Ransomware Alerts and Tips


  • Alert (AA21-076A): TrickBot Malware
    • CISA and the FBI have observed continued, sophisticated spearphishing campaigns using TrickBot malware in North America. Cybercrime actors lure victims with phishing emails themed around a traffic infringement to download TrickBot, a Trojan first identified in 2016. Attackers can use TrickBot to drop other malware, such as Ryuk and Conti ransomware, and TrickBot can also act as a downloader for Emotet. 
  • Current Activity: SMB Security Best Practices
    • In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. The SMB service is present on all Windows systems, and legacy versions of the SMB protocol could allow a remote attacker to obtain sensitive information from affected systems. The Current Activity includes recommendations for users and administrators. 
  • Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
    • CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) continue to receive numerous reports of ransomware attacks against kindergarten through twelfth grade (K-12) educational institutions. According to MS-ISAC data, the share of reported ransomware incidents involving K-12 schools rose at the start of the 2020 school year: in August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared with 28% of all reported ransomware incidents from January through July. In response to this ransomware threat and other malicious cyber activity (such as data theft and disruption of distance learning), CISA, the FBI, and the MS-ISAC published a joint advisory that assesses recent attempts by malicious cyber actors to target K-12 educational institutions and explains how to mitigate these attacks. 
  • Alert (AA20-302A): Ransomware Activity Targeting the Healthcare and Public Health Sector
    • Joint cybersecurity advisory from CISA, the FBI, and the Department of Health and Human Services (HHS), describing the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.
  • Alert (AA20-183A): Defending Against Malicious Cyber Activity Originating from Tor
    • This advisory—written by CISA with contributions from the FBI—highlights risks associated with Tor, along with technical details and recommendations for mitigation. 
  • Alert (AA20-107A): Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
    • This Alert provides an update to CISA Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability, which advised organizations to immediately patch CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure virtual private network (VPN) appliances.
  • Alert (AA20-106A): Guidance on the North Korean Cyber Threat
    • This advisory from the U.S. Departments of State, the Treasury, and Homeland Security, and the FBI is a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public, and it provides recommended steps to mitigate the threat. 
  • Joint Statement: U.K. and U.S. Security Agencies Issue COVID-19 Cyber Threat Update
    • A joint advisory by the UK’s National Cyber Security Centre (NCSC) and CISA shows that cyber criminals and advanced persistent threat (APT) groups are targeting individuals and organizations with a range of ransomware and malware.
  • Alert (AA20-099A): COVID-19 Exploited by Malicious Cyber Actors
    • This joint alert from CISA and the United Kingdom's National Cyber Security Centre (NCSC) provides information on exploitation of the coronavirus disease 2019 (COVID-19) global pandemic by cybercriminal and advanced persistent threat (APT) groups. 
  • Alert (AA20-049A): Ransomware Impacting Pipeline Operations
    • This CISA advisory encourages asset owners and operators across all critical infrastructure sectors to review the threat actor techniques described in the advisory and ensure the corresponding mitigations are applied.
  • Alert (AA20-010A): Continued Exploitation of Pulse Secure VPN Vulnerability
    • Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix an arbitrary file reading vulnerability, known as CVE-2019-11510, can become compromised in an attack. 
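Both Pulse Secure alerts above concern the same arbitrary file read, CVE-2019-11510, which was exploited through directory traversal in request paths under the appliance's /dana-na/ web root. As an added example (editor's code, not part of either CISA alert or of any CISA tool), the following Python scanner walks constructed access-log lines in Common Log Format and flags traversal attempts, resolving where each request would have landed and whether the server appears to have served the file. The unencoded request mirrors the widely published proof-of-concept URI for this CVE; the percent-encoded variants, the log lines, the RFC 5737 addresses and the finding field names are all constructed by the editor.

```python
"""Scan web-server access logs for CVE-2019-11510-style path traversal attempts."""
import re
from posixpath import normpath
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (editor's fixtures, not real appliance logs).
# Line 2 mirrors the widely published proof-of-concept request; lines 3 and 5 are
# constructed percent-encoded variants of the same traversal.
SAMPLE_LOGS = [
    '203.0.113.7 - - [07/Jan/2020:10:02:11 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120',
    '198.51.100.23 - - [07/Jan/2020:10:02:13 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1893',
    '203.0.113.9 - - [07/Jan/2020:10:06:01 +0000] "GET /dana-na/..%2fdana/html5acc/guacamole/..%2f..%2f..%2f..%2fetc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 404 0',
    '192.0.2.44 - - [07/Jan/2020:10:05:40 +0000] "GET /dana/home/index.cgi HTTP/1.1" 302 0',
    '203.0.113.9 - - [07/Jan/2020:10:06:05 +0000] "GET /dana-na/%252e%252e/dana/html5acc/guacamole/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 403 0',
]

# Common Log Format: client, ident, user, [timestamp], "METHOD target HTTP/x", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_request(target: str) -> Dict[str, object]:
    """Decode a request target and report whether it contains a '..' segment.

    Percent-decoding is applied twice so that double-encoded dots (%252e) are
    seen as the traversal they would become after a second decode on the server.
    normpath() shows where the path resolves after the '..' segments are applied;
    on an absolute path it also drops '..' segments that climb past the root.
    """
    path, _, query = target.partition('?')
    decoded = unquote(unquote(path))
    return {
        'traversal': any(seg == '..' for seg in decoded.split('/')),
        'resolved': normpath(decoded),
        # Query suffix present in the published proof-of-concept request.
        'guacamole_query': query.startswith('/dana/html5acc/guacamole'),
    }


def detect_traversal(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line whose request path contains a traversal."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        info = analyze_request(rec['target'])
        if not info['traversal']:
            continue
        findings.append({
            'source': rec['ip'],
            'timestamp': rec['ts'],
            'raw_target': rec['target'],
            'resolved': info['resolved'],
            'status': int(rec['status']),
            'guacamole_query': info['guacamole_query'],
            # A 200 with a non-empty body strongly suggests the file was returned.
            'succeeded': rec['status'] == '200' and int(rec['size']) > 0,
        })
    return findings


if __name__ == '__main__':
    for f in detect_traversal(SAMPLE_LOGS):
        verdict = 'SERVED' if f['succeeded'] else 'attempted'
        print(f"{f['timestamp']} {f['source']} -> {f['resolved']} ({f['status']}, {verdict})")
```

A finding with `succeeded` set is the one to treat as a confirmed file disclosure and investigate for follow-on credential or session theft; the 404 and 403 hits still identify a scanning source worth blocking. Because the check decodes before looking for `..`, it also catches the encoded forms a naive substring search on the raw line would miss.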
  • Alert (AA19-339A): Dridex Malware
    • This joint U.S. Department of Treasury and CISA alert informs the financial services sector about the Dridex malware and variants. 
  • Joint Statement: CISA, MS-ISAC, NGA & NASCIO Recommend Immediate Action to Safeguard Against Ransomware Attacks
    • CISA, along with the Multi-State Information Sharing and Analysis Center (MS-ISAC), the National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO), issued this joint statement urging their State, local, territorial, and tribal government partners to take essential actions to strengthen their defensive posture against ransomware. 
  • Alert (AA18-337A): SamSam Ransomware
    • DHS and the FBI issued this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. 
  • Alert (TA18-201A): Emotet Malware
    • This joint Technical Alert (TA) from DHS and the Multi-State Information Sharing & Analysis Center (MS-ISAC) examines Emotet, an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans.
  • Alert (TA17-181A): Petya Ransomware
    • This Alert reflects the U.S. Government's public attribution of the "NotPetya" malware variant to the Russian military.
  • Alert (TA17-132A): Indicators Associated With WannaCry Ransomware
    • This Alert reflects the U.S. Government's public attribution of the "WannaCry" malware variant to the North Korean government.
  • Alert (TA16-091A): Ransomware and Recent Variants
    • DHS, in collaboration with Canadian Cyber Incident Response Centre (CCIRC), released this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.
  • Alert (TA14-295A): Crypto Ransomware 
    • This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in coordination with DHS and provides further information about crypto ransomware, specifically to present its main characteristics, explain the prevalence of ransomware and the proliferation of crypto ransomware variants, and provide prevention and mitigation information.
  • Alert (TA13-309A): CryptoLocker Ransomware Infections
    • Alert from US-CERT providing recommendations to users and administrators on preventative measures to protect their computer networks from a CryptoLocker infection.
  • Security Tip (ST04-005): Understanding Anti-Virus Software
    • A US-CERT security tip that answers many of the initial questions that individuals and organizations have regarding the benefits of anti-virus software. 
  • Security Tip (ST04-006): Understanding Patches and Software Updates
    • A US-CERT security tip that provides an overview on patches and software updates, as well as an explanation on the difference between manual and automatic updates, a definition of end-of-life software, and best practices for updating your software.
  • Security Tip (ST04-010): Using Caution with Email Attachments
    • A US-CERT security tip that answers questions regarding email attachments and provides tips to protect yourself and others in your address book. 

Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.
