Published by The Lawfare Institute
in Cooperation With
Earlier this month, the White House hosted the second meeting of the International Counter Ransomware Initiative (CRI). One of many initiatives on cybersecurity advanced by the Biden administration, the CRI acts as a forum for partners and allies to “cooperate internationally across all elements of the ransomware threat.”
Addressing the various aspects of the ransomware threat has been a primary early goal of the Biden administration in cybersecurity. As my colleagues explained, “the U.S. government has begun to leverage a range of criminal, diplomatic, economic and military capabilities in order to combat the ongoing ransomware threat.” This whole-of-government approach attempts to thwart and disrupt cybercriminals and their infrastructure, prevent them from abusing financial systems, and impose costs on those jurisdictions that have become safe havens, while also leveraging public-private partnerships and diplomacy to improve information sharing, risk awareness, and resilience.
The theory behind this focus is that ransomware is relatively low-hanging cybersecurity fruit. Relatively few actors are responsible for a lot of the damage. Keeping software patched does wonders to prevent it. So the idea is that a series of cybersecurity “sprints” could make a big difference.
The government has certainly been active on the subject. The U.S. Department of Treasury sanctioned several virtual currency exchanges for facilitating transactions laundering the proceeds of ransomware schemes. The Conti and REvil groups shut down their operations. And when the CRI first met in October 2021, more than 30 countries committed to act together to mitigate the risk of ransomware.
Yet, in the war against ransomware, ransomware is at least holding its own. Ransomware-as-a-Service (RaaS) is growing in popularity, enabling more actors to easily target a broad range of sectors. Despite increased spending in cybersecurity, more companies report being victims of an incident, a trend that is expected to continue into next year. Newer ransomware strains are emerging. More incidents are being reported. And the average ransom paid is higher than ever before. Even more concerning, widespread adoption of double extortion schemes, in which the bad actor extracts the data before encrypting it and threatens to make it public, leads to more organizations deciding that paying the ransom might be in their best interest.
To begin the work of evaluating actual results against the undoubted commitments of the administration, I will endeavor to describe the areas of work mapped by the CRI and assess what we can expect from their efforts.
The Counter Ransomware Initiative: A Year In
In its statement from 2021, the CRI committed to a multipronged approach to tackling ransomware, by establishing working groups to address different aspects of the threat. The five groups were tasked to look into increasing resilience, disrupting malicious actors, tackling the financial mechanisms that are abused to launder ransomware payments, promoting public-private partnerships, and leveraging diplomacy. Each working group was led by different partners: Lithuania and India led the resilience group, Australia led the group on disruption, the U.K. and Singapore took the lead on tackling financial mechanisms, Spain ran point on public-private partnerships, and Germany ran the group on leveraging diplomacy.
After a year of working in their respective groups, the CRI met in person to discuss their accomplishments and put forth a program of action for the next year. In a departure from the previous meeting, 13 private companies were invited to attend this meeting, “represent[ing] a diverse range of size, regional reach, and focus.” Those companies were CrowdStrike, Mandiant, Cyber Threat Alliance, Microsoft, Cybersecurity Coalition, Palo Alto, Flexxon, SAP, Institute for Security and Technology, Siemens, Internet 2.0, Tata – TCS, and Telefonica.
The inclusion of private-sector actors tracks with the administration’s focus on improving public-private partnerships to increase cybersecurity. Given that many of the action points in the statement will hinge on collaborating with private actors, it is a positive development that they were invited to speak to the CRI.
What started in 2021 as an identification of common challenges and lines of action that the multilateral group would tackle has now developed into a more concrete list of deliverables. The highlights from this year’s CRI include:
- Creating the International Counter Ransomware Task Force (ICRTF), led by Australia.
- Leveraging the regional cyber defense center in Lithuania as a “scaled version of the ICRTF” that can test the information sharing commitments.
- Promoting a range of capacity-building activities, which include publishing a toolkit for responding to ransomware, attempting to develop “aligned frameworks and guidelines” for prevention and response, and holding counter-ransomware exercises and counter-illicit finance ransomware workshops.
- Advancing information sharing between the CRI members and with the private sector, about ransomware tools and procedures, the systems used for laundering ransomed funds, and the implementation of anti-money laundering and countering the financing of terrorism standards.
- Strengthening diplomatic engagement and addressing the ransomware threat across forums.
The action plan outlined in the 2022 joint statement reflects the importance of information sharing and capacity building, with a focus on disrupting the infrastructure that cybercriminals leverage to launder the proceeds of their schemes.
An Evolving Threat
All of these actions sound salutary and worthy. The trouble is that, while the CRI has been organizing committees and working groups, the ransomware bad actors have continued developing tools and techniques to target victims. The CRI and other related initiatives face a tough challenge. Despite some successes, increased awareness of the threat, increased spending on cybersecurity, and new partnerships, the ransomware forecast continues to look ominous.
Cybercriminals, it just so happens, are particularly adept at adjusting to new cybersecurity measures. After Microsoft decided to disable macros by default (one of the most successful ways in which malware is delivered to its victims), cybercriminals quickly began shifting to dropping malware through new methods like LNK files, according to a recent report by cybersecurity company Deep Instinct.
Fortinet’s threat intelligence group attributes an increase in ransomware variants to the popularity of RaaS offerings. An example of the professionalization of cybercrime, RaaS allows an operator to rent the ransomware to “affiliates” or “partners,” who then deploy it. In exchange for a cut of the ransom, more actors—regardless of their sophistication—can go after their victims.
The resilience isn’t just technical. While several high-profile groups have been disrupted in the recent past—like the REvil or Conti groups—they have a tendency to resurface shortly after in new forms. Disbanding and reappearing under “clean” identities is not uncommon, which adds a layer of complexity to the goal of disrupting operations. Without an updated international framework or the cooperation of those countries in which the criminals find shelter, the disruption of these groups more closely resembles a game of whack-a-mole than a takedown.
Ransomware gangs also have been successful at finding other ways to incentivize their victims to pay the ransom. Double and triple extortion are part of the new trends that cybersecurity researchers have been warning about for years.
Double extortion is now a well-established methodology. Here’s how it works: Before encrypting the files, the criminals extract the documents. If the victim refuses to pay the ransom, the cybercriminals can threaten to make that data public. The Australian health insurer Medibank is, for example, currently risking the disclosure of compromised data for approximately 9.7 million of its customers in a standoff with criminal group BlogXX (which may or may not be the former REvil group). In the past, data leaked in this fashion included sensitive personnel information, Ferrari repair manuals, and students’ psychological assessments.
The efficacy of this scheme in securing a payment is such that “82 percent of the ransomware actors in the last year have begun moving to data extortion as well, and we’ve even seen some of them are dropping the ransomware,” as Adam Meyers, senior vice president of intelligence at cybersecurity firm CrowdStrike, warns.
Some cybercriminals take the extortion a step further by turning their demands to those who would be affected by the disclosure. This is called triple extortion. Here, the sensitive nature of the data extracted is leveraged to extort those who would be personally impacted by the disclosure.
According to Meyers, the newer levels of extortion allow cybercriminals to regain control over the negotiations and change the calculus surrounding ransom payments. In his words, “the calculus of pay or not pay is heavily factored in on when data gets leaked, what are the regulatory compliance and legal impact, so that that can be astronomical compared to the ransom demand.”
The U.S. and Europe still account for the most targeted geographies. By some accounts, however, reported ransomware incidents are decreasing there while increasing in Latin America. And incidents in Africa and the ASEAN (Association of Southeast Asian Nations) region are on the rise, according to the 2021 Interpol Cyberthreat Assessment reports. Given that most of the CRI members are European (only three African, four Asian, three Latin American, and two Middle Eastern countries were part of the meeting), shifts in the distribution of ransomware incidents will test how international the CRI can be.
While the goal of the CRI might not be to replicate a U.N. General Assembly, the lack of representation might harm its goals. Reduced visibility into the ransomware trends in other regions could hinder the objective to achieve improved awareness for the overall threat environment. Strong capacity-building efforts and coordination with those countries that struggle most with technical and policy cyber capabilities could help stop them from becoming the focus of attention for cybercriminals looking for easy targets.
Another goal of the CRI is to raise the diplomatic cost for countries that allow their territories to become safe havens for criminals. This becomes even more crucial considering that nation-states can sometimes be the ones behind the ransomware attacks, leveraging the breach to accomplish their political goals. The good news is that the diplomatic community has been active on the cyber front: Governments now have an array of tools at their disposal to react to cybersecurity incidents. It remains to be seen, however, whether substantive change can be achieved when the countries that are considered safe havens (Russia, China, and Iran, most notably) do not participate in the CRI. Given today’s geopolitical context, this is to be expected. But the CRI might need to grapple with this challenge directly: What is the goal of diplomacy in this context?
Ransomware is, ultimately, an attractive venture for criminals. And as long as it remains so, new tactics, techniques, procedures, and variants will continue to surface. The Biden administration has been clear that the focus should not be just in responding to cybersecurity threats as they appear, but in building defenses and resilience. Which is why it is surprising to see a U.S.-led initiative focus so much on responding to the threat, rather than preventing it. Information sharing and lessons learned will be useful, but they do not nip ransomware in the bud.
One frustrating takeaway from the CRI is that it may have had more success in erecting bureaucratic responses to ransomware than in actually countering ransomware. This may reflect the expected challenges of agreeing on anything with over 30 partners. It would be easy to be dismissive of the effort, given the data. As it enters into its second year, the CRI’s most concrete deliverable seems to be the future establishment of a task force.
Ransomware is alive and well. And as cybercriminals continue to adapt, change their methods, and go after new targets that are more likely to pay, the need to remain aware of new variants and trends is of the utmost importance. The CRI is trying to shape itself into a response mechanism, hopefully disrupting some of the bad actors. It’s possible that it is suited to the task. If, at the very least, the CRI proves to be a solid platform for capacity building, that will have a positive effect on the overall environment. This sounds less ambitious than swift transnational disruption of criminal networks, but it is a foundation over which change can happen.