Official Alerts & Statements - CISA
Official CISA updates to help stakeholders guard against the ever-evolving ransomware threat environment. These alerts, current activity reports, analysis reports, and joint statements are geared toward system administrators and other technical staff to bolster their organization's security posture.
- Alert (AA23-061A): Royal Ransomware
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) on Royal ransomware used by threat actors. Attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public health (HPH), and education. All organizations are encouraged to review this advisory for threat details, the actors' tactics, techniques, and procedures (TTPs), and indicators of compromise that can be used to detect whether this activity is present on your network, along with recommended actions and mitigations to manage the risk.
- Alert (AA23-039A): ESXiArgs Ransomware Virtual Machine Recovery Guidance
- The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released an advisory with guidance on how to use an ESXiArgs recovery script. Organizations that have fallen victim to ESXiArgs ransomware can use the script to attempt to recover their files. Other recommended mitigations are provided that all organizations should consider implementing.
- Alert (AA22-216a): Top 2021 Malware Strains
- The Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) published a Cybersecurity Advisory (CSA) that provides details on the 2021 top malware strains used by malicious cyber actors to covertly compromise and then gain unauthorized access to a computer or mobile device.
- Alert (AA22-152A): Karakurt Data Extortion Group
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory (CSA) to provide information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.
- Alert (AA21-321A): Iranian Government-Sponsored APT Cyber Actors
- CISA, FBI, the Australian Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre published a joint Cybersecurity Advisory highlighting ongoing malicious cyber activity by an advanced persistent threat (APT) group associated with the government of Iran. These APT actors have been observed exploiting Fortinet and Microsoft Exchange ProxyShell vulnerabilities to gain initial access to systems in advance of follow-on operations, which include deploying ransomware.
- Alert (AA21-291A): BlackMatter Ransomware
- This joint advisory from CISA, the FBI, and the NSA provides information on BlackMatter ransomware, which, since July 2021, has targeted multiple U.S. critical infrastructure sectors, including two U.S. Food and Agriculture Sector organizations. The advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment, as well as from trusted third-party reporting.
- Alert (AA21-287A): Ongoing Cyber Threats to U.S. Water and Wastewater Systems
- CISA, FBI, EPA and the NSA published a joint advisory with a threat overview, which includes ransomware attacks, as well as recommended mitigations to defend against ongoing malicious cyber activity targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities. Although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.
- Alert (AA21-265A): Conti Ransomware
- CISA, FBI, and NSA published a joint advisory on Conti ransomware with technical details, adversary behavior mapped to MITRE ATT&CK and recommended mitigations. CISA and the FBI have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations to steal files, encrypt servers and workstations, and demand a ransom payment.
- Current Activity: CISA Insights: Guidance for MSPs and Small- and Mid-sized Businesses
- CISA has released CISA Insights: Guidance for Managed Service Providers (MSPs) and Small- and Mid-sized Businesses, which provides mitigation and hardening guidance to help these organizations strengthen their defenses against cyberattacks. Many small- and mid-sized businesses use MSPs to manage IT systems, store data, or support sensitive processes, making MSPs valuable targets for malicious cyber actors.
- Current Activity: CISA Issues Emergency Directive on Microsoft Windows Print Spooler
- CISA has issued Emergency Directive (ED) 21-04: Mitigate Windows Print Spooler Service Vulnerability addressing CVE-2021-34527. Attackers can exploit this vulnerability to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization.
- Current Activity: Kaseya Ransomware Attack: Guidance and Resources
- CISA has created a webpage to provide information and guidance for the recent ransomware attack against Kaseya customers that include managed service providers (MSPs) and customers of those MSPs. CISA encourages affected organizations to review Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers for more information.
- Current Activity: SolarWinds Releases Advisory for Serv-U Vulnerability
- On July 13, SolarWinds released an advisory addressing a vulnerability—CVE-2021-35211—affecting Serv-U Managed File Transfer and Serv-U Secure FTP. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Note: this vulnerability does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products.
- Fact Sheet: Rising Ransomware Threat to Operational Technology Assets
- A fact sheet for critical infrastructure owners and operators detailing the rising threat of ransomware to operational technology (OT) assets and control systems. The document includes several recommended actions and resources that critical infrastructure entities should implement to reduce the risk of this threat.
- Current Activity: Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware
- On May 19, a downloadable STIX file of indicators of compromise (IOCs) was added to the advisory to help network defenders find and mitigate activity associated with DarkSide ransomware.
- Alert (AA21-131A): DarkSide Ransomware
- CISA and FBI are aware of a ransomware attack affecting a critical infrastructure (CI) entity, a pipeline company, in the United States. Malicious cyber actors deployed DarkSide ransomware, a ransomware-as-a-service (RaaS) variant, against the pipeline company's information technology (IT) network. This joint advisory provides technical details on the DarkSide actors, some of their known tactics and preferred targets, and recommended best practices for preventing business disruption from ransomware attacks.
- Analysis Report (AR21-126A): FiveHands Ransomware
- Recently, threat actors successfully launched a cyberattack against an organization using a new ransomware variant, which CISA refers to as FiveHands. The actors used publicly available penetration testing and exploitation tools, FiveHands ransomware, and SombRAT remote access trojan (RAT), to steal information, access credentials, obscure files, and demand a ransom from the victim. In addition to mitigation recommendations, this report provides the tactics, techniques, and procedures the threat actors used as well as indicators of compromise (IOCs).
- Alert (AA21-076A): TrickBot Malware
- CISA and FBI have observed continued sophisticated spearphishing campaigns using TrickBot malware in North America. Cybercrime actors are luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot, a Trojan first identified in 2016. Attackers can use TrickBot to drop other malware, such as Ryuk and Conti ransomware, or serve as an Emotet downloader.
- Current Activity: SMB Security Best Practices
- In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. This service is universally available for Windows systems, and legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems. The Current Activity includes recommendations for users and administrators.
- Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
- Ransomware attacks against kindergarten through twelfth grade (K-12) educational institutions continue to be reported to CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC). According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July. In response to this ransomware threat and other malicious cyber activity (such as data theft and disruption of distance learning), CISA, the FBI, and the MS-ISAC published a joint advisory that assesses recent attempts by malicious cyber actors to target K-12 educational institutions and explains how to mitigate these cyberattacks.
- Alert (AA20-302A): Ransomware Activity Targeting the Healthcare and Public Health Sector
- Joint cybersecurity advisory from CISA, the FBI, and the Department of Health and Human Services (HHS), describing the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.
- Alert (AA20-183A): Defending Against Malicious Cyber Activity Originating from Tor
- This advisory—written by CISA with contributions from the FBI—highlights risks associated with Tor, along with technical details and recommendations for mitigation.
- Alert (AA20-107A): Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
- This Alert provides an update to CISA Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability, which advised organizations to immediately patch CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure virtual private network (VPN) appliances.
- Alert (AA20-106A): Guidance on the North Korean Cyber Threat
- This advisory from the U.S. Departments of State, the Treasury, and Homeland Security, and the FBI is a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public, and it provides recommended steps to mitigate the threat.
- Joint Statement: U.K. and U.S. Security Agencies Issue COVID-19 Cyber Threat Update
- A joint advisory by the UK’s National Cyber Security Centre (NCSC) and CISA shows that cyber criminals and advanced persistent threat (APT) groups are targeting individuals and organizations with a range of ransomware and malware.
- Alert (AA20-099A): COVID-19 Exploited by Malicious Cyber Actors
- This joint alert from the CISA and the United Kingdom’s National Cyber Security Centre (NCSC) provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic.
- Alert (AA20-049A): Ransomware Impacting Pipeline Operations
- This CISA advisory encourages asset owners and operators across all critical infrastructure sectors to review the threat actor techniques described in the advisory and ensure the corresponding mitigations are applied.
- Alert (AA20-010A): Continued Exploitation of Pulse Secure VPN Vulnerability
- Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix an arbitrary file reading vulnerability, known as CVE-2019-11510, can become compromised in an attack.
- Alert (AA19-339A): Dridex Malware
- This joint alert from the U.S. Department of the Treasury and CISA informs the financial services sector about the Dridex malware and its variants.
- Joint Statement: CISA, MS-ISAC, NGA & NASCIO Recommend Immediate Action to Safeguard Against Ransomware Attacks
- CISA, along with the Multi-State Information Sharing and Analysis Center (MS-ISAC), the National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO), issued this joint statement urging their State, local, territorial, and tribal government partners to take essential actions to enhance their defensive posture against ransomware.
- Alert (AA18-337A): SamSam Ransomware
- DHS and the FBI issued this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A.
- Alert (TA18-201A): Emotet Malware
- This joint Technical Alert (TA) from DHS and the Multi-State Information Sharing & Analysis Center (MS-ISAC) examines Emotet, an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans.