Newsroom
- JOINT CYBERSECURITY ADVISORY: #StopRansomware: RansomHub Ransomware
- The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released joint CSA on RansomHub Ransomware.
- JOINT CYBERSECURITY ADVISORY: Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) published joint Cybersecurity Advisory (CSA), “Iran-based Cyber Actors Enabling Ransomware Attacks on U.S. Organizations.”
- JOINT CYBERSECURITY ADVISORY: #StopRansomware: Blacksuit (Royal) Ransomware
- The Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency released joint CSA on BlackSuit Ransomware.
- JOINT CYBERSECURITY ADVISORY: North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
- CISA—in partnership with the Federal Bureau of Investigation (FBI)—released a joint Cybersecurity Advisory that highlights cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju.
- JOINT CYBERSECURITY ADVISORY: #StopRansomware: Black Basta
- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued this advisory with technical details on Black Basta, a ransomware-as-a-service (RaaS) used by various criminal affiliates.
- JOINT CYBERSECURITY ADVISORY: Akira Ransomware
- The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) issued this advisory with technical details on Akira ransomware that has impacted North America, Europe, and Australia.
- JOINT CYBERSECURITY ADVISORY: Phobos Ransomware
- The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued this advisory with technical details on Phobos ransomware that has impacted state, local, tribal, and territorial (SLTT) governments since May 2019.
- JOINT CYBERSECURITY ADVISORY: Updated ALPHV BlackCat Ransomware
- The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released advisory to disseminate additional known ALPHV Blackcat ransomware IOCs and information.
- JOINT CYBERSECURITY ADVISORY: ALPHV BlackCat Ransomware
- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released an advisory to disseminate known ALPHV Blackcat ransomware IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations as recently as Dec. 6, 2023.
- JOINT CYBERSECURITY ADVISORY: Play Ransomware
- The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) released a joint Cybersecurity Advisory (CSA) with technical details on Play Ransomware identified through FBI investigations as recently as October 2023, along with mitigations to help organizations protect against this cyber threat.
- JOINT CYBERSECURITY ADVISORY: SCATTERED SPIDER
- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this joint Cybersecurity Advisory (CSA) on recent activity by Scattered Spider threat actors against Commercial Facilities Sectors and subsectors with tactics, techniques and procedures obtained through FBI investigations as recently as November 2023.
- JOINT CYBERSECURITY ADVISORY: RHYSIDA RANSOMWARE
- The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) released this joint Cybersecurity Advisory (CSA) to disseminate Indicators of Compromise (IOCs) and FBI Yara rule on Rhysida ransomware identified through FBI investigations as recently as September 2023 and provide mitigations to help organizations protect against this cyber threat.
- JOINT CYBERSECURITY ADVISORY: ROYAL RANSOMWARE (UPDATE)
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released an updated joint CSA on Royal ransomware used by threat actors to target numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education.
- CISA AND ACSC PUBLISH BUSINESS CONTINUITY IN A BOX
- CISA and Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) published a Business Continuity in a Box product that assists organizations with swiftly and securely standing up critical business functions during or following a cyber incident. Using this resource, organizations can maintain or re-establish the basic functions needed to operate a business while responding to the issues affecting their existing systems.
- CISA AND PARTNERS UPDATE THE #STOPRANSOMWARE GUIDE
- CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its release earlier this year.
- JOINT CYBERSECURITY ADVISORY: AvosLocker Ransomware
- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this joint Cybersecurity Advisory (CSA) to disseminate Indicators of Compromise (IOCs) and FBI Yara rule on AvosLocker ransomware identified through FBI investigations as recently as May 2023 and provide mitigations to help organizations protect against this cyber threat.
- JOINT CYBERSECURITY ADVISORY: SNATCH RANSOMWARE
- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this joint Cybersecurity Advisory (CSA) to disseminate Indicators of Compromise (IOCs) on Snatch ransomware identified through FBI investigations as recently as June 2023 and provide mitigations to help organizations protect against this cyber threat.
- JOINT CYBERSECURITY ADVISORY: IDENTIFICATION AND DISRUPTION OF QAKBOT INFRASTRUCTURE
- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this joint Cybersecurity Advisory (CSA) to disseminate QakBot infrastructure Indicators of Compromise (IOCs) identified through FBI investigations as of August 2023 and provide mitigations to help organizations protect against this cyber threat.
- JOINT CYBERSECURITY ADVISORY: INCREASED TRUEBOT ACTIVITY INFECTS U.S. AND CANADA BASED NETWORKS AT SCALE
- The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) are releasing this joint Cybersecurity Advisory (CSA) in response to cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada at scale as recently as May 31, 2023.
- JOINT CYBERSECURITY ADVISORY: UNDERSTANDING RANSOMWARE THREAT ACTORS: LOCKBIT
- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center, and international partners released joint CSA on LockBit, an evolving and ongoing Ransomware-as-a-Service (RaaS). Protect your organization against this ongoing, global cyber threat by reading the advisory and implementing recommended mitigations.
- JOINT CYBERSECURITY ADVISORY: CL0P Ransomware Gang
- The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint CSA on the CL0P Ransomware Gang, also known as TA505, which reportedly began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer.
- CISA AND PARTNERS UPDATE THE #STOPRANSOMWARE GUIDE, DEVELOPED THROUGH THE JOINT RANSOMWARE TASK FORCE
- CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.
- JOINT CYBERSECURITY ADVISORY: BIANLIAN RANSOMWARE
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre (ACSC) released joint CSA on BianLian ransomware. FBI observed BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022.
- JOINT CYBERSECURITY ADVISORY: CISA and FBI Release Joint Advisory in Response to Active Exploitation of PaperCut Vulnerability
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint CSA – “Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG.”
- JOINT CYBERSECURITY ADVISORY: LockBit 3.0 RANSOMWARE
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released joint CSA on LockBit 3.0 ransomware. LockBit affiliates have attacked a wide range of businesses and critical infrastructure organizations.
- CISA ESTABLISHES RANSOMWARE VULNERABILITY WARNING PILOT
- Recognizing the persistent threat posed by ransomware attacks to organizations of all sizes, the Cybersecurity and Infrastructure Security Agency (CISA) announces today the establishment of the Ransomware Vulnerability Warning Pilot (RVWP).
- JOINT CYBERSECURITY ADVISORY: ROYAL RANSOMWARE
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint CSA on Royal ransomware used by threat actors to target numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education.
- JOINT CYBERSECURITY ADVISORY: RANSOMWARE ATTACKS ON CRITICAL INFRASTRUCTURE FUND DPRK MALICIOUS CYBER ACTIVITIES
- The National Security Agency, Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Health and Human Services, and Republic of Korea’s National Intelligence Service and Defense Security Agency released joint CSA on Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities.
- JOINT CYBERSECURITY ADVISORY: ESXIARGS RANSOMWARE VIRTUAL MACHINE RECOVERY GUIDANCE
- The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released an advisory with guidance on how to use an ESXiArgs recovery script. Organizations that have fallen victim to ESXiArgs ransomware can use the script to attempt to recover their files. Other recommended mitigations are provided that all organizations should consider implementing.
- PHISHING SUSCEPTIBILITY INFOGRAPHIC
- The Cybersecurity and Infrastructure Security Agency (CISA) released a Phishing Infographic to help protect both organizations and individuals from successful phishing operations, as well as a visual summary of how threat actors execute successful phishing operations.
- JOINT CYBERSECURITY ADVISORY: CUBA RANSOMWARE
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint CSA on Cuba ransomware, used to target a wide range of businesses and critical infrastructure sector organizations, including those in Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology.
- JOINT CYBERSECURITY ADVISORY: HIVE RANSOMWARE
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released a joint CSA on Hive ransomware, used to target a wide range of businesses and critical infrastructure sector organizations, including those in the Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH) Sectors.
- JOINT CYBERSECURITY ADVISORY: DAIXIN TEAM LEVERAGES RANSOMWARE TO TARGET THE HEALTHCARE AND PUBLIC HEALTH SECTOR
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released joint CSA on Daixin actors targeting healthcare and public health sector with ransomware since at least June 2022.
- IRANIAN STATE ACTORS CONDUCT CYBER OPERATIONS AGAINST THE GOVERNMENT OF ALBANIA
- This joint Cybersecurity Advisory details Iranian State Actors Conduct Cyber Operations Against the Government of Albania. CISA and the Federal Bureau of Investigation urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this advisory.
- IRANIAN ISLAMIC REVOLUTIONARY GUARD CORPS-AFFILIATED CYBER ACTORS EXPLOIT VULNERABILITIES FOR RANSOM OPERATIONS
- This joint Cybersecurity Advisory details Iranian Islamic Revolutionary Guard Corps-affiliated cyber actors exploiting vulnerabilities for data extortion and disk encryption for ransom operations. CISA, the Federal Bureau of Investigation, National Security Agency, U.S. Cyber Command - Cyber National Mission Force (CNMF), Department of the Treasury, Australian Cyber Security Centre, Canadian Centre for Cyber Security, and United Kingdom’s National Cyber Security Centre urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this advisory.
- JOINT ADVISORY DETAILS VICE SOCIETY RANSOMWARE ATTACK TECHNIQUES, OFFERS MITIGATION
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory on Vice Society actors disproportionately targeting the education sector with ransomware attacks as recently as September 2022.
- JOINT CYBERSECURITY ADVISORY: ZEPPELIN RANSOMWARE
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) on Zeppelin ransomware which has been identified through FBI investigations as recently as April 2022.
- CISA AND ACSC RELEASE TOP 2021 MALWARE STRAINS
- The Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) published a Cybersecurity Advisory (CSA) that provides details on the 2021 top malware strains used by malicious cyber actors to covertly compromise and then gain unauthorized access to a computer or mobile device. The top malware strains in 2021 include remote access Trojans (RATs), banking Trojans, information stealers, and ransomware. Read the advisory to learn how to detect and protect against these and other cyber threats.
- NORTH KOREAN STATE-SPONSORED CYBER ACTORS USE MAUI RANSOMWARE TO TARGET THE HEALTHCARE AND PUBLIC HEALTH SECTOR
- This joint Cybersecurity Advisory (CSA) from CISA, FBI, and the U.S. Department of Treasury provides information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations. Learn about the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) of this threat.
- JOINT ADVISORY DETAILS MEDUSALOCKER RANSOMWARE CYBER THREAT
- Malicious actors have used MedusaLocker ransomware in attacks as recently as May 2022. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) have released recommended actions, mitigations, and resources for organizations to use to protect against and respond to this cyber threat.
- CISA AND FBI URGE ORGANIZATIONS TO REMAIN VIGILANT TO RANSOMWARE THREATS ON HOLIDAYS, INCLUDING THIS LABOR DAY
- Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months this year. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.
- COORDINATED ACTION CUTS OFF ACCESS TO VPN SERVICE USED BY RANSOMWARE GROUPS
- Law enforcement and judicial authorities in Europe, the U.S., and Canada seized the web domains and server infrastructure of DoubleVPN. This is a virtual private network (VPN) service which provided a safe haven for cybercriminals to attack their victims.
- STATEMENT FROM CISA ACTING DIRECTOR WALES ON EXECUTIVE ORDER TO IMPROVE THE NATION’S CYBERSECURITY AND PROTECT FEDERAL NETWORKS
- After President Biden signed an executive order to improve the nation’s cybersecurity and protect federal government networks, Brandon Wales, Acting Director of the Cybersecurity and Infrastructure Security Agency (CISA), released a statement about the importance of this step forward after the recent ransomware attacks on the Colonial Pipeline.
- CISA AND CYBER.ORG PARTNER TO DELIVER CYBER SAFETY VIDEO SERIES
- The Cybersecurity and Infrastructure Security Agency (CISA) and CYBER.ORG jointly announce a cyber safety video series to help those learning or working online take proactive steps to protect themselves and their business. The video series currently includes five videos that provide easy to understand cybersecurity concepts which include tips to avoid becoming a victim of a ransomware attack.
- CISA LAUNCHES CAMPAIGN TO REDUCE THE RISK OF RANSOMWARE
- The Cybersecurity and Infrastructure Security Agency (CISA) announces the Reduce the Risk of Ransomware Campaign, a focused, coordinated, and sustained effort to encourage public and private sector organizations to implement best practices, tools and resources that can help them mitigate this cybersecurity risk and threat.
- CISA AND MS-ISAC RELEASE JOINT RANSOMWARE GUIDE
- The Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing a joint Ransomware Guide meant to be a one-stop resource for stakeholders on how to be proactive and prevent these attacks from happening and also a detailed approach on how to respond to an attack and best resolve the cyber incident.
- ROMANIAN WOMAN PLEADS GUILTY TO FEDERAL CHARGES IN HACKING OF METROPOLITAN POLICE DEPARTMENT SURVEILLANCE CAMERAS
- A Romanian woman pleaded guilty to federal charges stemming from her role in a conspiracy to illegally access approximately 126 computers associated with Metropolitan Police Department (MPD) surveillance cameras, and to use those computers in connection with a scheme to distribute ransomware in January 2017.
- ATLANTA U.S. ATTORNEY CHARGES IRANIAN NATIONALS FOR CITY OF ATLANTA RANSOMWARE ATTACK
- Iranian nationals were charged with committing a sophisticated ransomware attack on the City of Atlanta in violation of the Computer Fraud and Abuse Act.
- RUSSIAN NATIONAL AND BITCOIN EXCHANGE CHARGED IN 21-COUNT INDICTMENT FOR OPERATING ALLEGED INTERNATIONAL MONEY LAUNDERING SCHEME AND ALLEGEDLY LAUNDERING FUNDS FROM HACK OF MT. GOX
- A Russian national and organization BTC-e were indicted by a grand jury in Northern California for operating an unlicensed money service business, money laundering and related crimes. BTC-e was noted for its role in numerous ransomware and other cyber criminal activity, according to Special Agent in Charge of the USSS Criminal Investigative Division Michael D’Ambrosio.
- TWO ROMANIAN SUSPECTS CHARGED WITH HACKING OF METROPOLITAN POLICE DEPARTMENT SURVEILLANCE CAMERAS IN CONNECTION WITH RANSOMWARE SCHEME
- A criminal complaint and arrest warrants were unsealed charging two Romanian nationals with a conspiracy to illegally access approximately 123 computers associated with Metropolitan Police Department (MPD) surveillance cameras and to use those computers in connection with a scheme to distribute ransomware in January 2017.