- Federal cyber authorities shared early, promising results last week of a pre-ransomware notification initiative designed to quickly alert organizations of intrusions before ransomware actors encrypt or steal data.
- The Cybersecurity and Infrastructure Security Agency’s Joint Cyber Defense Collaborative pulls in tips from cybersecurity researchers, infrastructure providers and threat intelligence firms to notify victim organizations of early-stage ransomware activity, JCDC Associate Director Clayton Romans said Thursday in a blog post.
- Authorities notified 60 entities across multiple critical infrastructure sectors of potential pre-ransomware intrusions since the beginning of the year. Many identified and remediated the intrusion before encryption or exfiltration occurred, Romans said.
Early warnings about malicious activity can bolster an organization’s ability to significantly limit the impact of a ransomware attack, said Chester Wisniewski, field CTO of applied research at Sophos.
When organizations take action in the early stages of a threat actor’s intrusion, more often than not, they are able to prevent the ransomware attack and data exfiltration, Wisniewski said.
This window of opportunity, when a ransomware actor has gained access but has yet to encrypt or steal data, typically lasts hours to days, according to CISA.
CISA emphasized the important role the private sector plays in sharing indicators of compromise, and encouraged all organizations and individuals to report malicious activity so it can notify potential victims quickly.
While ransomware notifications can help, they’re only effective if organizations trust the warning and take swift and appropriate action, Wisniewski said. Many organizations don’t take early-stage warnings seriously until it’s too late, he said.
Post-breach notifications from CISA might often be too late, but timing is crucial and if caught early enough organizations could limit the extent of damage suffered by an attack.
“One, it can’t hurt. Two, it’s likely to prevent some attacks and that’s fantastic,” Wisniewski said. “But is it going to make a real dent in the ransomware problem? Probably not.”