
CISA has sent out more than 2,000 ransomware vulnerability alerts so far. Could yours be next?
If you haven’t yet signed up for Cyber Hygiene Vulnerability Scanning, you could be missing out on important alerts.
More than 7,000 organizations have registered for the no-cost vulnerability alert service from the Cybersecurity and Infrastructure Security Agency (CISA) as part of the Ransomware Vulnerability Warning Pilot launched in January 2023. The pilot program aims to protect critical infrastructure organizations from ransomware attacks by proactively notifying them about vulnerabilities in their systems.
CISA hopes to formally launch the program by the end of 2024. However, any organization can take advantage of CISA’s free cybersecurity tools now.
What is a ransomware attack?
Ransomware is a form of malicious software that encrypts files on an internet-connected device, blocking use of the device and the systems that rely on it. Ransomware attackers then extort victims for money in exchange for decryption. In another tactic, attackers steal data from the hacked devices and threaten to release it publicly unless the victim pays the ransom. When an attacker uses both tactics, this is known as “double extortion.”
These incidents can devastate businesses. The disruptions can halt operations and prevent companies from delivering mission-critical services, resulting in costly recoveries and damage to their reputations.
Why is this program important?
According to CISA, ransomware is a rampant and costly threat to critical services, businesses, and communities. Organizations of every size and in every sector are impacted by ransomware attacks. It costs businesses an average of $1.85 million to recover from a ransomware attack, and 80% of those who pay a ransom are retargeted and revictimized.
Companies can reduce their risk of ransomware attacks by identifying vulnerabilities and closing their security gaps. According to CISA, organizations that participate in the program typically reduce their risk and exposure by 40% in the first year, and most see improvements within 90 days.
How does the program work?
CISA’s vulnerability warning program was mandated by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. As part of the program, CISA regularly scans public and commercial data sources to identify information systems with exposed vulnerabilities.
Businesses that enroll in the vulnerability scanning service receive regular reports and establish relationships with CISA’s cybersecurity experts. If you’re enrolled and CISA finds a vulnerability in your software, the agency will notify your designated contact by phone or email with information and recommendations. CISA also attempts to reach out to organizations that are not enrolled, but without an established point of contact the agency may have trouble reaching them.
Who is using the service?
CISA identifies and reports on vulnerabilities in each of the critical infrastructure sectors that Americans count on.
In 2023, CISA sent out 1,754 notifications to organizations about vulnerable internet-enabled devices. The highest percentage (37%) of identified vulnerabilities was in government facilities, including K-12 schools; higher education; U.S. federal agencies; and state, local, tribal, and territorial (SLTT) government organizations. Healthcare and public health organizations were next (25%), followed by the energy and financial services sectors (10% and 7%, respectively). The remaining sectors, in order of impact, were transportation, critical manufacturing, information technology, food and agriculture, commercial, emergency services, chemical, communications, defense industrial base, and water and wastewater.
In subsequent scans, 49% of the 1,754 affected devices were patched, taken offline, or otherwise controlled.
What should businesses do?
While it’s not a replacement for complete ransomware protection, it’s prudent to take advantage of this free federal service. The scan could prevent a costly ransomware attack — and the only downside is having one more report to read.
Interested organizations can sign up for CISA’s Cyber Hygiene Vulnerability Scanning service by emailing vulnerability@cisa.dhs.gov.
