CISA (Cybersecurity and Infrastructure Security Agency) has published the first results of its pre-ransomware notifications that were introduced at the start of 2023.
Even though this initiative is relatively young, CISA says it has notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or data loss occurred.
In order to develop the pre-ransomware notifications, CISA established the Joint Cyber Defense Collaborative (JCDC) to "unify cyber defenders from organizations worldwide". The team proactively gathers, analyzes, and shares actionable cyber risk information.
The success of the operation relies on a few key factors:
- Sharing intelligence by the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity.
- Getting that information to the victim organization and providing specific guidance about containing the threat.
- The time cybercriminals take from the initial security breach to the full-fledged ransomware attack.
Basically, the more information organizations give about early-stage ransomware activity, the better the information the JCDC can provide. This information also helps to keep lists like the known to be exploited vulnerabilities catalog up to date and helps create ransomware vulnerability warnings which inform organizations that a vulnerability used by ransomware threat actors is present on their network.
But how do pre-ransomware notifications work in real life?
Let’s take the fake IRS mail we reported about last week as an example. My colleagues found an email being sent out with the title of “IRS Tax Forms W-9” which appears to have been sent from “IRS Online Center”. In reality, the attachment contains a malicious macro. Enabling the content of the attachment will result in Emotet being downloaded onto the system.
The JCDC can in turn share this information with potential victims. "Have you seen this mail? Did anyone open the attachment? Did they use the “Enable Content” button? Here is what you can do to prevent your systems from getting encrypted. These are the tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs) you need to look for. And this call-to-action can be pretty specific because they know that any potential victims should be looking for Emotet.
For many non-profit organizations that can’t afford their own security team or an external Managed Detection and Response (MDR) service, this is very helpful and, as CISA concludes, has proven its usefulness. While the pre-ransomware notifications service is aimed at US organizations, JCDC works with international Computer Emergency Readiness Team (CERT) partners to enable a timely notification when it concerns a company outside the US.
The more information we share, the better the information JCDC can provide gets. Any organization or individual with information about early-stage ransomware activity is urged to contact [email protected]. If your organization is interested in participating in these collaborative efforts to stop ransomware, please visit cisa.gov/JCDC-faqs or email [email protected].
Every US ransomware incident should be reported to the US government. You can find information on reporting at stopransomware.gov.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.