Newsroom

• The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this joint Cybersecurity Advisory (CSA) to disseminate Indicators of Compromise (IOCs) on Snatch ransomware identified through FBI investigations as recently as June 2023 and provide mitigations to help organizations protect against this cyber threat. 

JOINT CYBERSECURITY ADVISORY: IDENTIFICATION AND DISRUPTION OF QAKBOT INFRASTRUCTURE

• The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this joint Cybersecurity Advisory (CSA) to disseminate QakBot infrastructure Indicators of Compromise (IOCs) identified through FBI investigations as of August 2023 and provide mitigations to help organizations protect against this cyber threat.

JOINT CYBERSECURITY ADVISORY: INCREASED TRUEBOT ACTIVITY INFECTS U.S. AND CANADA BASED NETWORKS AT SCALE

• The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) are releasing this joint Cybersecurity Advisory (CSA) in response to cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada at scale as recently as May 31, 2023.

JOINT CYBERSECURITY ADVISORY: UNDERSTANDING RANSOMWARE THREAT ACTORS: LOCKBIT  

• The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center, and international partners released joint CSA on LockBit, an evolving and ongoing Ransomware-as-a-Service (RaaS). Protect your organization against this ongoing, global cyber threat by reading the advisory and implementing recommended mitigations.

JOINT CYBERSECURITY ADVISORY: CL0P Ransomware Gang 

• The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released joint CSA on CL0P Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer. 

CISA AND PARTNERS UPDATE THE #STOPRANSOMWARE GUIDE, DEVELOPED THROUGH THE JOINT RANSOMWARE TASK FORCE 

• CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.

JOINT CYBERSECURITY ADVISORY: BIANLIAN RANSOMWARE   

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre (ACSC) released joint CSA on BianLian ransomware. FBI observed BianLian group targeting organizations in multiple U.S. critical infrastructure sectors since June 2022. 

JOINT CYBERSECURITY ADVISORY:  CISA and FBI Release Joint Advisory in Response to Active Exploitation of PaperCut Vulnerability

• The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint CSA – “Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG.” 

JOINT CYBERSECURITY ADVISORY: LockBit 3.0 RANSOMWARE  

• The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released joint CSA on LockBit 3.0 ransomware. LockBit affiliates have attacked a wide range of businesses and critical infrastructure organizations.

CISA ESTABLISHES RANSOMWARE VULNERABILITY WARNING PILOT 

• Recognizing the persistent threat posed by ransomware attacks to organizations of all sizes, the Cybersecurity and Infrastructure Security Agency (CISA) announces today the establishment of the Ransomware Vulnerability Warning Pilot (RVWP).

• The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint CSA on Royal ransomware used by threat actors to target numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education.

• The National Security Agency, Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Health and Human Services, and Republic of Korea’s National Intelligence Service and Defense Security Agency released joint CSA on Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities.

• The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released advisory with guidance on how to use an ESXiArgs recovery script. Organizations that have fallen victim to ESXiARgs ransomware can use the script to attempt to recover their files. Other recommended mitigations are provided that all organizations should consider implementing.

• The Cybersecurity and Infrastructure Security Agency (CISA) released a Phishing Infographic to help protect both organizations and individuals from successful phishing operations, as well as a visual summary of how threat actors execute successful phishing operations.

• The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint CSA on Cuba ransomware to target a wide range of businesses and critical infrastructure sector organizations, including those in Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology.

• The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released joint CSA on Hive ransomware to target a wide range of businesses and critical infrastructure sector organizations, including those in the Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH) Sectors.

• The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released joint CSA on Daixin actors targeting healthcare and public health sector with ransomware since at least June 2022.

• This joint Cybersecurity Advisory details Iranian State Actors Conduct Cyber Operations Against the Government of Albania. CISA and the Federal Bureau of Investigation urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this advisory.

• This joint Cybersecurity Advisory details Iranian Islamic Revolutionary Guard Corps-affiliated cyber actors exploiting vulnerabilities for data extortion and disk encryption for ransom operations. CISA, the Federal Bureau of Investigation, National Security Agency, U.S. Cyber Command - Cyber National Mission Force (CNMF), Department of the Treasury, Australian Cyber Security Centre, Canadian Centre for Cyber Security, and United Kingdom’s National Cyber Security Centre urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this advisory.

• The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory on Vice Society actors disproportionately targeting the education sector with ransomware attacks as recently as September 2022.

• The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) on Zeppelin ransomware which has been identified through FBI investigations as recently as April 2022.

• The Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) published a Cybersecurity Advisory (CSA) that provides details on the 2021 top malware strains used by malicious cyber actors to covertly compromise and then gain unauthorized access to a computer or mobile device. The top malware strains in 2021 include remote access Trojans (RATs), banking Trojans, information stealers, and ransomware. Read the advisory to learn how to detect and protect against these and other cyber threats.

• This joint Cybersecurity Advisory (CSA) from CISA, FBI, and the U.S. Department of Treasury provides information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations. Learn about the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) of this threat.

• Malicious actors have used MedusaLocker ransomware in attacks as recently as May 2022. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) have released recommended actions, mitigations, and resources for organizations to use to protect against and respond to this cyber threat.

• Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months this year. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.

• Law enforcement and judicial authorities in Europe, the U.S., and Canada seized the web domains and server infrastructure of DoubleVPN. This is a virtual private network (VPN) service which provided a safe haven for cybercriminals to attack their victims. 

• After President Biden signed an executive order to improve the nation’s cybersecurity and protect federal government networks, Brandon Wales, Acting Director if the Cybersecurity and Infrastructure Security Agency (CISA) released a statement about the importance of this step forward after the recent ransomware attacks on the Colonial Pipeline.

• The Cybersecurity and Infrastructure Security Agency (CISA) and CYBER.ORG jointly announce a cyber safety video series to help those learning or working online take proactive steps to protect themselves and their business. The video series currently includes five videos that provide easy to understand cybersecurity concepts which include tips to avoid becoming a victim of a ransomware attack.

• The Cybersecurity and Infrastructure Security Agency (CISA) announces the Reduce the Risk of Ransomware Campaign, a focused, coordinated, and sustained effort to encourage public and private sector organizations to implement best practices, tools and resources that can help them mitigate this cybersecurity risk and threat.

• The Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing a joint Ransomware Guide meant to be a one-stop resource for stakeholders on how to be proactive and prevent these attacks from happening and also a detailed approach on how to respond to an attack and best resolve the cyber incident.

• A Romanian woman pleaded guilty to federal charges stemming from her role in a conspiracy to illegally access approximately 126 computers associated with Metropolitan Police Department (MPD) surveillance cameras, and to use those computers in connection with a scheme to distribute ransomware in January 2017.

• Iraninian nationals were charged with committing a sophisticated ransomware attack on the City of Atlanta in violation of the Computer Fraud and Abuse Act.

• A Russian national and organization BTC-e were indicted by a grand jury in Northern California for operating an unlicensed money service business, money laundering and related crimes. BTC-e was noted for its role in numerous ransomware and other cyber criminal activity, according to Special Agent in Charge of the USSS Criminal Investigative Division Michael D’Ambrosio.

• A criminal complaint and arrest warrants were unsealed charging two Romanian nationals with a conspiracy to illegally access approximately 123 computers associated with Metropolitan Police Department (MPD) surveillance cameras and to use those computers in connection with a scheme to distribute ransomware in January 2017.