The Ransomware Task Force (RTF) this week published a report detailing recommendations to fight back against the operators and infrastructure that drive ransomware, which its team of experts describes as a "serious national security threat" and "public health and safety concern."
More than 60 people from software companies, security vendors, government agencies, nonprofits, and academic institutions teamed up with the Institute for Security and Technology (IST) to create the RTF, which launched last December.
Participants include Microsoft, McAfee, Rapid7, Amazon, Cisco, the Cyber Threat Alliance, the Global Cyber Alliance, US Department of Justice, Europol, and the UK's National Crime Agency, among many others.
In their 81-page report, "A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force," experts share proposed guidance to deter ransomware attacks, disrupt its business model, help organizations prepare, and better respond to the global threat.
While other threats, such as business email compromise, also cause tremendous losses for businesses each year, RTF is focusing on ransomware because of its massive impact.
"One of the concerns we have is the scope and scale of ransomware," says Megan Stifel, executive director for the Americas at the Global Cyber Alliance and co-chair of the RTF. "It's holding parts of the ecosystem and the economy at risk, particularly aspects of critical infrastructure, that can give rise to a range of cascading consequences that in some cases individually, or certainly collectively, can create a significant national security problem."
RTF's framework arrives as ransomware attackers continue to evolve their strategies. Ransomware targeted the healthcare industry during a global pandemic and has shut down schools, hospitals, police stations, city governments, and US military facilities, its report points out.
"The professionalism of the affiliates, and focusing on their ability to attack organizations, is probably the biggest challenge," says Raj Samani, fellow and chief scientist at McAfee, of fighting ransomware. "This has supported the big-game hunting strategy and ultimately the ability to get into organizations and disrupt operations or steal data, [which] has given threat actors the ability to demand a lot more than ever before."
The framework outlines 48 actions government and industry leaders can take to disrupt the ransomware business model and mitigate the impact of attacks. While there have been many reports on the growing ransomware threat and widespread recommendations on how to fight it, many organizations struggle to adopt them. The idea behind this framework is to create a more comprehensive, all-hands-on-deck approach to dismantling the ransomware threat.
Some of the RTF's recommendations are listed as higher priority, though it advises viewing them together as a whole. At the top of its list is the suggestion for a coordinated, law enforcement effort to prioritize ransomware through a strategy that includes the use of "a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals," the RTF says in the framework.
"The first priority really does need to be this public pronouncement that ransomware is a serious national security threat, and that governments will work together with the private sector and other stakeholders in reducing its impact through a range of actions, including this idea of enhanced information sharing to support intelligence and enforcement," says Stifel.
There is room for improvement in how this is done, she adds.
"The ability for the government to ingest information around ransomware needs to improve, but also the ability for industry to share information around ransomware is in significant need of enhancement," Stifel says.
The RTF's second recommendation suggests the US launch an "intelligence-driven anti-ransomware campaign, coordinated by the White House." This must include an Interagency Working Group led by the National Security Council, an internal US government joint ransomware task force, and a private, industry-led informal Ransomware Threat Focus Hub.
Its third prioritized recommendation suggests governments create a cyber response and recovery fund to support ransomware response and other security efforts, mandate victims report ransom payments, and require them to consider alternatives before paying ransom.
Payments were a tricky subject to navigate in the creation of the framework, and Stifel notes the RTF couldn't come to a consensus on whether to prohibit payments. Participants agreed that while paying ransom is detrimental in many ways, there are challenges in barring payments altogether. Doing so "would really put victims in a very hard spot," Stifel adds.
The framework also suggests closer regulation of the cryptocurrency sector and states governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter trading to comply with existing laws, such as Know Your Customer, Anti-Money Laundering, and Combatting Financing of Terrorism.
Ransomware is a rapidly evolving threat, and criminals continue to hone their skills and tactics to successfully extort businesses. McAfee's Samani will elaborate more on this topic and how these changes have influenced the distribution of ransomware in an upcoming RSA Conference session entitled "Ransomware: New Recipe For An Old Dish."