Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



CISA Gets Proactive With New Pre-Ransomware Alerts

CISA has sent notifications to more than 60 organizations as part of a new initiative to alert entities of early-stage ransomware attacks.

Ransomware Alerts

The US Cybersecurity and Infrastructure Security Agency (CISA) this week announced a new initiative to alert organizations of early-stage ransomware attacks.

Since the start of the year, the agency has notified more than 60 organizations in the energy, education, healthcare, water/wastewater, and other sectors. Many of these organizations were able to mitigate the attack before data was encrypted and exfiltrated.  

A proactive cyber defense capability, pre-ransomware notifications are meant to warn organizations that they were breached, so that they can evict threat actors from their networks before file-encrypting ransomware is deployed.

“We know that ransomware actors often take some time after gaining initial access to a target before encrypting or stealing information, a window of time that often lasts from hours to days. This window gives us time to warn organizations that ransomware actors have gained initial access to their networks,” Joint Cyber Defense Collaborative (JCDC) associate director Clayton Romans notes.

By taking immediate action when receiving an early warning, organizations can reduce potential data loss, avoid impact on operations, and reduce financial impact and other detrimental consequences.

The notifications, Romans says, are sent based on tips received from the cybersecurity research community, threat intelligence companies, and infrastructure providers. Once a tip is received, CISA’s field personnel notifies the victim organization and provides it with mitigation instructions.

If the victim is an entity outside the US, CISA works with international CERT partners to deliver the notification.

Advertisement. Scroll to continue reading.

“In cases where ransomware actors have already encrypted a network and are holding data and systems for ransom, JCDC works closely with the victim organizations to provide threat actor tactics, techniques, and procedures (TTPs) as well as guidance to help reduce the impact of an attack,” Romans explains.

CISA urges organizations to report observed ransomware attacks, including indicators of compromise and TTPs, to help prepare mitigation guidance for future attacks.

Related: Cyber Insights 2023 | Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.