Blog

CISA Moving Further Towards Pre-Emptive Stance with Ransomware Attack Alert System

Mar 31, 2023

JD_ransomware_CISA In the latest of several recent announcements, the U.S. body responsible for cybersecurity is making a clear shift towards pre-emptive over reactionary reporting, alerting and advice for organizations. 

By John E. Dunn 

A defining characteristic of ransomware attacks is the element of surprise. By the time the victim receives the ransom note, it is usually already too late to contain an incident. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has announced a new pilot project, the Pre-Ransomware Notification Initiative , which it hopes will be able to notify more victims before this happens. 

The premise is that attackers often linger inside networks for some time before striking. This offers a window of opportunity, according to CISA: 

“These early warnings can enable victims to safely evict the ransomware actors from their networks before the actors have a chance to encrypt and hold critical data and systems at ransom.” 

Getting ahead of ransomware sounds like a tall order but CISA said it had already helped 60 organizations since the beginning of 2023 across sectors including energy, healthcare, water treatment and education. 

The Source of the Intelligence 

The announcement doesn’t say where the Pre-Ransomware Notification Initiative gets its intelligence from but some of it is probably fed from the also recently announced Ransomware Vulnerability Warning Pilot (RVWP ).  The rest is based on risk-assessing vulnerabilities using tools that scan critical infrastructure for vulnerabilities that might be exploited by ransomware.  

“Once CISA identifies these affected systems, our regional cybersecurity personnel notify system owners of their security vulnerabilities, thus enabling timely mitigation before damaging intrusions occur,” said CISA. 

It’s not clear how much is preemptive defense based on intelligence about a compromise in progress and how much is just risk-based guesswork. The RVWP itself was established in response to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA ), part of a remarkable flurry of executive orders relating to cybersecurity signed into law by the Biden administration.  

A workable idea?  

The assumption of an early warning is that there is time for one to be given. This has a lot to do with the fact that the groups who initially compromise networks are not always the ones who execute the later attack. Instead, they sell on their access to specialists. 

The handover between one group and another can extend to weeks or months, at least in some cases. That, presumably, gives something like the Pre-Ransomware Notification Initiative time to warn victims if they uncover evidence of the earlier incursion. 

Equally, not all ransomware attacks take their time. Some strike within days. Nevertheless, helping 60 organizations in less than three months is an encouraging start. There are limitations in scope. The initiative is aimed at critical infrastructure, for instance, and is not designed to help the SMEs outside these sectors, for instance.  

Both the Pre-Ransomware Notification Initiative and the RVWP are part of CISA’s larger Stop Ransomware campaign which offers organizations the ability to report incidents and receive ransomware alerts.