
CISA's Pre-Ransomware Notification and You

Since late 2022, CISA has conducted more than 4,300 pre-ransomware notifications, potentially preventing an estimated $9 billion in economic damage.

Authored by Mari DeGrazia

On August’s SANS Stay Ahead of Ransomware livestream, we hosted Dave Stern from CISA to discuss the agency’s Pre-Ransomware Notification initiative. This program represents a critical evolution in defending against ransomware attacks, shifting from reactive response to proactive prevention through community collaboration and rapid notification. 

The Power of Early Warning 

Dave Stern, who has been with CISA for over a decade, working primarily with state-level governments, shared impressive metrics about the initiative's impact. Since late 2022, CISA has conducted more than 4,300 pre-ransomware notifications, potentially preventing an estimated $9 billion in economic damage. The initiative leverages information from security researchers and industry partners who identify early-stage ransomware activity. 

What makes this program particularly effective is its speed. CISA can notify potential victims in less than an hour, and most notifications happen the same day the intelligence is received. This rapid response is important, as modern ransomware operators can achieve domain admin control in as little as eight or nine minutes after initial access. 

Common Attack Vectors and Vulnerabilities 

During our discussion, Dave outlined the primary attack vectors CISA observes in their notifications: 

  • Social Engineering: Particularly impersonation of IT staff over phone applications, with threat actors increasingly using AI to craft more convincing phishing messages in multiple languages. 
  • Internet-Facing Vulnerabilities: Especially VPNs and, more recently, Microsoft SharePoint vulnerabilities tied to nation-state actors. 
  • Malvertising: Abuse of search engine optimization to deliver impostor executables masquerading as legitimate applications. 
  • Adversary-in-the-Middle Phishing Kits: Sophisticated phishing-as-a-service kits that proxy the victim's login and capture session tokens, defeating multi-factor authentication. 

These observations align with what we teach in FOR528: ransomware actors predominantly exploit known vulnerabilities rather than zero-days. Dave emphasized that CISA's free vulnerability scanning service flags vulnerabilities known to be exploited in ransomware attacks, providing prioritization guidance for overwhelmed security teams. 

Building Trust Through Collaboration 

We also covered why security researchers voluntarily share intelligence with CISA. Dave highlighted several key factors: 

  • Altruistic Motivation: Researchers want to help protect organizations and the broader community. 
  • Respect for Sharing Restrictions: CISA adheres strictly to Traffic Light Protocol (TLP) and other confidentiality requirements. 
  • Feedback Mechanisms: CISA provides researchers with anonymized feedback about the outcomes of their shared intelligence. 

This collaborative approach extends internationally; CISA has sent notifications to over 60 national CERTs concerning affected entities in their jurisdictions. 

Challenges in Notification and Response 

We also discussed real-world challenges CISA faces when notifying potential victims. Some organizations are skeptical, thinking the outreach might be a scam. Dave noted this often reflects the maturity level of an organization's security program—specifically, whether it can quickly internalize and act on external threat intelligence. 

Dave shared several practical tips: 

  • Know your regional CISA Cybersecurity Advisor (contact CISA Central if you don't). 
  • Maintain current WHOIS information and consider implementing a security.txt file on your website along with security TXT records for your domain (something I had not heard of before!). 
  • Maintain an incident response plan that involves senior management and is regularly exercised. 
  • Properly scope incidents—don't treat a malware infection as an isolated event when it could indicate broader identity compromise. 
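The security.txt tip above is worth making concrete: a notifier like CISA needs a contact that is actually current, and RFC 9116 requires a `Contact` field and an `Expires` field so stale files can be recognised. The following added example (my own illustration, not code from the livestream, CISA, or SANS) parses a constructed security.txt file and checks the fields a notifier would rely on. The sample organisation, addresses, and dates are constructed; the DNS TXT record variant mentioned in the tip is not covered here.

```python
"""Check a security.txt file (RFC 9116) for the fields a notifier would need.
Added example, not code from the post or from CISA."""
from datetime import datetime, timezone

# Constructed sample of the file that would be served at
# https://example.com/.well-known/security.txt (not a real organisation).
SAMPLE_SECURITY_TXT = """\
# Constructed example security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report-vulnerability
Expires: 2026-12-31T23:59:00Z
Preferred-Languages: en, es
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample with two common defects: no Expires, bare e-mail address.
BROKEN_SECURITY_TXT = """\
Contact: security@example.com
Preferred-Languages: en
"""

REQUIRED_FIELDS = ("Contact", "Expires")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Return {field_name_lowercased: [values]}.
    Comments (#) and blank lines are ignored; field names are case-insensitive
    per RFC 9116, so they are normalised to lower case."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_iso(value):
    # Python < 3.11 does not accept a trailing 'Z' in fromisoformat().
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_security_txt(text, now_iso=None):
    """Return a list of problems; an empty list means the file is usable.
    now_iso lets a caller (or a test) fix the reference time."""
    now = _parse_iso(now_iso) if now_iso else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for req in REQUIRED_FIELDS:
        if req.lower() not in fields:
            problems.append(f"missing required field {req}")
    for contact in fields.get("contact", []):
        # RFC 9116 requires Contact to be a URI; a bare address is ambiguous.
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(
                f"Contact value is not a mailto:/https:/tel: URI: {contact}")
    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear only once")
    for value in expires:
        try:
            when = _parse_iso(value)
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {value}")
            continue
        if when <= now:
            problems.append(f"security.txt expired on {value}")
    return problems


if __name__ == "__main__":
    for label, content in (("sample", SAMPLE_SECURITY_TXT),
                           ("broken", BROKEN_SECURITY_TXT)):
        print(label, check_security_txt(content) or "OK")
```

Run it periodically (for example from the same job that renews certificates) so an expired `Expires` or a decommissioned mailbox is caught before an outside party needs the file.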

Making Ransomware Unsustainable 

Throughout our conversation, we emphasized strategies to make the ransomware business model unsustainable. Beyond CISA's official stance of not recommending payment (noting that there's no guarantee of data recovery or deletion even after paying), Dave stressed the importance of sharing anonymized feedback with CISA. This information doesn't just help the government—it's "crowdsourced" to help protect future potential victims. 

Learning More and Looking Forward 

To learn more, watch the August 2025 episode of the SANS Stay Ahead of Ransomware livestream. 

You can also review the SANS Stay Ahead of Ransomware livestream playlist on YouTube.

Join us next month on the first Tuesday at 1:00 PM Eastern for our next livestream, and check out upcoming SANS training events, including FOR528: Ransomware and Cyber Extortion, where we dive into the technical details of preventing, detecting, and responding to these attacks.