-Ransomware Notificaiton Initiative designed to help organizations thwart ransomware attacks in the early stages of incidents as ransomware actors dwell in a victim’s environment before deploying the ransomware.
According to CISA, that window of time–which can last from hours to days–gives the agency enough time to warn organizations that ransomware actors have gained initial access to their networks. Such a warning could help victims kick the threat actors out of their environment before they have a chance to encrypt data and hold it hostage for a ransom payment.
The agency says the effort relies on the Joint Cyber Defense Collaborative (JCDC)–a public-private partnership leveraging the global cyber community to help defend networks– and tips from the cybersecurity research community, infrastructure providers and threat intelligence companies about potential early-stage ransomware activity.
Once the agency is notified, field personnel across the country work to notify the victim and provide specific mitigation guidance. Where a tip relates to a company outside of the U.S., CISA works with its international counterparts to notify organizations.
According to CISA, the agency has already notified over 60 entities in energy, healthcare, water/wastewater/ education and other sectors about potential pre-ransomware intrusions, and many of them have confirmed the intrusion and mitigated the attack before encryption of exfiltration of data occurred.
In cases where threat actors have already encrypted data, the JCDC will help the victim organization recover and reduce the impact of an attack. These actions include providing information to help identify the data that may have been exfiltrated from a victim’s network and, as well as details of the intrusion to support investigate and remediation efforts, the agency says.
This activity will also help agencies create cybersecurity advisories on ransomware actors and variants to enable network defense at scale as part of CISA”s ongoing campaign against ransomware.
However, to make this initiative work, organizations must report observed activity, including ransomware indicators of compromise and tactics, techniques and procedures (TTPs) to CISA, the FBI and U.S. Secret Service.
Any organization or individual with information about early-stage ransomware activity is urged to contact CISA at [email protected].
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!