Official Alerts & Statements - CISA
Official CISA updates to help stakeholders guard against the ever-evolving ransomware threat environment. These alerts, current activity reports, analysis reports, and joint statements are geared toward system administrators and other technical staff to bolster their organization's security posture.
- Advisory (AA25-163A): Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider
- The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025.
- Advisory (AA25-071A): #StopRansomware: Medusa Ransomware
- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025.
- Advisory (AA25-050A): #StopRansomware: Ghost (Cring) Ransomware
- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring) ransomware (hereafter "Ghost") IOCs and TTPs identified through FBI investigation as recently as January 2025.
- Advisory (AA24-242A): #StopRansomware: RansomHub Ransomware
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) (hereafter referred to as the authoring organizations) are releasing this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. These have been identified through FBI threat response activities and third-party reporting as recently as August 2024. RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).
- Advisory (AA24-131A): #StopRansomware: Black Basta
- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.
- Advisory (AA24-109A): #StopRansomware: Akira Ransomware
- The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024.
- Advisory (AA24-060A): #StopRansomware: Phobos Ransomware
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.
- Advisory (AA23-353A): #StopRansomware: ALPHV Blackcat
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations as recently as February 2024.
- Advisory (AA23-352A): #StopRansomware: Play Ransomware
- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) are releasing this joint advisory to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as January 2025.
- Advisory (AA23-325A): #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability
- The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.
- Advisory (AA23-319A): #StopRansomware: Rhysida Ransomware
- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Rhysida ransomware IOCs and TTPs identified through investigations as recently as December 2024. Rhysida has predominantly been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023. The information in this advisory is derived from related incident response investigations and malware analysis of samples discovered on victim networks.
- Advisory (AA23-284A): #StopRansomware: AvosLocker Ransomware (Update)
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known IOCs, TTPs, and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023. AvosLocker operates under a ransomware-as-a-service (RaaS) model. AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments. AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data.
- Advisory (AA23-263A): #StopRansomware: Snatch Ransomware
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.
- Advisory (AA23-165A): Understanding Ransomware Threat Actors: LockBit
- In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat.
- Advisory (AA23-158A): #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023.
- Advisory (AA23-136A): #StopRansomware: BianLian Ransomware Group
- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ASD’s ACSC investigations.
- Advisory (AA23-075A): #StopRansomware: LockBit 3.0
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.
- Advisory (AA23-061A): Royal Ransomware
- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint CSA on Royal ransomware used by threat actors. Attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, Healthcare and Public Health (HPH), and education. All organizations are encouraged to review this advisory for threat details, the actors’ tactics, techniques, and procedures (TTPs), and indicators of compromise that can be used to detect whether this activity is on your network, along with recommended actions and mitigations to manage the risk.
- Advisory (AA23-039A): ESXiArgs Ransomware Virtual Machine Recovery Guidance
- The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released an advisory with guidance on how to use an ESXiArgs recovery script. Organizations that have fallen victim to ESXiArgs ransomware can use the script to attempt to recover their files. Other recommended mitigations are provided that all organizations should consider implementing.
- Advisory (AA22-216a): Top 2021 Malware Strains
- The Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) published a Cybersecurity Advisory (CSA) that provides details on the 2021 top malware strains used by malicious cyber actors to covertly compromise and then gain unauthorized access to a computer or mobile device.
- Advisory (AA22-152A): Karakurt Data Extortion Group
- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory (CSA) to provide information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.
- Advisory (AA21-321A): Iranian Government-Sponsored APT Cyber Actors
- CISA, FBI, the Australian Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre published a joint Cybersecurity Advisory highlighting ongoing malicious cyber activity by an advanced persistent threat (APT) group associated with the government of Iran. These APT actors have been observed exploiting Fortinet and Microsoft Exchange ProxyShell vulnerabilities to gain initial access to systems in advance of follow-on operations, which include deploying ransomware.
- Advisory (AA21-291A): BlackMatter Ransomware
- This joint advisory from CISA, the FBI, and the NSA provides information on BlackMatter ransomware, which, since July 2021, has targeted multiple U.S. critical infrastructure sectors, including two U.S. Food and Agriculture Sector organizations. The advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well as from trusted third-party reporting.
- Advisory (AA21-287A): Ongoing Cyber Threats to U.S. Water and Wastewater Systems
- CISA, FBI, EPA and the NSA published a joint advisory with a threat overview, which includes ransomware attacks, as well as recommended mitigations to defend against ongoing malicious cyber activity targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities. Although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.
- Advisory (AA21-265A): Conti Ransomware
- CISA, FBI, and NSA published a joint advisory on Conti ransomware with technical details, adversary behavior mapped to MITRE ATT&CK and recommended mitigations. CISA and the FBI have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations to steal files, encrypt servers and workstations, and demand a ransom payment.
- Alert: CISA Insights: Guidance for MSPs and Small- and Mid-sized Businesses
- CISA has released CISA Insights: Guidance for Managed Service Providers (MSPs) and Small- and Mid-sized Businesses, which provides mitigation and hardening guidance to help these organizations strengthen their defenses against cyberattacks. Many small- and mid-sized businesses use MSPs to manage IT systems, store data, or support sensitive processes, making MSPs valuable targets for malicious cyber actors.
- Alert: CISA Issues Emergency Directive on Microsoft Windows Print Spooler
- CISA has issued Emergency Directive (ED) 21-04: Mitigate Windows Print Spooler Service Vulnerability, addressing CVE-2021-34527. Attackers can exploit this vulnerability to remotely execute code with system-level privileges, enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization.
- Alert: Kaseya Ransomware Attack: Guidance and Resources
- CISA has created a webpage to provide information and guidance for the recent ransomware attack against Kaseya customers that include managed service providers (MSPs) and customers of those MSPs. CISA encourages affected organizations to review Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers for more information.
- Alert: SolarWinds Releases Advisory for Serv-U Vulnerability
- On July 13, SolarWinds released an advisory addressing a vulnerability, CVE-2021-35211, affecting Serv-U Managed File Transfer and Serv-U Secure FTP. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Note: this vulnerability does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products.
- Fact Sheet: Rising Ransomware Threat to Operational Technology Assets
- A fact sheet for critical infrastructure owners and operators detailing the rising threat of ransomware to operational technology (OT) assets and control systems. The document includes several recommended actions and resources that critical infrastructure entities should implement to reduce the risk of this threat.
- Alert: Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware
- On May 19, a downloadable STIX file of indicators of compromise (IOCs) was added to the advisory to help network defenders find and mitigate activity associated with DarkSide ransomware.
- Advisory (AA21-131A): DarkSide Ransomware
- CISA and FBI are aware of a ransomware attack affecting a critical infrastructure (CI) entity, a pipeline company, in the United States. Malicious cyber actors deployed DarkSide ransomware, a ransomware-as-a-service (RaaS) variant, against the pipeline company's information technology (IT) network. This joint advisory provides technical details on the DarkSide actors, some of their known tactics and preferred targets, and recommended best practices for preventing business disruption from ransomware attacks.
- Analysis Report (AR21-126A): FiveHands Ransomware
- Recently, threat actors successfully launched a cyberattack against an organization using a new ransomware variant, which CISA refers to as FiveHands. The actors used publicly available penetration testing and exploitation tools, FiveHands ransomware, and SombRAT remote access trojan (RAT), to steal information, access credentials, obscure files, and demand a ransom from the victim. In addition to mitigation recommendations, this report provides the tactics, techniques, and procedures the threat actors used as well as indicators of compromise (IOCs).
- Advisory (AA21-076A): TrickBot Malware
- CISA and FBI have observed continued sophisticated spearphishing campaigns using TrickBot malware in North America. Cybercrime actors are luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot, a Trojan first identified in 2016. Attackers can use TrickBot to drop other malware, such as Ryuk and Conti ransomware, or serve as an Emotet downloader.
- Alert: SMB Security Best Practices
- In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. This service is universally available on Windows systems, and legacy versions of the SMB protocol could allow a remote attacker to obtain sensitive information from affected systems. The Current Activity includes recommendations for users and administrators.
- Advisory (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
- Numerous reports of ransomware attacks against kindergarten through twelfth grade (K-12) educational institutions continue to be reported to CISA, FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July. In response to this ransomware threat and other malicious cyber activity (such as data theft and disruption of distance learning), CISA, the FBI, and the MS-ISAC published a joint advisory that provides an assessment on recent attempts of malicious cyber actors to target K-12 educational institutions and how to mitigate these cyber-attacks.
- Advisory (AA20-302A): Ransomware Activity Targeting the Healthcare and Public Health Sector
- Joint cybersecurity advisory from CISA, the FBI, and the Department of Health and Human Services (HHS), describing the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.
- Advisory (AA20-183A): Defending Against Malicious Cyber Activity Originating from Tor
- This advisory—written by CISA with contributions from the FBI—highlights risks associated with Tor, along with technical details and recommendations for mitigation.
- Advisory (AA20-107A): Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
- This Alert provides an update to CISA Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability, which advised organizations to immediately patch CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure virtual private network (VPN) appliances.
- Advisory (AA20-106A): Guidance on the North Korean Cyber Threat
- This advisory from the U.S. Departments of State, the Treasury, and Homeland Security, and the FBI is a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public, and it provides recommended steps to mitigate the threat.
- Joint Statement: U.K. and U.S. Security Agencies Issue COVID-19 Cyber Threat Update
- A joint advisory by the UK’s National Cyber Security Centre (NCSC) and CISA shows that cyber criminals and advanced persistent threat (APT) groups are targeting individuals and organizations with a range of ransomware and malware.
- Advisory (AA20-049A): Ransomware Impacting Pipeline Operations
- CISA advisory encourages asset owner operators across all critical infrastructure sectors to review the below threat actor techniques and ensure the corresponding mitigations are applied.
- Advisory (AA20-010A): Continued Exploitation of Pulse Secure VPN Vulnerability
- Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix an arbitrary file reading vulnerability, known as CVE-2019-11510, can become compromised in an attack.
- Advisory (AA19-339A): Dridex Malware
- This joint U.S. Department of Treasury and CISA alert informs the financial services sector about the Dridex malware and variants.
- Joint Statement: CISA, MS-ISAC, NGA & NASCIO Recommend Immediate Action to Safeguard Against Ransomware Attacks
- CISA, along with the Multi-State Information Sharing and Analysis Center (MS-ISAC), the National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO), issued this joint statement urging their state, local, territorial, and tribal government partners to take essential actions to enhance their defensive posture against ransomware.
- Alert (AA18-337A): SamSam Ransomware
- DHS and the FBI issued this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A.
- Alert (TA18-201A): Emotet Malware
- This joint Technical Alert (TA) from DHS and the Multi-State Information Sharing & Analysis Center (MS-ISAC) examines Emotet, an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans.