Getting Ahead of the Ransomware Epidemic: CISA’s Pre-Ransomware Notifications Help Organizations Stop Attacks Before Damage Occurs

Over the past several years, ransomware attacks have caused extraordinary harm to American organizations: schools forced to close, hospitals required to divert patients, companies across all sectors facing operational disruption and expending untold sums on mitigation and recovery. At CISA, we are working with partners to take every possible step to reduce the prevalence and impact of ransomware attacks. We recently announced an important initiative to help organizations more quickly fix vulnerabilities that are targeted by ransomware actors. Today, we’re excited to announce a related effort that is already showing impact in actually reducing the harm from ransomware intrusions: our Pre-Ransomware Notification Initiative. Like our work to reduce the prevalence of vulnerabilities, this effort is coordinated as part of our interagency Joint Ransomware Task Force.

We know that ransomware actors often take some time after gaining initial access to a target before encrypting or stealing information, a window of time that often lasts from hours to days. This window gives us time to warn organizations that ransomware actors have gained initial access to their networks. These early warnings can enable victims to safely evict the ransomware actors from their networks before the actors have a chance to encrypt and hold critical data and systems at ransom. Early warning notifications can significantly reduce potential loss of data, impact on operations, financial ramifications, and other detrimental consequences of ransomware deployment.

This remarkable effort relies on two key elements. First, our Joint Cyber Defense Collaborative (JCDC) gets tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity. Without these tips, there are no notifications! Any organization or individual with information about early-stage ransomware activity is urged to contact us at Report@cisa.dhs.gov. Once we receive a notification, our field personnel across the country get to work notifying the victim organization and providing specific mitigation guidance. Where a tip relates to a company outside of the United States, we work with our international CERT partners to enable a timely notification. 

Although we’re in the early days, we’re already seeing material results: since the start of 2023, we’ve notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred.

In cases where ransomware actors have already encrypted a network and are holding data and systems for ransom, JCDC works closely with the victim organizations to provide threat actor tactics, techniques, and procedures (TTPs) as well as guidance to help reduce the impact of an attack. For example, we have provided information to help identify the data that may have been exfiltrated from an affected entity’s network as well as details of the intrusion to support investigative and remediation efforts. JCDC also works with the cybersecurity research community and others to develop cybersecurity advisories on ransomware actors and variants to enable improved network defense at scale as part of our ongoing #StopRansomware campaign.

Continuing to enhance our collective cyber defense is contingent upon persistent collaboration and information sharing between partners across government and the private sector. To enable the broader cyber community to benefit from valuable threat intelligence, we urge organizations to report observed activity, including ransomware indicators of compromise and TTPs, to CISA or our federal law enforcement partners, including the FBI and the U.S. Secret Service. You can find information on ransomware reporting and view additional resources to manage ransomware risk at stopransomware.gov.

JCDC is a public-private cybersecurity collaborative that leverages new authorities granted by Congress in the 2021 National Defense Authorization Act to unite the global cyber community in the collective defense of cyberspace. CISA welcomes all critical infrastructure organizations and entities with cybersecurity expertise and visibility to participate in our collaboration efforts. If your organization is interested in participating in collaborative efforts to stop ransomware, please visit cisa.gov/JCDC-FAQsor email cisa.jcdc@cisa.dhs.gov.