Ransomware Task Force Update : a Look at the Comprehensive Plan
Based on the input of at least 60 major stakeholders in the tech industry, the new report includes more than 50 high-level recommendations that, if implemented, would provide a cohesive action plan for private and public entities to combat the problem of ransomware.
That cooperation, between governments and the private section on an international level, may actually be the most challenging aspect of the report to implement. But nonetheless, this is a solid foundation that will hopefully pave the way for more robust counterattacks against the worst cyberthreat today.
Here’s a breakdown of what’s in the Ransomware Task Force update and why it matters.
The work of the Ransomware Task Force (RTF) began in December 2020, pulling together a wide range of experts in cybersecurity, disaster recovery and other industries. Involved parties have been drawn from government, law enforcement, tech, the insurance industry, research and more. According to the RTF leadership, the early reception to its new report has been positive, but a lot more needs to happen to see real results.
How we got here
Ransomware has been a rapidly growing problem over the past five years.
For a while, individuals and small businesses were the primary target of these attacks, as they were the most likely to have little in the way of tech defense. Once in, the malware would lock up data across the user’s PC and network. Hackers would charge a relatively small but painful ransom in exchange for restoring systems – enough to make it profitable, but not too steep for victims to afford.
However, over time, hackers started going after bigger and bigger targets that could pay far more. Today, ransomware is everybody’s risk. Hackers launch their attacks both indiscriminately via mass spam campaigns, as well as with precision targeting. Victims today include large and small businesses, healthcare organizations, state and local governments and companies in virtually every industry.
A lack of response = a worsening situation
Some businesses have adapted quickly to mitigate the impact of a ransomware attack, deploying critical technology like a data backup and disaster recovery system. These solutions can effectively restore the encrypted data back to normal, removing the infection and eliminating the question of paying the ransom or not.
However, many still pay the ransom in a desperate attempt to get their systems back, and this is what makes ransomware so lucrative for cybercriminals around the globe. And, even worse, ransomware has been added to the stable of nation-state weapons, being used by country agencies to cause disruptive damage to adversaries. All these developments have increased the pressure for something effective to be done about ransomware before it gets worse.
4 key goals of the Ransomware Task Force’s report
The RTF groups their recommendations into four categories of action:
- Disrupt the ransomware business model
- Deter ransomware attacks with a cohesive strategy
- Prepare organizations to combat ransomware
- Respond to attacks more effectively
Let’s take a closer look at the specific recommendations within each of these core goals.
“Disrupt the ransomware business model and decrease criminal profits”
RTF’s report says this goal can be achieved via three key objectives:
- Disrupt payment systems to make ransomware attacks less profitable
- Disrupt the infrastructure used to facilitate attacks
- Disrupt ransomware actors themselves, through criminal prosecution and other tactics
What it means:
Since ransomware is primarily activity intended to generate illegal payments, a typical government approach is to cut off of the payment systems and incentives that make the activity profitable. For example, when governments wanted to shut down Wikileaks, they couldn’t attack the site directly since its servers were not in the targeted country. Instead, they put pressure on the banking and payment tools that allowed cash to flow to Wikileaks, specifically credit card systems and digital payment systems. When those were cut off, Wikileaks started to struggle and collapse due to a loss of money availability.
A disruption strategy on ransomware follows a similar strategy:
- Cut off the hackers from their cash flow
- The effort then dries up and goes away by attrition (in theory)
Of course, disruption at a national or global level is far more active than just cutting off a bank or digital payment tool. Instead, it focuses on diplomatic pressure on the countries and authorities that shelter characters engaging in ransomware across borders. That, however, can have collateral damage that can last for years afterwards, so it has to be surgical and selective when applied.
RTF recognized the above risks and framed the ransomware issue in terms lawmakers could align themselves with easily: a national and international security problem. Since ransomware attackers typically require their ransom payments be sent via untraceable cryptocurrency, several of the Ransomware Task Force’s objectives focus on those payment systems:
- Develop new levers for voluntary sharing of cryptocurrency payment indicators
- Require cryptocurrency exchanges, crypto kiosks and over-the-counter (OTC) trading “desks” to comply with existing laws
- Incentivize voluntary information sharing between cryptocurrency entities and law enforcement
- Centralize expertise in cryptocurrency seizure, and scale criminal seizure processes
- Improve civil recovery and asset forfeiture processes by kickstarting insurer subrogation
- Launch a public campaign tying ransomware tips to existing anti-money laundering whistleblower award programs
- Establish an insurance-sector consortium to share ransom
- Leverage the global network of ransomware investigation hubs
- Clarify lawful defensive measures that private-sector actors can take when countering ransomware
- Increase government sharing of ransomware intelligence
- Create target decks of ransomware developers, criminal affiliates and ransomware variants
- Apply strategies for combating organized crime syndicates to counter ransomware developers, criminal affiliates and supporting payment distribution infrastructure
“Deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy”
RTF identifies three key governmental objectives that can help to deter ransomware attacks:
- Signal to cybercriminals that ransomware is an international diplomatic and enforcement priority
- Advance a comprehensive, whole-of-U.S. government strategy for reducing ransomware attacks, led by the White House
- Substantially reduce safe havens where ransomware actors currently operate with impunity
What it means:
Another common government response is to create enough of a deterrence that those who are contemplating engaging in ransomware are convinced it’s a bad idea.
Passing laws are often thought of as an easy deterrence approach: make the potential legal punishment as bad as possible, then people won’t go near the risk. In reality, ransomware has been so rewarding, and it has been so difficult to pursue individual hackers, that basic U.S. laws have not been enough. The Ransomware Task Force has thus emphasized that deterrence needs to be more than threats of punishment against just the individual criminals. Pressure must also be put on groups and nations who willingly or passively help ransomware criminals get away with what they do.
Again, the ultimate objective here is to remove the incentives for cybercriminals on an international scale, while also “scaring” hackers away. By creating enough of a global deterrence, the ransomware market will naturally begin to decline.
So, how exactly does the RTF envision creating an internationally coordinated strategy? For this to be feasible, here is what the task force says needs to happen:
- Issue declarative policy through coordinated international diplomatic declarations that ransomware is an enforcement priority
- Establish an international coalition to combat ransomware criminals
- Create a global network of ransomware investigation hubs
- Convey the international priority of collective action on ransomware via sustained communications by national leaders
- Establish an Interagency Working Group for ransomware
- Establish an operationally focused U.S. Government Joint Ransomware Task Force (JRTF) to collaborate with a private-sector Ransomware Threat Focus Hub
- Conduct a sustained, aggressive, public-private collaborative anti-ransomware campaign
- Make ransomware attacks an investigation and prosecution priority, and communicate this directive internally and to the public
- Raise the priority of ransomware within the U.S. Intelligence Community, and designate it as a national security threat
- Develop an international version of an Intelligence Community Assessment (ICA) on ransomware actors to support international collaborative anti-ransomware campaigns
- Exert pressure on nations that are complicit or refuse to take action
- Incentivize cooperation and proactive action in resource-constrained countries
“Help organizations prepare for ransomware attacks”
A significant amount of the RTF report’s recommendations also focuses on prevention through education and guidance for organizations.
These recommendations are designed to address several critical problems, as the report states:
- “The majority of organizations lack an appropriate level of preparedness to defend against [ransomware] attacks.”
- “Even firms that have invested in cybersecurity broadly may be unaware of how to prepare for, and defend specifically against, ransomware attacks, and information available is in many cases oversimplified or excessively complicated”
What it means
Up to now, defense against ransomware has been a bit of the Wild Wild West. Many organizations are relying on outdated data backup systems, combined with a disparate mess of cybersecurity solutions, that do not provide adequate protection against ransomware. The Task Force identified that, while the number of potential solutions is wide-ranging, the bigger issue is helping companies know what to apply and how to do it properly.
The report points out that more than $350 million in ransom was paid out in 2020, a 311% increase over the previous year. But that figure does not even take into account the full cost of a ransomware attack, which can sideline businesses for weeks, idling employees and racking up thousands of dollars in losses with each passing minute.
Helping organizations prepare for these attacks is thus one of the most effective ways to combat the overall problem of ransomware. If businesses no longer need to pay the ransom, then attackers will no longer make any money.
The greatest challenge is creating an effective means for delivering this training, insight and tools to the right audiences. Ideally, both cybersecurity leaders and government agencies need to work together to ensure that organizational leaders fully understand the threat and how to combat it, especially as ransomware tactics evolve over time.
Here are the key action steps recommended by the Ransomware Task Force:
- Develop a clear, actionable framework for ransomware mitigation, response and recovery
- Develop complementary materials to support widespread adoption of the Ransomware Framework
- Highlight available internet resources to decrease confusion and complexity
- Develop business-level materials oriented toward organizational leaders
- Run nation-wide, government-backed awareness campaigns and tabletop exercises
- Update cyber hygiene regulations and standards
- Require local governments to adopt limited baseline security measures
- Require managed service providers to adopt and provide baseline security measures
- Highlight ransomware as a priority in existing funding provisions
- Expand Homeland Security Preparedness grants to encompass cybersecurity threats
- Offer local governments, SLTTs and critical NGOs conditional access to grant funding for compliance with the Ransomware Framework
- Alleviate fines for critical infrastructure entities that align with the Ransomware Framework
- Investigate tax breaks as an incentive for organizations to adopt secure IT services
“Respond to ransomware attacks more effectively”
The Ransomware Task Force makes three core recommendations for responding to attacks:
- Increase support for ransomware victims
- Increase the quality and volume of information about ransomware incidents
- Require organizations to consider alternatives to paying ransoms
What it means:
When ransomware attacks happen, many victims rightfully go into a panic. The first discovery of an attack is typically one where the victim finds out after the hacker is already inside their system, and data has been encrypted across the network. Even with backups, some organizations are desperate to get their systems up and running again, or else the losses can be catastrophic.
So, what do they do? Does the company take the gamble of paying the ransom, with the hope that hackers will immediately comply? Or do they wait it out and continue with their own recovery (which may never be possible if the right backup systems aren’t in place).
The Ransomware Task Force is emphasizing the importance of training companies how to respond without paying the ransom. Collectively, avoiding these payments altogether will begin to cut down on the impact of ransomware.
Thus, response involves several layers of action: better education and tools for organizations, more support for victims so that they don’t pay the ransom and better reporting of each incident. Specifically, the RTF emphasizes information sharing on attacks: the more that is known about ransomware attacks and how they are applied helps create better shared defenses, as well as more concrete response guidelines for other organizations. As collected, the attack information should also be archived centrally in what the RTF refers to as a Ransomware Incident Response Network or RIRN. This would provide a protocol for how to report information, compile it in a standardized format and emphasize incident reporting as the correct course of action in all circumstances.
If a company decides that a ransom payment is the best course of action, then the RTF recommends that that company share its incident situation and details with the government. In many cases this is already standard procedure, but some organizations understandably want to keep cybersecurity incidents under wraps. The RTF’s recommendation would mandate that companies report these incidents.
Here are the key action steps recommended by the task force:
- Create ransomware emergency response authorities
- Create a Ransomware Response Fund to support victims in refusing to make ransomware payments
- Increase government resources available to help the private sector respond to ransomware attacks
- Clarify U.S. Treasury guidance regarding ransomware payments
- Establish a Ransomware Incident Response Network (RIRN)
- Create a standard format for ransomware incident reporting
- Encourage organizations to report ransomware incidents
- Require organizations and incident response entities to share ransomware payment information with a national government prior to payment
- Require organizations to review alternatives before making payments
- Require organizations to conduct a cost-benefit assessment prior to making a ransom payment
- Develop a standard cost-benefit analysis matrix
The Ransomware Task Force has put together an impressive plan for combatting the problem of ransomware. While the recommendations are relatively broad overall, they represent the clearest outline yet for disrupting the ransomware market and, hopefully, defeating it once and for all.
It’s no secret that ransomware is now a serious cybersecurity problem affecting every industry, including both small businesses and global enterprises. The RTF’s guidelines provide a framework for deterring ransomware activity, making it more difficult for attackers, helping businesses prepare for an attack and creating a more consistent response to each incident. The greatest challenge, however, will be applying these recommendations on a global scale, so that organizations and the public sector are working together to fight the problem. The task force admits in its report that, if recommendations can’t be applied effectively, ransomware will only get worse.
For complete Ransomware Task Force update or to request a free BC/DR demo
To learn more about combating ransomware at your organization based on the RTF recommendations, contact our business continuity experts at Invenio IT. Call (646) 395-1170, email success@invenioIT.com or request a free demo of advanced data backup and disaster recovery solutions from Datto – an RTF member and stakeholder.