- The Washington Times - Wednesday, June 28, 2023

The federal government’s leading domestic cyber agency said Wednesday it has warned hundreds of entities about looming ransomware attacks before they occurred, which enabled people to prevent getting victimized.

Ransomware gangs have ripped through American computer networks during President Biden’s tenure, particularly affecting critical infrastructure targets including healthcare, gas pipelines and government systems.

The Cybersecurity and Infrastructure Security Agency is in the early stages of implementing new programs to warn people about cyberattacks inside networks and vulnerabilities in devices that are likely to be exploited.

CISA executive director Brandon Wales said Wednesday that his agency has leveraged relationships with cybersecurity companies to gather the information it uses to alert people that they are in hackers’ crosshairs before a cyberattack starts.

“In this calendar year alone, we’ve done over 430 pre-ransomware notifications, both in the United States and including some overseas working with our international partners,” Mr. Wales said at a Cipher Brief summit.

Mr. Wales cited Equifax, the consumer credit reporting company, as a beneficiary of CISA’s new notifications.

Smaller institutions and those without robust digital defenses have sometimes suffered permanent consequences from the recent spate of ransomware attacks. For example, St. Margaret’s Health, a rural hospital network in Illinois, closed its doors earlier this month and cited a cyberattack as a factor contributing to its demise.

The ransomware warning system is brand new and the jury is still out on how well it works. However, the Biden administration’s track record of defending the country against cyberattacks has been spotty at best.

During the Cipher Brief summit, Mr. Wales touted CISA’s notifications as a new tool that has proven tremendous at making the difference between shuttering schools and disrupting hospitals.

Since the Russia-linked DarkSide ransomware gang hit major U.S. fuel supplier Colonial Pipeline in 2021, however, hacks and breaches spreading from Russia-linked cyber gangs have persisted.

The latest Russia-linked ransomware crew wreaking havoc in the U.S. is Cl0p, which started exploiting a vulnerability in Progress Software’s MOVEit managed file transfer solution last month, according to the FBI and CISA.

The gang has victimized 134 organizations as of Wednesday, according to Emsisoft threat analyst Brett Callow. The victims included more than a dozen state and federal government targets. The Department of Energy and state networks for Illinois and Missouri are among the known victims.

Mr. Wales said his agency has made 26 notifications of vulnerabilities to entities in the U.S. about the MOVEit conundrum and plans to “probably do another 80 to 90 in the next round of notifications in the next seven days.”

“We have the ability to both think strategically about how to use this but also how to pivot fast when we need to,” Mr. Wales said.

Mr. Callow said more than 15 million people’s data is affected by the Cl0p breaches, though only eight of the 134 victimized organizations he has tracked have confirmed how many individuals were affected.

Details about Cl0p’s identity are hazy. In 2021, the Health and Human Services Department published an analyst’s note linking Cl0p to a cyber threat group believed to operating from somewhere within the Commonwealth of Independent States, including former Soviet Union countries.

The State Department offered a reward of up to $10 million earlier this month for information linking the Cl0p ransomware gang to a foreign government.

Clarification: After publication, CISA said its executive director, Brandon Wales, misspoke at the Cipher Brief summit and misidentified the consumer credit reporting agency that benefited from an early warning about a ransomware attack.  The credit agency was Equifax.

• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.

Copyright © 2024 The Washington Times, LLC. Click here for reprint permission.

Please read our comment policy before commenting.