Task force proposes framework for combatting ransomware

Ransomware, the “perfect crime” of the internet era, is spreading rapidly, growing according to some accounts by 150% or more in 2020. There are no signs of a slow-down in 2021. The average ransom demanded by attackers jumped 43% from Q4 2020 to Q1 2021 to $220,298 as threat groups target bigger and more vulnerable organizations, from police forces to hospitals to municipal school districts.

Two significant factors aid the inevitability of ransomware. The first is the ease with which cybercriminals can earn money from their ransomware endeavors. The second factor bolstering the ransomware market is the inability of law enforcement or government officials to do much of anything about these kinds of attacks.

Acknowledging that the ransomware problem has gone from bad to worse, the Biden administration’s Justice Department has launched a task force that reportedly targets the entire digital ecosystem that supports ransomware. That task force consists of the Justice Department’s criminal, national security, and civil divisions, the Federal Bureau of Investigation (FBI), and the Executive Office of US Attorneys, which supports the 93 top federal prosecutors across the country.

Now a 60-plus member coalition of volunteer experts from industry, government, law enforcement, insurers, international organizations, and other areas has put forth a comprehensive framework of 48 actions that government and industry can pursue to disrupt the ransomware market. The Ransomware Task Force, primarily organized by the Institute for Security and Technology, is issuing a report today called Combatting Ransomware, A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force.

Five priority ransomware recommendations stand out

Out of its 48 recommended actions, the task force identified five as “priority” recommendations:

1. Coordinated international diplomatic and law enforcement efforts must proactively prioritize ransomware through a comprehensive, resourced strategy, including using a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals.
2. The United States should lead by example and execute a sustained, aggressive, whole-of-government, intelligence-driven antiransomware campaign, coordinated by the White House. In the US, this must include:
   • The establishment of an interagency working group led by the National Security Council (NSC) in coordination with the nascent National Cyber Director
   • An internal US government joint ransomware task force
   • A collaborative, private industry-led informal ransomware threat focus hub
3. Governments should establish cyber response and recovery funds to support ransomware response and other cybersecurity activities, mandate that organizations report ransom payments, and require organizations to consider alternatives before making payments.
4. An internationally coordinated effort should be mounted to develop a clear, accessible and broadly adopted framework to help organizations prepare for and respond to ransomware attacks. In some under-resourced and more critical sectors, incentives (such as fine relief and funding) or regulation may be required to drive adoption.
5. The cryptocurrency sector that enables ransomware crime should be more closely regulated. Governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading “desks” to comply with existing laws, including know your customer (KYC), anti-money laundering (AML), and combatting financing of terrorism (CFT) laws.

Unlike many other types of cybercrime, ransomware poses a unique national security threat, imperiling lives with threats to critical infrastructure, risks to public health, diversion of vital public resources, loss of data and privacy, and disruption of schools and colleges, according to the report. The economic impact goes beyond the cost of the ransom and includes downtime and remediation, which can reach multiples of the absolute dollar amounts demanded.

Compounding the problem of ransomware is the role of insurance companies, which might inadvertently encourage more attacks by serving as backstops for organizations hit by ransomware attacks. To that end, the report lists ways the insurance industry can help, including driving baseline security requirements for insurability.

Relationship between ransomware and national governments a top focus

The task force is particularly interested in the relationship between ransomware and national governments. The report notes that “many ransomware criminals operate with impunity as their countries’ governments are unwilling or unable to prosecute this form of crime.” In contrast, in other cases, the ransomware attackers are state-sponsored.

“We haven’t really focused on the ransomware problem, either as a global community or a US community, as much as we need to,” Chris Painter of the Global Forum on Cyber Expertise Foundation Board and one of the Ransomware Task Force’s Working Group co-chairs, tells CSO. “I don’t think we have a good sense of the enormity of the costs. This rises to the level of nation-state threats [such as the recent SolarWinds hack].”

Although some developments are underway to help tackle the rising tide of ransomware, they’re not enough, Painter says. “There’s been a number of good actions against ransomware and ransomware targets. The Emotet take-down was one of them recently, some of the work that Europol has been doing through No More Ransom. All those things are great. But we don’t have a concerted approach to this where we’re really taking all the instruments we have both nationally and internationally and combining them to make this a priority and go after it. If we don’t do that, it’s only going to become worse.”

The task force’s ultimate goal is to make it difficult for cybercriminals to go after what is now easy money in ransomware assaults. “How do we make it more difficult for them? We raise the cost for these actors,” Painter says. “You go after how they make money, the cryptocurrency. We go after their infrastructure. The Emotet operation was one of those. You harden the targets and make this less profitable for the ransomware actors.”

International goals are key to reducing ransomware’s appeal

The international aspect of the task force’s operation is central to reducing ransomware’s attractiveness. “There are two parts of that to me,” Painter, who headed up the first cybersecurity office in the State Department under President Obama, says. “One is building coalitions with other countries to go after these actors, which has been done to some extent like the take-down of Emotet, but expanding on that and having this strategic international approach where you’re prioritizing it.”

According to Painter, the second part of tackling ransomware is to go after the safe havens of ransomware actors protected by their governments. “I think those safe havens fall into two categories. One is the category of countries that are not doing enough, or maybe not doing anything right now,” he says. “We should be able to work with those countries to do things like joint investigations, capacity building and incentivize them to think that this is important.”

“The tougher nut is how do you deal with countries who are either encouraging it or certainly don’t have any interest in cooperating. Russia has always been a tough nut in the past. In the same way, we’re trying to respond to Russia with respect to things like SolarWinds, we need to turn up the heat. We need to use whatever tools we have, which could be sanctions, but it could go beyond that.