US cybersecurity officials are unveiling a new program to warn critical American companies that their systems are vulnerable to ransomware attacks before the hackers can successfully strike.
The new federal program – details of which were shared exclusively with CNN – is needed because “the pace and the impact of (ransomware) intrusions are still unacceptable,” said Eric Goldstein, a senior official at the US Cybersecurity and Infrastructure Security Agency.
Ransomware attacks, like the 2021 incident that temporarily shut down one of America’s largest fuel pipelines, have disrupted key services important to American life and made the issue a national and economic security concern for the Biden administration.
But federal officials and private researchers have sometimes struggled in recent years to get in touch with key organizations like hospitals or universities in the crucial window between when a hacker gains access to a network and when they lock up the network and demand a multimillion-dollar ransom.
The new CISA program is trying to change that. So far in 2023, the agency claims it has notified about 60 organizations in key sectors like healthcare and water that they could fall victim to ransomware. Many were able to prevent their systems from being encrypted, Goldstein said. In other cases, he said, “we got there in time to help, but not in time to prevent (the hackers) from taking any action.”
The program is straightforward and relies on backchannels between researchers, government officials and potential victims.
Many of the early warning signs of a potential ransomware attack are public, such as an internet-exposed, vulnerable computer at an organization. CISA has an email tip line that outside cybersecurity experts can use to flag such a vulnerability when they see one, and the agency then rushes to get in touch with the hacked organization before it is extorted.
While the FBI has more than 50 field offices across the country, CISA generally has fewer personnel who can knock on doors in small towns and respond to security incidents. But the agency has hired more advisers outside of Washington, Goldstein said, who can “drop everything they’re doing, jump on the phone or even get in their car” to warn companies that they might be hit by ransomware.
Personnel connections between feds and local companies or schools will be key if the program is to live up to its potential.
Allan Liska, a ransomware expert with cybersecurity firm Recorded Future, recalled how he had tried to contact a municipal government in the Midwest in 2021 that he suspected had been hacked. Liska couldn’t get through to the right person at the town government. Not long after that, a ransomware gang listed the town as a victim online, he said.
“Ransomware is like the Travis Kelce of malware,” Liska said, referring to the Super Bowl-winning Kansas City Chiefs tight end. “Everyone knows it is coming, but so few organizations can stop it.”
US officials have attacked the ransomware problem on multiple fronts – by arresting alleged cybercriminals, sanctioning cryptocurrency services and warning companies that they are vulnerable. There are signs that victims are paying the hackers less. Ransomware revenue fell to about $457 million in 2022, down from $766 million in 2021, according to data from cryptocurrency-tracking firm Chainalysis.
Still, ransomware and other hacking incidents continue to cause regular disruptions to American life. An apparent cyberattack in February forced a network of Florida health care organizations to send some emergency patients to other facilities.