CISA Announces Ransomware Vulnerability Warning Pilot
Table of Contents
Purpose
Last week, on Monday March 13, CISA announced the creation of the Ransomware Vulnerability Warning Pilot (RVWP). This program was launched through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed by President Biden in March 2022. The RVWP aims to accomplish two tasks:
- Proactively identifies information systems—belonging to critical infrastructure entities—that contain vulnerabilities commonly associated with ransomware intrusions.
- Notifies the owners of the affected information systems, which enables the owners to mitigate the vulnerabilities before damaging intrusions occur.
The RVWP aims to reduce the time it takes for critical infrastructure entities to identify and fix known vulnerabilities. CISA already provides the Known Exploited Vulnerabilities (KEV) catalog which lists vulnerabilities that are known to be exploited and have remediation solutions. The KEV catalog provides a vulnerability list, while RVWP aims to help critical organizations identify these vulnerabilities so that they can be remediated.
How does RVWP work?
How does CISA identify these vulnerabilities in these organizations?
CISA accomplishes this work by leveraging its existing services, data sources, technologies, and authorities, including CISA’s Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted to CISA under Section 2209 of the Homeland Security Act of 2002. CISA Factsheet
CISA’s Cyber Hygiene Vulnerability Scanning service is a free vulnerability assessment for federal, state, local, tribal and territorial governments along with critical infrastructure organizations. This vulnerability scan service targets organizations external networks, scanning public IPv4 addresses for vulnerable services. It provides weekly vulnerability reports, and notifies organizations of new vulnerabilities via alerts. CISA regional staff notify critical infrastructure organizations of new vulnerabilities from these vulnerability scans. To learn more about CISA’s vulnerability scanning service visit here or email vulnerability@cisa.dhs.gov with the subject line “Requesting Cyber Hygiene Services”.
A Proactive Approach
CISA has traditionally encouraged reporting of cybersecurity incidents, including ransomware incidents. This has included campaigns like “Observe, Act, Report” and factsheets on how best to report cyber incidents. Ransomware event information sharing is critical, but unfortunately it is reactionary. Every ransomware event should be shared with CISA and can be done through their Incident Reporting System. The RVWP is a proactive approach to combatting ransomware attacks. RVWP prevents ransomware attacks from succeeding by reducing known vulnerabilities with free vulnerability scanning along with weekly reports and alerts.
Ransomware's Impact Today
The CIRCIA legislation, that led to the RVWP, was in response in large part due to the Colonial Pipeline Cyber Attack in May 2021. The oil and gas sector and various critical infrastructures have continued to become increasingly targeted by ransomware attacks in the last two years. These ransomware attacks have set all-time records in scope and ransomware demand amounts. Ransomware information sharing and active vulnerability remediation could not be more important in light of these attacks. All organizations are recommended to conduct, at a minimum, regular external network security audits. Keeping apprised of new vulnerabilities also allows for quick patching and remediation actions. Some notable ransomware events that highlight ransomware’s growing impact include:
- May 2021: “largest cyberattack on oil infrastructure target in the history of the United States” The Colonial Pipeline Company was targeted by DarkSide. 17 states declared an emergency declaration.
- May 2021: “largest cyberattack on food production company” Brazil-based meat processing company, JBS S.A., supplies approximately one-fifth of meat globally. JBS paid $11 million in bitcoin to REvil.
- April 2022: National State of Emergency in Costa Rica The Conti Group and Hive Ransomware Group attacked nearly 30 governmental institutions in Costa Rica
Federal, state, local, tribal and territorial governments and all critical infrastructure organizations should utilize the Ransomware Vulnerability Warning Pilot program for free vulnerability assessments. All organizations should conduct regular vulnerability assessments. Secured offers vulnerability scanning that includes checking for vulnerabilities from CISA’s Known Exploited Vulnerability (KEV) catalog. Organizations can also utilize publicly available tools, like Shodan.io and Greenbone OpenVAS, to see if network assets are exposed and vulnerable.