A pilot program to proactively notify organizations their devices may be vulnerable to ransomware attacks is already bearing fruit, the Cybersecurity and Infrastructure Security Agency said Thursday.

The Ransomware Vulnerability Warning Pilot was unveiled in January 2023 as a program designed to “identify organizations with internet-accessible vulnerabilities commonly associated with known ransomware actors.” 

The program was mandated under the cyber incident reporting legislation President Joe Biden signed into law in 2022. It is run by the Joint Ransomware Task Force, co-led by CISA and the FBI. 

CISA said it made 1,754 notifications last year to organizations with internet-exposed devices vulnerable to attack. Of those, 852 were “patched, implemented a compensating control, or taken offline after notification from CISA.”

CISA officials Sandra Radesky, Stephanie Kennelley and Genevieve Marquardt said in a blog post that the program emphasizes communication with government agencies at all levels and critical infrastructure entities. 

“Organizations participating in this no-cost service typically reduce their risk and exposure by 40% within the first 12 months and most see improvements in the first 90 days,” they said. 

“Because the service looks for exposed assets, whether planned or inadvertent, it identifies vulnerabilities that would otherwise go unmanaged.”

CISA’s data shows that the overwhelming number of notifications were to government facilities and organizations in the healthcare sector. 

Government entities — which include K-12 schools and districts, higher education facilities, local government organizations and federal agencies — received 641 notifications while 440 pertained to healthcare. Organizations in the energy, financial services and transportation sectors were next highest.

CISA said it believes the program is increasing the operational costs of ransomware gangs searching for vulnerable systems and “contributing to deterrence by denial.”

The agency uses its expansive “Cyber Hygiene Vulnerability Scanning” program to detect exposed devices at more than 7,600 participating organizations. Overall, they have identified more than three million known vulnerabilities for participants since 2022 — but CISA explained that through industry and expert analysis they are able to whittle that number down to bugs being exploited, including those specifically targeted by ransomware gangs.