Official Alerts & Statements - FBI
Official FBI updates to help stakeholders guard against the ever-evolving ransomware threat environment. These advisories, FBI Flashes, FBI Private Industry Notifications (PINs), and joint statements are designed to help cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber actors.
- Joint Cybersecurity Advisory: #StopRansomware: RansomHub Ransomware
- The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint CSA on RansomHub ransomware. Review the advisory for the actors' tactics, techniques, and procedures (TTPs) and indicators of compromise, and implement the recommended actions and mitigations.
- Joint Cybersecurity Advisory: Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) published the CSA "Iran-based Cyber Actors Enabling Ransomware Attacks on U.S. Organizations." Review the advisory for the actors' tactics, techniques, and procedures (TTPs) and indicators of compromise, and implement the recommended actions and mitigations.
- Joint Cybersecurity Advisory: #StopRansomware: Blacksuit (Royal) Ransomware
- The Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency released a joint CSA on BlackSuit ransomware. Review the advisory for the actors' tactics, techniques, and procedures (TTPs) and indicators of compromise, and implement the recommended actions and mitigations.
- Joint Cybersecurity Advisory: North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
- CISA—in partnership with the Federal Bureau of Investigation (FBI)—released a joint Cybersecurity Advisory that highlights cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju.
- Joint Cybersecurity Advisory: #StopRansomware: Black Basta
- This advisory provides Black Basta ransomware IOCs and TTPs obtained from FBI investigations and trusted third-party reporting. As of May 2024, this ransomware group has impacted a wide range of businesses and critical infrastructure entities globally.
- Joint Cybersecurity Advisory: Akira Ransomware
- This advisory provides Akira ransomware IOCs and TTPs from incident response investigations and trusted third-party reporting. Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. The group has impacted more than 250 organizations and claimed approximately $42M in ransom.
- Joint Cybersecurity Advisory: Phobos Ransomware
- This advisory provides Phobos ransomware IOCs and TTPs from incident response investigations and open source reporting (Feb 2024). Phobos is structured as a ransomware-as-a-service (RaaS) operation and has regularly been reported as impacting state, local, tribal, and territorial (SLTT) governments, including emergency services, education, and public healthcare. The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) partnered to issue this advisory.
- Joint Cybersecurity Advisory: Updated ALPHV BlackCat Ransomware
- The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released an update to the advisory to disseminate additional known ALPHV Blackcat ransomware IOCs and information associated with the ALPHV Blackcat ransomware-as-a-service (RaaS) operation, identified through FBI investigations as recently as February 2024.
- Joint Cybersecurity Advisory: ALPHV BlackCat Ransomware
- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released an advisory to disseminate known ALPHV Blackcat ransomware IOCs and TTPs associated with the ALPHV Blackcat ransomware-as-a-service (RaaS) operation, identified through FBI investigations as recently as Dec. 6, 2023. This advisory updates the FBI FLASH "BlackCat/ALPHV Ransomware Indicators of Compromise" released April 19, 2022.
- Joint Cybersecurity Advisory: Play Ransomware
- The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) released this joint Cybersecurity Advisory (CSA), "Play Ransomware," to warn organizations of ongoing activity targeting a wide range of businesses and critical infrastructure in North America, South America, Europe, and Australia. All organizations are encouraged to review this advisory, assess whether this activity is on their network, and implement recommended mitigations to reduce risk.
- Joint Cybersecurity Advisory: Rhysida Ransomware
- The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released this joint Cybersecurity Advisory (CSA), "Rhysida Ransomware," to warn organizations of ongoing activity targeting a wide range of critical infrastructure in the U.S. All organizations are encouraged to review this advisory to detect whether this activity is on their network and implement recommended mitigations to reduce risk.
- Joint Cybersecurity Advisory: Royal Ransomware (Update)
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released an updated joint CSA on Royal ransomware used by threat actors. Attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public health (HPH), and education. All organizations are encouraged to review this advisory for threat details, the actors' tactics, techniques, and procedures (TTPs), and indicators of compromise that can be used to detect whether this activity is on their network, along with recommended actions and mitigations to manage the risk.
- CISA and Partners Update the #StopRansomware Guide
- CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide.
- Joint Cybersecurity Advisory: AvosLocker Ransomware
- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this joint Cybersecurity Advisory (CSA), "AvosLocker Ransomware," to warn organizations of ongoing activity targeting a wide range of critical infrastructure in the U.S. All organizations are encouraged to review this advisory to detect whether this activity is on their network and implement recommended mitigations to reduce risk.
- Joint Cybersecurity Advisory: Snatch Ransomware
- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this joint Cybersecurity Advisory (CSA), "Snatch Ransomware," to warn organizations of ongoing activity targeting a wide range of critical infrastructure. All organizations are encouraged to review this advisory to detect whether this activity is on their network and implement recommended mitigations to reduce risk.
- Joint Cybersecurity Advisory: Identification and Disruption of QakBot Infrastructure
- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this joint Cybersecurity Advisory (CSA), "Identification and Disruption of QakBot Infrastructure," to help organizations reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. All organizations are encouraged to review this advisory to detect whether this activity is on their network and implement recommended mitigations to reduce risk.
- Joint Cybersecurity Advisory: Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale
- The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) are releasing this joint Cybersecurity Advisory (CSA) in response to cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada at scale, as recently as May 31, 2023. All organizations are encouraged to review this advisory for information on how to detect whether this activity is on their network, along with recommended actions and mitigations to manage the risk.
- Joint Cybersecurity Advisory: Understanding Ransomware Threat Actors: LockBit
- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and international partners released a joint CSA on affiliated LockBit cyber threat actors. Over the last three years, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors. All organizations are encouraged to review this advisory and implement the recommended actions and mitigations to reduce the likelihood and impact of future ransomware incidents.
- Joint Cybersecurity Advisory: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability
- The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released a CSA on the CL0P Ransomware Gang, also known as TA505, which reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer (MFT) solution, MOVEit Transfer, on May 27, 2023. All organizations are encouraged to review this advisory for information on how to detect whether this activity is on their network, along with recommended actions and mitigations to manage the risk.
- CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force
- CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.
- Joint Cybersecurity Advisory: BianLian Ransomware
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre (ACSC) released a CSA on BianLian ransomware. The FBI has observed the BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022. All organizations are encouraged to review this advisory for information on how to detect whether this activity is on their network, along with recommended actions and mitigations to manage the risk.
- Joint Cybersecurity Advisory: Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a CSA about active exploitation by malicious cyber actors of a known critical vulnerability in the PaperCut print management software. All organizations are encouraged to review this advisory for information on how to detect whether this activity is on their network, along with recommended actions and mitigations to manage the risk.
- Joint Cybersecurity Advisory: LockBit 3.0 Ransomware
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint CSA on LockBit 3.0 ransomware. LockBit affiliates have attacked a wide range of businesses and critical infrastructure organizations. All organizations are encouraged to review this advisory for threat details, the actors' tactics, techniques, and procedures (TTPs), and indicators of compromise that can be used to detect whether this activity is on their network, along with recommended actions and mitigations to manage the risk.
- Joint Cybersecurity Advisory: Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities
- The National Security Agency, Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Department of Health and Human Services, and the Republic of Korea's National Intelligence Service and Defense Security Agency released a joint CSA on North Korean ransomware attacks used to fund espionage activities. To reduce the risk from this nation-state-sponsored threat, all organizations, especially health and healthcare entities, are encouraged to review the actors' tactics, techniques, and procedures (TTPs) and indicators of compromise, and to implement the recommended actions and mitigations.
- Joint Cybersecurity Advisory: Cuba Ransomware
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint CSA on Cuba ransomware, which has been used to target a wide range of businesses and critical infrastructure sector organizations, including those in Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology. All organizations are encouraged to review this advisory for threat details, the actors' tactics, techniques, and procedures (TTPs), indicators of compromise that can be used to detect whether this activity is on their network, and actions and mitigations to implement to manage the risk.
- Joint Cybersecurity Advisory: Hive Ransomware
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released a joint CSA on Hive ransomware, which has been used to target a wide range of businesses and critical infrastructure sector organizations, including those in the Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH) Sectors. All organizations are encouraged to review this advisory for threat details, the actors' tactics, techniques, and procedures (TTPs), indicators of compromise that can be used to detect whether this activity is on their network, and actions and mitigations to implement to manage the risk.
- Joint Cybersecurity Advisory: Daixin Team Leverages Ransomware to Target the Healthcare and Public Health Sector
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released a joint CSA on Daixin actors, who have been targeting the Healthcare and Public Health sector with ransomware since at least June 2022. All organizations are encouraged to review this advisory for threat details, the actors' tactics, techniques, and procedures (TTPs), indicators of compromise that can be used to detect whether this activity is on their network, and actions and mitigations to implement to manage the risk.
- Joint Cybersecurity Advisory: Iranian State Actors Conduct Cyber Operations Against the Government of Albania
- The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency published this CSA to provide actionable information on Iranian state actors that launched a destructive cyber attack against the government of Albania in July 2022, rendering websites and services unavailable. All organizations are encouraged to review this advisory for threat details; the actors' tactics, techniques, and procedures (TTPs); indicators of compromise that can be used to detect whether this activity is on their network; and actions and mitigations that can be implemented to manage the risk posed by these APT actors.
- Joint Cybersecurity Advisory: Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations
- The Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, U.S. Cyber Command - Cyber National Mission Force (CNMF), the Department of the Treasury, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, and the United Kingdom's National Cyber Security Centre published a CSA to highlight continued malicious cyber activity by advanced persistent threat (APT) actors affiliated with the Iranian Government's Islamic Revolutionary Guard Corps (IRGC). All organizations are encouraged to review this advisory for threat details; the actors' tactics, techniques, and procedures (TTPs); indicators of compromise that can be used to detect whether this activity is on their network; and actions and mitigations that can be implemented to manage the risk posed by these APT actors.
- Joint Cybersecurity Advisory: Vice Society
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory detailing indicators of compromise and tactics, techniques, and procedures associated with Vice Society actors, who disproportionately target the education sector with ransomware attacks. Observed as recently as September 2022, Vice Society is believed to be a Russia-based intrusion, exfiltration, and extortion hacking group. The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year gets underway for most of the United States.
- Joint Cybersecurity Advisory: Zeppelin Ransomware
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) on Zeppelin ransomware, which has been identified through FBI investigations as recently as April 2022. The CSA details the known tactics, techniques, and procedures (TTPs), threat details, and indicators of compromise (IOCs). All organizations are encouraged to review the IOCs and implement actions and mitigations to manage this potential cyber risk.
- Joint Cybersecurity Advisory: MedusaLocker Ransomware
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) released a joint Cybersecurity Advisory (CSA) on MedusaLocker ransomware with historically known tactics, techniques, and procedures (TTPs); threat details; and indicators of compromise (IOCs). All organizations are encouraged to review the IOCs and implement actions and mitigations to manage the risk posed by malware actors using MedusaLocker.
- FBI FLASH (CU-000163-MW): RagnarLocker Ransomware Indicators of Compromise
- The FBI first became aware of RagnarLocker in April 2020 and subsequently produced a FLASH to disseminate known indicators of compromise (IOCs) at that time. This FLASH provides updated and additional IOCs to supplement that report. As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors. RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention.
- FBI PIN (20211101-001): Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims
- The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections. Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.
- FBI FLASH (CU-000154-MW): Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware
- The FBI first observed Hello Kitty/FiveHands ransomware in January 2021. Hello Kitty/FiveHands actors aggressively apply pressure to victims, typically using the double extortion technique. In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company's public-facing website. Hello Kitty/FiveHands actors demand varying ransom payments in Bitcoin (BTC) that appear tailored to each victim, commensurate with their assessed ability to pay. If no ransom is paid, the threat actors will post victim data to the Babuk site (payload.bin) or sell it to a third-party data broker.
- FBI PIN (20210901-001): Cyber Criminal Actors Targeting the Food and Agriculture Sector with Ransomware Attack
- Ransomware attacks targeting the Food and Agriculture sector disrupt operations, cause financial loss, and negatively impact the food supply chain. Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, and markets and restaurants. Cyber criminal threat actors exploit network vulnerabilities to exfiltrate data and encrypt systems in a sector that is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems.
- FBI Flash (CU-000153-MW): Indicators of Compromise Associated with Ranzy Locker Ransomware
- The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021.
- FBI Flash (MC-000150-MW): Indicators of Compromise Associated with Hive Ransomware
- Hive ransomware, which was first observed in June 2021 and likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.
- FBI Flash (CU-000149-MW): Indicators of Compromise Associated with OnePercent Group Ransomware
- The FBI has learned of a cyber criminal group that self-identifies as the "OnePercent Group" and that has used Cobalt Strike to perpetrate ransomware attacks against US companies since November 2020. OnePercent Group actors compromise victims through a phishing email in which an attachment is opened by the user.
- Joint Cybersecurity Advisory: Ransomware Awareness for Holidays and Weekends
- Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months this year. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.
- Joint Cybersecurity Advisory: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
- CISA and FBI are aware of a ransomware attack affecting a critical infrastructure (CI) entity, a pipeline company, in the United States. Malicious cyber actors deployed DarkSide ransomware, a ransomware-as-a-service (RaaS) variant, against the pipeline company's information technology (IT) network. This joint advisory provides technical details on the DarkSide actors, some of their known tactics and preferred targets, and recommended best practices for preventing business disruption from ransomware attacks.
- Current Activity: Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware
- On May 19, a downloadable STIX file of indicators of compromise (IOCs) was added to the advisory to help network defenders find and mitigate activity associated with DarkSide ransomware.
- FBI Flash (CP-000147-MW): Conti Ransomware Attacks Impact Healthcare and First Responder Networks
- The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities.
- FBI Flash (CU-000143-MW): Mamba Ransomware Weaponizing DiskCryptor
- Joint FBI and CISA coordinated product on Mamba ransomware, provided to help cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber actors.
- Joint Alert (AA21-076A): TrickBot Malware
- CISA and FBI have observed continued sophisticated spearphishing campaigns using TrickBot malware in North America. Cybercrime actors are luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot, a Trojan first identified in 2016. Attackers can use TrickBot to drop other malware, such as Ryuk and Conti ransomware, or serve as an Emotet downloader.
- FBI Flash (CP-000142-MW): Increase in PYSA Ransomware Targeting Education Institutions
- Joint FBI and CISA coordinated product on PYSA ransomware, provided to help cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber actors.
- FBI Private Industry Notification (PIN#: 20210106-001): Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data
- Joint FBI and CISA coordinated product on Egregor ransomware, provided to help cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber actors.
- FBI Public Service Announcement (I-121520-PSA): Transition to Distance Learning Creates Opportunities for Cyber Actors to Disrupt Instruction and Steal Data
- Joint FBI and CISA Public Service Announcement (PSA) raising awareness for parents and caregivers of school-age children about potential disruptions to schools and compromises of private information, as cyber actors exploit remote learning vulnerabilities.
- Joint Alert (AA20-302A): Ransomware Activity Targeting the Healthcare and Public Health Sector
- Joint cybersecurity advisory from CISA, the FBI, and the Department of Health and Human Services (HHS), describing the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.
- Joint Alert (AA20-106A): Guidance on the North Korean Cyber Threat
- This advisory from the U.S. Departments of State, the Treasury, and Homeland Security, and the FBI is a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public, and it provides recommended steps to mitigate the threat.
- Joint Alert (AA18-337A): SamSam Ransomware
- DHS and the FBI issued this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A.