Last year, approximately 1,750 organizations were alerted by CISA regarding potential ransomware vulnerabilities, with merely half taking any subsequent action.

Over fifty percent of ransomware vulnerability warning alerts issued by CISA were sent to government institutions, healthcare providers, and public health organizations.

The Cybersecurity and Infrastructure Security Agency (CISA) has been sending ransomware vulnerability warnings to critical infrastructure organizations since 2023, yet available data suggests that these organizations are still facing significant challenges in mitigating ransomware risks effectively after receiving these warnings.

In 2023, CISA sent 1,754 ransomware vulnerability warnings to critical infrastructure organizations across various sectors, including energy, financial services, transportation, critical manufacturing, and IT. One-quarter of these alerts were sent to healthcare and public health organizations. However, only 852 of the 1,754 organizations that received warnings took action to mitigate vulnerable devices in their systems.

The continued rise in exploitation of known vulnerabilities, key entry points for ransomware, suggests incomplete patching and mitigation among critical infrastructure organizations. For example, vulnerability exploitation was the initial access method in 20% of breaches in 2025, with an increasing trend of attacks exploiting unpatched flaws.

Ransomware attacks on industrial operators surged 46% in early 2025, while healthcare organizations experienced a 53% success rate for ransomware attacks despite ongoing warnings and risk advisories. This indicates that while CISA is proactive in identifying and communicating cybersecurity risks and vulnerabilities, many organizations are struggling to fully remediate after receiving warnings.

CISA conducts proactive threat hunts and issues advisories, but it does not publicly track or disclose how many organizations fully remediate after receiving warnings. One recent CISA threat hunt found no active threat actor presence but multiple cybersecurity risks that could be exploited, indicating that warning issuance often identifies issues before exploitation.

Jason Soroko, a cybersecurity expert, expressed disappointment about critical infrastructure organizations lagging behind their enterprise counterparts in dealing with security controls. He stated that it is going to be a long road to correcting the lack of focus on security controls in critical infrastructure organizations.

Critical infrastructure organizations can run into serious roadblocks when implementing security controls that complicate uptime guarantees. Internet devices and services can also be ephemeral, and the analysis of CISA's ransomware vulnerability warnings may not account for devices that are online during one scan, offline during the next, and online again at a later date.

The efforts of CISA and the Joint Ransomware Task Force are not magic solutions, but they play a significant role in reducing the number of attacks. Without these efforts, the number of attacks would be much higher. However, a precise metric for post-warning remediation success rate is not publicly reported, underscoring a gap in publicly available outcome data from CISA advisories.

Corporate stakeholders want to better understand the risk calculus of their technology stacks, specifically whether they are a potential target. Emily Austin, principal security researcher at Censys, stated that it's difficult to broadly gauge the success of CISA's RVWP effort thus far without knowing more underlying measurements.

In summary, while CISA provides warnings and assists in identifying vulnerabilities, the available data indicates that critical infrastructure organizations still face significant challenges in mitigating ransomware risks effectively after warnings. Attack success rates remain high in critical sectors, suggesting room for improvement in implementing recommended mitigations post-warning.

  • Despite CISA's proactive efforts in identifying and communicating cybersecurity risks and vulnerabilities, many critical infrastructure organizations are still struggling to fully remediate after receiving ransomware vulnerability warnings.
  • The continued rise in exploitation of known vulnerabilities among critical infrastructure organizations indicates incomplete patching and mitigation, with ransomware attacks still causing significant challenges in sectors like healthcare and industrial operations.
  • Corporate stakeholders are pressing for a clearer understanding of the post-warning remediation success rate, as they seek to better comprehend the risk calculus of their technology stacks and assess whether they are potential targets for ransomware attacks.