Cyber Hygiene Helps Organizations Mitigate Ransomware-Related Vulnerabilities 


By Sandra Radesky, Associate Director Vulnerability Management, Stephanie Kennelley, Risk Operations Federal Lead, and Genevieve Marquardt, Cyber Hygiene Deputy Section Chief 

Ransomware continues to evolve as a scourge on critical services, businesses, and communities worldwide, causing costly incidents that are increasingly destructive and disruptive. Based on recent industry reporting, it costs businesses an average of $1.85 million to recover from a ransomware attack.1 In addition, 80% of victims who paid a ransom were targeted and victimized again by these criminals.2 The economic, technical, and reputational impacts of ransomware incidents, throughout the initial disruption and, at times, extended recovery, continue to pose a challenge for organizations large and small. 

To directly reduce the attack surface and impact of ransomware attacks, the Cybersecurity and Infrastructure Security Agency’s (CISA) Ransomware Vulnerability Warning Pilot (RVWP) focuses on proactive risk reduction through direct communication with federal government, state, local, tribal, territorial (SLTT) government, and critical infrastructure entities to prevent threat actors from accessing and deploying ransomware on their networks. Aligned with the Joint Ransomware Task Force, this pilot provides timely notification to critical infrastructure organizations to mitigate vulnerabilities and protect their networks and systems by using existing services, data sources, technologies, and authorities.  

A key service used for warning organizations of ransomware-related vulnerabilities is our Cyber Hygiene Vulnerability Scanning, which monitors internet connected devices for known vulnerabilities and is available to any organization. Organizations participating in this no-cost service typically reduce their risk and exposure by 40% within the first 12 months and most see improvements in the first 90 days. Because the service looks for exposed assets, whether planned or inadvertent, it identifies vulnerabilities that would otherwise go unmanaged. For its use in support of RVWP, it informs organizations of those vulnerabilities commonly associated with known ransomware exploitation.  

For Calendar Year (CY) 2023, RVWP completed 1,754 notifications to entities operating an internet-accessible vulnerable device. Following notification of the vulnerabilities, CISA regularly conducts vulnerability scans to determine whether the entities appear to have mitigated their vulnerable devices. Our findings indicated that 852 of the 1,754 notifications (49%) of vulnerable devices were either patched, implemented a compensating control, or taken offline after notification from CISA. Our regional teams work closely with notified entities in order to drive timely mitigation.  

Critical Infrastructure SectorTotals
Critical Manufacturing69
Defense Industrial Base12
Emergency Services17
Financial Services127
Food and Agriculture54
Government Facilities641*
Healthcare and Public Health440
Information Technology64
Water and Wastewater10

Table 1: RVWP Notification Breakdown by CI Sector 
*Value includes notifications for K-12 schools and districts, higher education facilities, SLTT government organizations, and U.S federal agencies.  

The RVWP program enables organizations from all critical infrastructure sectors to harden their networks with respect to the vulnerabilities that ransomware gangs are known to use. As a result, it reduces the effectiveness of ransomware gang tools and procedures. With RVWP we are increasing their operational costs and contributing to deterrence by denial.   

Giving organizations an opportunity to mitigate known vulnerabilities on their internet exposed devices also significantly helps organizations reduce their likelihood of a cyber incident. Currently, CISA Cyber Hygiene Vulnerability Scanning has more than 7,600 organizations across all sectors and has identified more than 3M known vulnerabilities for participants since 2022. By partnering with CISA in this service you're not just securing your digital assets; you're making a no-cost, low-risk strategic choice to achieve measurable improvements and proactively protect your business's reputation and future!  

We urge organizations to take the following actions to help #StopRansomware: 

  • Enroll in the no-cost CISA Cyber Hygiene Vulnerability Scanning, it's not just about pinpointing vulnerabilities; it's helping organizations raise their cybersecurity posture and reduce business risk.  
  • Review the #StopRansomware Guide, which includes a valuable and very useful checklist on how to respond to a ransomware incident and protect your organization.   
  • Always report observed ransomware activity, including indicators of compromise and tactics, techniques, and procedures (TTPs), to CISA and our federal law enforcement partners.  


[1] Sophos, rep. The State of Ransomware 2021. Sophos. n.d.

[2] Cybereason Team, rep., Ransomware: The True Cost to Business (Cybereason, n.d.),