By Clayton Romans – Over the past several years, ransomware attacks have caused extraordinary harm to American organizations: schools forced to close, hospitals required to divert patients, companies across all sectors facing operational disruption and expending untold sums on mitigation and recovery. At CISA, we are working with partners to take every possible step to reduce the prevalence and impact of ransomware attacks. We recently announced an important initiative to help organizations more quickly fix vulnerabilities that are targeted by ransomware actors. Today, we’re excited to announce a related effort that is already showing impact in actually reducing the harm from ransomware intrusions: our Pre-Ransomware Notification Initiative. Like our work to reduce the prevalence of vulnerabilities, this effort is coordinated as part of our interagency Joint Ransomware Task Force.

We know that ransomware actors often take some time after gaining initial access to a target before encrypting or stealing information, a window of time that often lasts from hours to days. This window gives us time to warn organizations that ransomware actors have gained initial access to their networks. These early warnings can enable victims to safely evict the ransomware actors from their networks before the actors have a chance to encrypt and hold critical data and systems at ransom. Early warning notifications can significantly reduce potential loss of data, impact on operations, financial ramifications, and other detrimental consequences of ransomware deployment.

This remarkable effort relies on two key elements. First, our Joint Cyber Defense Collaborative (JCDC) gets tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity. Without these tips, there are no notifications! Any organization or individual with information about early-stage ransomware activity is urged to contact us at Report@cisa.dhs.gov. Once we receive a notification, our field personnel across the country get to work notifying the victim organization and providing specific mitigation guidance. Where a tip relates to a company outside of the United States, we work with our international CERT partners to enable a timely notification.

Although we’re in the early days, we’re already seeing material results: since the start of 2023, we’ve notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred.  Read On: