More than 60 experts from industry, government, law enforcement, civil society and international organizations have worked together to develop a comprehensive framework, breaking down siloed approaches and advocating for a unified, aggressive, comprehensive, public-private anti-ransomware campaign.
The 81-page report, "A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force," includes 48 recommendations that together form a comprehensive framework to address ransomware. The report was delivered to the Biden administration this week. Among those, these priority recommendations are the most foundational and urgent, and many of the other recommendations were developed to facilitate or strengthen these core actions.
- Coordinated, international diplomatic and law enforcement efforts must proactively prioritize ransomware through a comprehensive, resourced strategy, including using a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals.
- The United States should lead by example and execute a sustained, aggressive, whole-of-government, intelligence-driven anti-ransomware campaign, coordinated by the White House. This must include the establishment of 1) an Interagency Working Group led by the National Security Council in coordination with the nascent National Cyber Director; 2) an internal U.S. Government Joint Ransomware Task Force; and 3) a collaborative, private industry-led informal Ransomware Threat Focus Hub.
- Governments should establish Cyber Response and Recovery Funds to support ransomware response and other cybersecurity activities; mandate that organizations report ransom payments; and require organizations to consider alternatives before making payments.
- An internationally coordinated effort should develop a clear, accessible, and broadly adopted framework to help organizations prepare for, and respond to, ransomware attacks. In some under-resourced and more critical sectors, incentives (such as fine relief and funding) or regulation may be required to drive adoption.
- The cryptocurrency sector that enables ransomware crime should be more closely regulated. Governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading “desks” to comply with existing laws, including Know Your Customer (KYC), Anti-Money Laundering (AML), and Combating the Financing of Terrorism (CFT) laws.
The strategic framework aims to help policymakers and industry leaders take system-level action — through potential legislation, funding new programs, or launching new industry-level collaborations — that will help the international community build resistance, disrupt the ransomware business model, and develop resilience to the ransomware threat.
The framework is organized around four goals: deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; disrupt the ransomware business model and reduce criminal profits; help organizations prepare for ransomware attacks; and respond to ransomware attacks more effectively. "These goals are interlocking and mutually reinforcing. For example, actions to disrupt the ransomware payments system will decrease the profitability of ransomware, thereby helping to deter other actors from engaging in this crime. Thus, this framework should be considered as a whole, not merely a laundry list of disparate actions," the report says.
Here's what security experts had to say about this initiative.
Anthony Pillitiere, Co-Founder and CTO at Horizon3.AI:
This hits at the heart of the matter in cybersecurity... the economics of an attack. While I believe this is a great step, it's a bit late in the game. Criminals are already seeing that the "don't pay" message is starting to stick, as only 27% of victims are paying. As the money dries up, a new tactic of "breach-as-a-service" is growing in popularity. Criminals are taking a lesson from the gold rush - once the peak is hit, you can generate a longer-term revenue stream from selling pickaxes to the laggards. The 2021 DBIR analysis shows that credential and brute force attacks are the source of 80% of breaches. Organizations need to focus on the fundamentals of security, which includes good IDAM hygiene, continuous assessment, and the adoption of a purple culture - using offensive actions to inform defensive actions and focus efforts on the issues most likely to impact business first.
Tyler Shields, CMO at JupiterOne:
Targeting the financial side of the equation will help quite a bit. That model is really focused on what happens after the breach and once the target has been compromised. While there is a lot of value in frustrating criminals with money tracing and tracking and locking down the funds, a prevention strategy must also be employed. Making sure that potential targets of ransomware have visibility into their cyber universe - what exists, where it exists, and whether it's properly secured - goes a long way to making ransomware attacks more difficult. At the end of the day, nothing will completely stop these attacks and we can primarily hope to raise the bar of difficulty to an unmanageable level.
Douglas Murray, CEO at Valtix:
The threat landscape is an ever-evolving and critical matter for both the public and private sector. This is challenging because it requires cooperation across multiple companies in the private sector […many of which compete with each other], as well as various governments, to come together to solve. While incredibly complex, we have to get this right and in real time as newer ransomware is detected anywhere around the globe. We need to protect our infrastructure, while upsetting the bad actors' business model. This threat feed can be ingested by security services to allow government and enterprises to appropriately respond to these attacks. Urgency here is critical.
Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT):
It is time to have such an initiative in place. It was surely propelled by the recent developments with Emotet (which was used to drop various ransomware strains) and the takedown of web shells that the initiators of the task force do think they can make that move. It will be more a question of convincing lawmakers across the globe to actually join that coalition, to work out or improve their own country’s legal frameworks, so that ransomware gangs can effectively be prosecuted or at least the market structure is changed so much that they get frustrated and leave that business. That is by all means not a sprint. It will be interesting to see whether they can get a large number of nations to join that coalition. There is also a good chance that crypto-currencies will label this initiative as a bait to get regulations for their markets in place. The idea to ‘create a Ransomware Response Fund to support victims in refusing to make ransomware payments’ is astonishing at first sight. By instinct one would ask why, as the victim wasn’t able to secure their systems and network properly so they got caught. But that would reject the notion that there is no such thing as 100% security.