March 21, 2023 | Policy Brief

Washington Steps Up Anti-Ransomware Efforts, Again

The Cybersecurity and Infrastructure Security Agency (CISA) announced a new pilot program last week to warn critical infrastructure operators about vulnerabilities in their systems that ransomware actors regularly exploit. The initiative demonstrates the Biden administration’s continued commitment to combat ransomware against the private sector.

The purpose of CISA’s Ransomware Vulnerability Warning Pilot (RVWP) is to help companies identify and fix vulnerabilities on their networks that may have eluded them. The program uses CISA’s existing services, data sources, technologies, and authorities to identify the security vulnerabilities that ransomware actors are using and find internet-connected devices susceptible to attack. CISA regional staff then email and call the affected companies.

The pilot’s first operation notified 93 organizations that their internet-facing Microsoft Exchange servers were vulnerable to “ProxyNotShell” (CVE-2022-41040 and CVE-2022-41082). CISA’s notification included recommendations on how to fix affected systems. Microsoft had issued a patch in November 2022, but ransomware actors — including the new “Play” or “PlayCrypt” group — have continued to target systems that remain unpatched, including servers whose operators applied Microsoft’s interim URL-rewrite mitigation in place of the patch; the mitigation alone does not close the flaw. Play was responsible for a ransomware attack in December against the Texas-based cloud computing company Rackspace that shut down email service for thousands of Rackspace customers.

Building on other anti-ransomware efforts, CISA established the new pilot consistent with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Since President Biden signed the legislation in March 2022, much of the policy discussion has focused on the statute’s requirements that critical infrastructure owners and operators report cyber incidents to the U.S. government. But the law also authorizes new government efforts, like the RVWP, in order to provide better information and support to private industry and to improve coordination between government agencies through the establishment of the Joint Ransomware Task Force, led by CISA and the Federal Bureau of Investigation (FBI).

Indeed, the FBI has undertaken a parallel push to combat ransomware. Two days after CISA’s announcement, the FBI and international partners disabled a cryptocurrency mixer, ChipMixer, that cybercriminals had been using to launder ransomware payments and other illicit funds. This was another step in a series of Justice Department efforts to disrupt ransomware actors by arresting individuals and seizing digital infrastructure.

The activities of CISA and the FBI align with the Biden administration’s new National Cybersecurity Strategy, which commits to “bolstering critical infrastructure resilience to withstand ransomware” and “using law enforcement and other authorities to disrupt ransomware infrastructure and actors.”

It is too early to judge whether CISA’s pilot will actually reduce vulnerabilities and enhance resilience. To succeed, CISA likely also needs to provide technical support to notified companies. If notified companies are indeed unaware of the exposed, unpatched services on their internet-facing devices, they probably also lack the technical workforce to patch them, verify the fix, and check whether the weakness was already exploited. The staff of CISA’s regional offices, however, are not currently equipped to provide the kind of follow-on support these companies will need to act on an RVWP notification.

CISA’s proposed fiscal year 2024 budget delineates $98 million to support the implementation of CIRCIA and $177.6 million for additional critical infrastructure security efforts “through risk management and collaboration with the critical infrastructure community.” CISA — and its congressional overseers — should ensure the agency uses the funds not just to ingest data and churn out notifications but to actually help critical infrastructure owners and operators — particularly small and mid-sized companies — become more resilient.

Annie Fixler is the director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD) and an FDD research fellow. Elysse Gregor is a CCTI intern. For more analysis from the authors and CCTI, please subscribe HERE. Follow Annie on Twitter @afixler. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.