The practice of cybersecurity is ever-changing, marked by a continual dance between the attackers and the defenders. Each side is in a constant state of adaptation, reacting to the strategies of the other. The ongoing evolution of ransomware cybercrime is a prime illustration of this dynamic.

Historically, ransomware attacks were somewhat isolated events. Today, they have morphed into coordinated global threats that target essential infrastructure, seeking substantial ransoms. The audacious attack on UnitedHealth by the BlackCat/ALPHV ransomware gang in February 2024 emphasizes acute vulnerabilities within vital sectors and showcases the insolent nature of these cybercriminals. 

It would make sense to assume that these two operations were among the efforts carried out by the International Counter Ransomware Task Force (ICRTF). The ICRTF was formally established in January 2023, as part of the White House-led International Counter Ransomware Initiative (CRI), bringing together policy, law enforcement and operational agencies from around the world with a shared desire to defend against and disrupt ransomware, while building resilience against malicious cyber actors. To disrupt ransomware, the members aim to alter the current cost-reward-risk equation of cybercriminals. By increasing the cost of attacks (e.g., as a result of the need to recover damaged infrastructures), reducing the reward (e.g., through restrictions on ransom payments) and elevating the risk of legal consequences (e.g., through international law enforcement cooperation), the initiative seeks to undermine the currently lucrative ransomware business model. 

Strategic campaigns significantly impact the overall strategic environment, often forcing adversaries to reevaluate and alter their schemes and approach. The ICRTF campaign is no different: as the current implementation changes the cost-reward-risk equation, it is possible that the cybercriminals will shift from few large-scale, high-stake ransomware attacks to a broader array of smaller-scale attacks. This strategic adjustment would be a calculated move by cybercriminals to reduce the costs and risks while compensating for the lower ransomware reward with quantity. The logic behind this focus is simple: they represent the low-hanging fruit with the least resistance.

This evolution could pose an increased risk to smaller organizations, which often have less robust cybersecurity defenses, making them attractive targets for ransomware gangs. If this shift occurs, it will eventually require a shift in the CRI’s focus towards the implementation of stringent cybersecurity protocols in small companies, including embracing basic cybersecurity practices and promoting a culture of security awareness across the board.

For now, there are four actions small and midsize organizations can take now to bolster their security posture against ransomware:

1. Raise awareness through training and education: Empower employees with knowledge on identifying phishing emails and suspicious links, as they are often the first line of defense against ransomware.
2. Keep systems updated: Regularly update all software to patch vulnerabilities that could be exploited by ransomware attackers.
3. Back up data: Implement a robust data backup strategy, ensuring backups are performed regularly and stored in a secure, off-site location or in cloud services. This reduces the impact of data loss in case of an attack.
4. Prepare an incident response plan: Formulate an incident response plan that includes specific procedures for ransomware attacks. This plan should detail roles and responsibilities, communication protocols and recovery processes to be efficiently activated in the event of an attack.