CISA ransomware warning program has sent out more than 2,000 alerts

The program warns organizations running software or hardware with vulnerabilities that are being exploited by ransomware gangs.
Jen Easterly, Director of the Homeland Security Department's Cybersecurity and Infrastructure Security Agency, arrives to testify before the House (Select) Strategic Competition Between the United States and the Chinese Communist Party Committee on Capitol Hill on January 31, 2024 in Washington, DC. (Photo by Kevin Dietsch/Getty Images)

The Cybersecurity and Infrastructure Security Agency’s vulnerability warning program has issued more than 2,000 alerts to date to organizations that are running software with vulnerabilities being exploited by ransomware gangs, the agency’s director, Jen Easterly, said Wednesday.

Currently running in a pilot phase, the program is mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and aims to reduce the number of ransomware attacks by getting the owners and operators of vulnerable systems to patch them before they can be infiltrated. 

“The warning pilot is focused on reducing the prevalence of ransomware by using our vulnerability scanning tools to let businesses know if they have vulnerabilities that need to be patched,” Easterly said at an event hosted by the Institute for Security and Technology.

Easterly said that since the pilot was launched in January of last year, it has expanded to include CISA’s database of known exploited vulnerabilities as well as common misconfigurations that can be linked to ransomware attacks. 
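As an added illustration of the kind of cross-check the pilot performs (example code written for this article, not CISA's own tooling), the script below matches an asset inventory against entries in a KEV-shaped feed that are flagged `knownRansomwareCampaignUse == "Known"`. The field names follow the public KEV JSON feed; the CVE IDs, products and hosts are constructed placeholders.

```python
import json

# Constructed sample in the shape of CISA's KEV catalog JSON feed.
# Field names match the real feed; CVE IDs and products are placeholders.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "knownRansomwareCampaignUse": "Known", "dueDate": "2024-01-15"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleFS", "product": "Transfer",
         "knownRansomwareCampaignUse": "Known", "dueDate": "2024-02-01"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCMS", "product": "Portal",
         "knownRansomwareCampaignUse": "Unknown", "dueDate": "2024-03-01"},
    ]
})

# Constructed asset inventory: internet-facing hosts, the product each runs,
# and the CVEs already remediated on that host.
INVENTORY = [
    {"host": "vpn.example.test", "vendorProject": "ExampleVPN", "product": "Gateway",
     "patched": ["CVE-0000-0001"]},
    {"host": "files.example.test", "vendorProject": "ExampleFS", "product": "Transfer",
     "patched": []},
    {"host": "www.example.test", "vendorProject": "ExampleCMS", "product": "Portal",
     "patched": []},
]

def ransomware_kev(kev_json):
    """Return the KEV entries CISA marks as used in known ransomware campaigns."""
    entries = json.loads(kev_json)["vulnerabilities"]
    return [v for v in entries if v.get("knownRansomwareCampaignUse") == "Known"]

def find_exposed(inventory, kev_json):
    """Map each host to the ransomware-linked KEV CVEs it runs but has not patched."""
    by_product = {}
    for v in ransomware_kev(kev_json):
        by_product.setdefault((v["vendorProject"], v["product"]), []).append(v["cveID"])
    exposed = {}
    for asset in inventory:
        cves = by_product.get((asset["vendorProject"], asset["product"]), [])
        open_cves = sorted(set(cves) - set(asset["patched"]))
        if open_cves:
            exposed[asset["host"]] = open_cves
    return exposed

if __name__ == "__main__":
    for host, cves in find_exposed(INVENTORY, KEV_SAMPLE).items():
        print(f"{host}: unpatched ransomware-linked KEV entries: {', '.join(cves)}")
```

On the sample data only the file-transfer host is reported, since the VPN gateway has its flagged CVE patched and the CMS entry is not ransomware-linked.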

In a Thursday blog post about the warning pilot, CISA reported that of the more than 1,700 notifications of vulnerable devices sent in 2023, 49% resulted in mitigation, whether by patching, taking the device offline, or other measures. The post also said organizations reduce their cyber risk when they use CISA’s free cyber hygiene vulnerability scanning service, which monitors the web for vulnerable devices.

“Organizations participating in this no-cost service typically reduce their risk and exposure by 40% within the first 12 months and most see improvements in the first 90 days,” CISA said.

Though breaches carried out by state-backed hackers tend to garner the most attention, ransomware attacks are arguably a more immediate, urgent threat. A recent ransomware attack on the payment processor Change Healthcare crippled parts of the U.S. health care system, and on Monday the company warned that the sensitive and personal health information stolen in the breach could impact a “substantial portion” of the U.S. public.

Organizations that are signed up for CISA’s free cyber hygiene scanning tool would get an automated alert about any vulnerabilities, but the agency might also reach out to companies that are not signed up if vulnerable devices are found on an internet-scanning service, such as Shodan. If service providers hide the identity of the organization through privacy protections, CISA can use its administrative subpoena power to alert organizations with vulnerable devices that are internet-facing. More than 7,600 organizations have signed up for CISA’s cyber hygiene scanning service.

Updated April 25, 2024: This article was updated to include additional details on CISA’s ransomware warning program and correct information on the pilot’s launch status and participation requirements. 
