By Mackenzie Gryder, with Ben Taylor
This blog is part of Gate 15’s Summer of Security: Ransomware Resilience Series, highlighting the essential considerations for organizational leaders and cybersecurity professionals.
The Importance of Information Sharing.
From 2018 to the present, a total of 661,183,010 ransomware attacks has been recorded, with an average ransom damage of $3,034,997. As the ransomware threat persists and grows in scale and complexity, information sharing has never been more important. Information sharing is a critical piece of collective defense, as it is impossible for any single organization to identify and mitigate all cyber attacks alone. In cybersecurity, effective information sharing will often include Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs), which can assist in threat identification and mitigation as well as incident response. Collaboration and information sharing can help detect patterns, uncover coordinated campaigns, and limit the spread of cyberattacks. They also foster a collective defense posture, where the security of one organization contributes to the protection of the broader community. In the words of Microsoft President Brad Smith, in his statement to Congress in the wake of the SolarWinds incident, “we will not solve this problem through silence.”
Is Sharing Information Safe?
Yes! That is, if you do it right. Before diving into the benefits of information sharing to boost resilience, we need to discuss two key elements that help facilitate the secure sharing of information. The Cybersecurity Information Sharing Act (CISA) of 2015, part of the larger Cybersecurity Act of 2015, is a US law that facilitates the sharing of cyber threat indicators and defensive measures between the private sector and the federal government, and among non-federal entities. This is important legislation to share within organizations, particularly with general counsel, to understand how sensitive information is protected.
Once an organization decides that it wants to share information, understanding the Traffic Light Protocol (TLP) is important for setting the parameters on how that information can be controlled when shared. TLP facilitates the efficient dissemination of information in a way that is controlled by the original information owner. TLP categories span from TLP:CLEAR, which means the information can be openly shared with the world, to TLP:RED, which indicates the information cannot go beyond the original recipient. Information sharing communities may refine TLP to best suit the needs and interests of their members.
Why Sharing Works.
Information sharing enhances threat detection, speeds up incident response, and creates a richer understanding of evolving threats. Some of the core benefits include:
- Pattern recognition: Shared reports help identify trends across regions, sectors, and even specific types of targets (e.g., CFOs), revealing coordinated attacks or emerging ransomware variants.
- Faster mitigation: Timely IOC and TTP disclosure enables peers to block malicious IPs, detect lateral movement, and reinforce defenses before being compromised.
- Public-private partnerships: By collaborating with entities like the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and state and local fusion centers, organizations contribute to national threat awareness and resilience and may receive valuable resources (from briefings to ransomware decryptors) and assistance as well.
- Community trust: Sharing fosters a sense of solidarity and mutual support, especially among sector-based organizations, regional partnerships, and small business coalitions.
When information sharing has been successful.
Information sharing has proven successful in several high-profile incidents, including during the 2017 WannaCry ransomware attack. Security researchers quickly identified a “kill switch” that stopped the spread, and within a day various Information Sharing & Analysis Centers (ISACs) and national Computer Emergency Response Teams (CERTs) began issuing alerts and Indicators of Compromise (IOCs). While WannaCry showed the positives of information sharing, it also highlighted the importance of acting on intelligence. Nearly two months before the attack, Microsoft released a patch for the vulnerability. Unfortunately, many organizations failed to recognize the urgency of the patch or had difficulty updating legacy systems.
In a recent interview with Information Security Media Group, Magnus Jelen, lead director of incident response for the U.K. and EMEA at Coveware/Veeam, attributed the increase in law enforcement takedowns of ransomware groups to “affected companies sharing information with law enforcement, which is a key factor.”
Additional considerations for effective information sharing.
- Establish relationships during steady-state operations in order to build trust.
- Formalize information sharing within your organization’s culture and consider codifying the relationship with your industry’s ISAC into company response plans.
- Assign responsibility: Give someone (or “someones”) in the organization responsibility to ensure information sharing occurs with designated partners. Give them the charge, the authority, the processes and the tools to make information sharing happen.
- Provide context: If able, in addition to any identifiable IOCs and TTPs, help explain what happened – how and why. Include the timeline, tools used by threat actors, response measures taken, and any lessons learned.
- Be timely: Time is critical. The faster information is shared, the more likely others can act on it to prevent similar attacks and breaches.
- Engage continuously: Information sharing is not a one-time event. Make it part of your incident response playbook and stay connected to sharing communities year-round.
Insights from our Weekly Ransomware Report.
Each week we publish our Weekly Ransomware Report (along with other all-hazards reports) through Gate 15’s Resilience and Intelligence Portal (GRIP). Contact us if you are interested in receiving the full report. Highlights from this week include:
- Most Active Threat Actors (victim number): DragonForce (4), Qilin (2), Play (2), and SAFEPAY (2).
- Data Leaked: Place Homes, Inc., Construction, United States. A threat actor published sensitive data belonging to Place Homes, Inc., a U.S.-based construction firm, on a darknet data-leak site monitored by eCrime.ch, exposing company or client information without authorization.
- Hy-Vee, Inc., Retail, United States. A threat actor deployed malware on Hy‑Vee’s point‑of‑sale systems at fuel pumps, drive‑thru coffee shops, Market Grilles, Wahlburgers, and its corporate cafeteria, harvesting names, card numbers, expiration dates, and security codes.
Coming Up Next: “Lock It Down: Why MFA Isn’t Optional Anymore.”
Why it matters: Multi-Factor Authentication (MFA) is one of the simplest and most effective tools to stop attackers from walking through your digital front door. Implementing MFA across all systems reduces the risk of unauthorized access, making it more difficult for attackers to gain control of sensitive accounts. It’s a simple yet highly effective defense against credential-based attacks often used in ransomware incidents.
Gate 15 has worked across the Critical Infrastructure environment to develop cybersecurity plans and tabletop exercises for trade associations and owner/operators. We are pleased to offer 10% off ransomware exercises to new clients that are booked before 30 September 2025. Send us an email and mention this blog, and let’s discuss how to boost your organizational resilience together.
Join the GRIP! Stay informed of what’s new in all-hazards homeland security by joining Gate 15’s Resilience and Intelligence Portal (GRIP). Join the GRIP! and join us in securing America’s people, places, data, and dollars. To join the GRIP, click the link above or here, scroll down and select the “Join the Grip!” button, or email our team at Gate15@Gate15.global.
Gate 15: Technology-enhanced, human-driven, homeland security risk management.

Understand the Threats.
Assess the Risks.
Take Action.