Ransomware has reached crisis levels across business sectors and across the globe, but a public-private Ransomware Task Force aims to stem the tide of attacks by disrupting the crooks’ business model.
The Institute for Security and Technology (IST) put together the coalition, which includes more than 60 members from software companies, government agencies, cybersecurity vendors, financial services companies, nonprofits and academic institutions. Big names associated with the project include the U.S. Department of Justice, Europol and the U.K.’s National Cybersecurity Centre (NCSC); along with Amazon, Cisco, FireEye and Microsoft, et al.
The group issued an ambitious framework for addressing the threat this week, in the form of a tome that clocks in at a whopping 81 pages. It was delivered to the Biden Administration and is chock-full of ambitious “to-dos,” such as setting up a reporting framework, managing the ransom negotiation-and-payment process, seizing gangs’ crypto-wallets and infrastructure, and going after cryptocurrency exchanges that fail to implement anti-money laundering measures.
In all, it details what RTF considers to be “a full, comprehensive strategy to stem the ransomware tide – ranging from dealing with the complexities of the ransomware epidemic, to the role of cyber-insurance, cryptocurrency and safe havens for threat actors,” according to Team Cymru, one of the cybersecurity firms signed onto the project.
Ransomware on the Move as Cases Spike
The effort comes as ransomware has become one of the most frequent and disruptive types of cyberattack. For instance, the NCSC found in its 2020 Annual Review that it handled more than three times as many incidents than the previous year.
Mimecast’s 2021 “The State of Email Security Report” found that 61 percent of respondents in a survey indicated they had been impacted by ransomware in 2020, which is a 20 percent increase year-over-year. Companies impacted by ransomware lost an average of six working days to system downtime, with 37 percent saying downtime lasted one week or more.
And, as detailed in Threatpost’s recent eBook on the subject, attackers are increasingly evolving, adding new tactics, gaining in sophistication, stealing sensitive data, and building a thriving underground economy that involves multiple stakeholders and types of partners (initial access brokers and affiliates, for example). They’re also demanding ever-larger ransoms.
These gangs also have few (if any) scruples. “During the COVID-19 pandemic, attackers took advantage of the crisis in their selection of targets, which included hospitals in the U.S. and Europe,” the NCSC pointed out, in a blog posting. “Here in the U.K., we saw a spike in ransomware attacks affecting the education sector at a time when institutions were working hard to manage online learning, admissions and testing procedures.”
Disrupting the Ransomware Economy
The most notable aspect of the Framework for many is that it targets the entire criminal ecosystem around ransomware. For instance, part of the plan is to prosecute and disrupt the Dark Web marketplaces where ransomware gangs flog their wares (generally in a ransomware-as-a-service model) and find partners. The plan also calls for disabling hosting services that facilitate ransomware campaigns. And another aspect of the plan is centralizing expertise when it comes to putting the squeeze on cryptocurrency markets and cryptocurrency seizure.
Perhaps most interestingly, the Framework would also require companies to disclose their ransomware incidents as well as their ransom-payment plans to the U.S. Treasury Department.
Even though the Treasury Department last year expanded its sanctions list to include various ransomware gangs and operators (meaning that any ransom payments by victims to them could result in big fines), the Framework changes that tune.
“Ransomware attackers require little risk or effort to launch attacks, so a prohibition on ransom payments would not necessarily lead them to move into other areas,” according to the report. “Rather, they would likely continue to mount attacks and test the resolve of both victim organizations and their regulatory authorities. To apply additional pressure, they would target organizations considered more essential to society, such as healthcare providers, local governments and other custodians of critical infrastructure.”
So instead, “Updating breach disclosure laws to include a ransom-payment disclosure requirement would help increase the understanding of the scope and scale of the crime, allow for better estimates of the societal impact of these payments, and enable better targeting of disruption activities.”
The Framework would require ransomware victims to report details about the incident prior to paying the ransom. That strategy “would enable national governments to take actions such as issuing a freeze letter to cryptocurrency exchanges,” according to the report.
As a corollary to this, the Framework would also have cyber-insurance companies establish a common pool of money “to evaluate and pursue strategies aimed at restitution, recovery or civil asset seizures, on behalf of victims and in conjunction with law-enforcement efforts.”
The disruption of the business model for ransomware operators is key to success – and failing to do so could have terrible consequences. Researcher Kevin Beaumont for instance took to Twitter to warn that, left undisrupted, ransomware gangs have the potential to be richer than nation-state -backed cyber-teams, with the ability to purchase zero days at will.
https://twitter.com/GossiTheDog/status/1387754254748823554
In its survey, Mimecast found that more than half (52 percent) of ransomware victims paid threat-actor ransom demands, but only two-thirds (66 percent) of those were able to recover their data. The remaining one-third (34 percent) never saw their data again, despite paying the ransom.
What Else is in the Ransomware Task Force Framework?
While some of the plans detailed in the Framework are no-brainers (such as voluntary information-sharing and exerting pressure on safe-haven states like Russia, where cybercriminals are rarely prosecuted), other aspects are more novel.
For instance, the Framework also calls for establishing a ransomware incident response network with a standard format for reporting ransomware incidents. And, it would establish for a federal cyber-response and recovery fund that would be earmarked for helping state and local governments and critical infrastructure remediate ransomware incidents.
“The idea to create a Ransomware Response Fund to support victims in refusing to make ransomware payments is astonishing at first sight,” Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. “By instinct one would ask why, as the victim wasn’t able to secure their systems and network properly so they got caught. But that would reject the notion that there is no such thing as 100-percent security.”
Other pieces in the Framework include incentivizing better security postures through tax breaks, and a large-scale public awareness campaign on cybersecurity hygiene.
“The Task Force will help the Department of Justice take a coordinated and focused approach to what has become a widespread scourge of ransomware and other cyber-extortion,” Alex Iftimie, attorney at Morrison & Foerster, told Threatpost. “I expect we’ll see more extortionists in handcuffs, additional disruption operations focused on hackers’ infrastructure and malware, and additional diplomatic pressure on jurisdictions that harbor or turn a blind eye to the activity under their noses. I also expect we’ll see efforts to encourage victims to come forward – practitioners and the security community will be watching closely to see what assurances will be given to victims that come forward.”
Implementation Challenges for the Ransomware Framework
Of course, “the real challenge is in implementation,” according to the report and Task Force members. When it comes to being successful, the best approach will be to avoid implementing the plan in pieces, said James Shank, chief architect of community services and senior security evangelist for Team Cymru.
“To put it simply, adopt the totality of the recommendations,” he told Threatpost. “Several recommendations are coupled together in ways that doing one thing, or a few things, may not result in a change in the dynamics. Let’s give this new approach a try.”
He added, “These recommendations create a framework that, in totality, we believe can impact the global situation. Time will tell whether they are adopted as a complete framework and what the impact to ransomware will be in time. This approach is fundamentally different and engages multiple layers of public and private sector entities, and we are hopeful this comprehensive action will create a paradigm shift.”
However this is of course easier said than done. In digging through the massive RTF document, a few difficult aspects of the Framework stood out to researchers.
“This is challenging because it requires cooperation across multiple companies in the private sector (many of which compete with each other), as well as various governments, to come together to solve,” Douglas Murray, CEO at Valtix, told Threatpost. “While incredibly complex, we have to get this right and in real-time as newer ransomware is detected around the globe. We need to protect our infrastructure, while upsetting the bad actors business model. This threat feed can be ingested by security services to allow government and enterprises to appropriately respond to these attacks. Urgency here is critical.”
Some in the community pointed out that the coalition must also address privacy concerns given that the plans on the table could enable the assembly of vast data lakes of sensitive information:
https://twitter.com/TommyTenacious/status/1387760184341188613
Schrader meanwhile said that convincing lawmakers across the globe to actually join the coalition will be a challenge.
“It will be interesting to see whether they can get a large number of nations to join that coalition [and] to work out or improve their own country’s legal frameworks,” he told Threatpost. “So that ransomware gangs can effectively be prosecuted, or at least the market structure is changed so much that they get frustrated and leave that business. That is by all means not a sprint.”
Other obstacles could also loom, he added: “There is also a good chance that cryptocurrency players will label this initiative as a bait to get regulations for their markets in place.”
Ransomware Worst-Case Scenarios
Team Cymru noted in a blog post on Wednesday that regardless of the challenges, the issue must be addressed. While ransomware has cost companies billions, and disrupted hospital and education efforts in the middle of a pandemic, there are yet worst-case scenarios that the RTF is planning for.
“Worst-case scenarios tend to encompass threats to life, threats to national security and threats to critical utilities, including critical supply chains,” said Shank. “We’ve seen ransomware actors escalating their targets to large enterprises and demanding $50 million in ransom. These are big numbers that impact large enterprises, but so far, we haven’t seen an escalation to the most critical targets. There is no reason to believe that ransomware actors will restrain themselves to protect innocent life…what comes next is unknown, but what could come next gets scary pretty quick.”
Philip Reiner, the CEO of IST and the executive director of the RTF, echoed that ominous warning.
“The cost of ransom paid by organizations has nearly doubled in the past year, and is creating new risks, many that go far beyond monetary damage,” he said in a media statement. “In the past 12 months alone, we’ve seen ransomware attacks delay lifesaving medical treatment, destabilize critical infrastructure and threaten our national security. We felt an urgent need [for the RTF].”
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!