Official Alerts & Statements - CISA

Official CISA updates to help stakeholders guard against the ever-evolving ransomware threat environment. These alerts, current activity reports, analysis reports, and joint statements are geared toward system administrators and other technical staff to bolster their organization's security posture. 

  • Alert (AA21-265A): Conti Ransomware
    • CISA, FBI, and NSA published a joint advisory on Conti ransomware with technical details, adversary behavior mapped to MITRE ATT&CK and recommended mitigations. CISA and the FBI have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations to steal files, encrypt servers and workstations, and demand a ransom payment.
  • Current Activity: CISA Insights: Guidance for MSPs and Small- and Mid-sized Businesses
  • Current Activity: CISA Issues Emergency Directive on Microsoft Windows Print Spooler
  • Current Activity: Kaseya Ransomware Attack: Guidance and Resources
  • Current Activity: SolarWinds Releases Advisory for Serv-U Vulnerability
    • On July 13, SolarWinds released an advisory addressing a vulnerability—CVE-2021-35211—affecting Serv-U Managed File Transfer and Serv-U Secure FTP. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Note: this vulnerability does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products.
  • Fact Sheet: Rising Ransomware Threat to Operational Technology Assets
    • A fact sheet for critical infrastructure owners and operators detailing the rising threat of ransomware to operational technology (OT) assets and control systems. The document includes several recommended actions and resources that critical infrastructure entities should implement to reduce the risk of this threat.
  • Current Activity: Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware 
    • On May 19, a downloadable STIX file of indicators of compromise (IOCs) was added to the advisory to help network defenders find and mitigate activity associated with DarkSide ransomware. 
  • Alert (AA21-131A): DarkSide Ransomware 
    • CISA and FBI are aware of a ransomware attack affecting a critical infrastructure (CI) entity, a pipeline company, in the United States. Malicious cyber actors deployed DarkSide ransomware, a ransomware-as-a-service (RaaS) variant, against the pipeline company's information technology (IT) network. This joint advisory provides technical details on the DarkSide actors, some of their known tactics and preferred targets, and recommended best practices for preventing business disruption from ransomware attacks.
  • Analysis Report (AR21-126A): FiveHands Ransomware
    • Recently, threat actors successfully launched a cyberattack against an organization using a new ransomware variant, which CISA refers to as FiveHands. The actors used publicly available penetration testing and exploitation tools, FiveHands ransomware, and SombRAT remote access trojan (RAT), to steal information, access credentials, obscure files, and demand a ransom from the victim. In addition to mitigation recommendations, this report provides the tactics, techniques, and procedures the threat actors used as well as indicators of compromise (IOCs).
  • Alert (AA21-076A): TrickBot Malware
    • CISA and FBI have observed continued sophisticated spearphishing campaigns using TrickBot malware in North America. Cybercrime actors are luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot, a Trojan first identified in 2016. Attackers can use TrickBot to drop other malware, such as Ryuk and Conti ransomware, or serve as an Emotet downloader. 
  • Current Activity: SMB Security Best Practices
    • In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. This service is universally available for Windows systems, and legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems. The Current Activity includes recommendations for users and administrators. 
  • Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
    • Ransomware attacks against kindergarten through twelfth grade (K-12) educational institutions continue to be reported to CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC). According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July. In response to this ransomware threat and other malicious cyber activity (such as data theft and disruption of distance learning), CISA, the FBI, and the MS-ISAC published a joint advisory that provides an assessment of recent attempts by malicious cyber actors to target K-12 educational institutions and how to mitigate these cyber-attacks.
  • Alert (AA20-302A): Ransomware Activity Targeting the Healthcare and Public Health Sector
    • Joint cybersecurity advisory from CISA, the FBI, and the Department of Health and Human Services (HHS), describing the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.
  • Alert (AA20-183A): Defending Against Malicious Cyber Activity Originating from Tor
    • This advisory—written by CISA with contributions from the FBI—highlights risks associated with Tor, along with technical details and recommendations for mitigation. 
  • Alert (AA20-107A): Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
    • This Alert provides an update to CISA Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability, which advised organizations to immediately patch CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure virtual private network (VPN) appliances.
  • Alert (AA20-106A): Guidance on the North Korean Cyber Threat
    • This advisory from the U.S. Departments of State, the Treasury, and Homeland Security, and the FBI is a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public, and it provides recommended steps to mitigate the threat. 
  • Joint Statement: U.K. and U.S. Security Agencies Issue COVID-19 Cyber Threat Update
    • A joint advisory by the UK’s National Cyber Security Centre (NCSC) and CISA shows that cyber criminals and advanced persistent threat (APT) groups are targeting individuals and organizations with a range of ransomware and malware.
  • Alert (AA20-099A): COVID-19 Exploited by Malicious Cyber Actors
    • This joint alert from the CISA and the United Kingdom’s National Cyber Security Centre (NCSC) provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. 
  • Alert (AA20-049A): Ransomware Impacting Pipeline Operations
    • This CISA advisory encourages asset owners and operators across all critical infrastructure sectors to review the threat actor techniques it describes and ensure the corresponding mitigations are applied.
  • Alert (AA20-010A): Continued Exploitation of Pulse Secure VPN Vulnerability
    • Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix an arbitrary file reading vulnerability, known as CVE-2019-11510, can become compromised in an attack. 
  • Alert (AA19-339A): Dridex Malware
    • This joint U.S. Department of Treasury and CISA alert informs the financial services sector about the Dridex malware and variants. 
  • Joint Statement: CISA, MS-ISAC, NGA & NASCIO Recommend Immediate Action to Safeguard Against Ransomware Attacks
    • CISA along with the Multi-State Information Sharing and Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) issued this joint statement to their State, local, territorial and tribal government partners, to take essential actions to enhance their defensive posture against ransomware. 
  • Alert (AA18-337A): SamSam Ransomware
    • DHS and the FBI issued this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. 
  • Alert (TA18-201A): Emotet Malware
    • This joint Technical Alert (TA) from DHS and the Multi-State Information Sharing & Analysis Center (MS-ISAC) examines Emotet, an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans.
  • Alert (TA17-181A): Petya Ransomware
    • This Alert reflects the U.S. Government's public attribution of the "NotPetya" malware variant to the Russian military.
  • Alert (TA17-132A): Indicators Associated With WannaCry Ransomware
    • This Alert reflects the U.S. Government's public attribution of the "WannaCry" malware variant to the North Korean government.
  • Alert (TA16-091A): Ransomware and Recent Variants
    • DHS, in collaboration with the Canadian Cyber Incident Response Centre (CCIRC), released this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate ransomware.
  • Alert (TA14-295A): Crypto Ransomware 
    • This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in coordination with DHS to provide further information about crypto ransomware, specifically to present its main characteristics, explain the prevalence of ransomware and the proliferation of crypto ransomware variants, and provide prevention and mitigation information.
  • Alert (TA13-309A): CryptoLocker Ransomware Infections
    • This Alert from US-CERT provides recommendations to users and administrators to take preventative measures to protect their computer networks from a CryptoLocker infection.