The Fourth CRI Summit provided new guidance, emphasizing informed decision-making and the international collaboration needed to disrupt ransomware.
As Cybersecurity Awareness Month begins, ransomware steps into the international spotlight again. On October 2, 2024, the UK Government released guidance from the Counter Ransomware Initiative (CRI) for organizations dealing with ransomware incidents. The CRI is an international effort backed by 68 countries across the globe, with the shared goal of stopping ransomware actors and building resilience so that any ransomware event has limited effectiveness.
The new guidance came during the CRI’s Fourth Summit, which ran from September 30 to October 3, 2024, in Washington, DC. Straying a bit from the last summit’s joint statement, which centered on discouraging ransomware payments, this year’s guidance acknowledges that organizations may make ransom payments and offers important advice about what to do in the event of an attack. It recommends 11 steps, each emphasizing the need to properly examine your choices:
- Consider the correct legal and regulatory environment around payment
- Reporting the incident to the authorities
- Evaluate all options
- Where possible, consult experts
- Review alternatives to paying ransom
- Gather relevant information to assess the impact and legal obligations
- Assess the impact of the incident
- Record your decision-making
- Involve the necessary stakeholders across the organization in decisions, including technical staff and senior decision makers
- Be aware that payment does not guarantee access to your devices or data
- Post incident evaluation: Investigate the root cause of the incident and make the necessary preparations to avoid a repeat attack
The importance of this seemingly common-sense counsel cannot be overstated. Ransomware does not seem to be slowing down, and the tactics of these threat actors are becoming more aggressive. Outside of shoring up defenses to prevent a ransomware attack, the only thing that seems to temper the scale of ransomware groups is the continuous effort of law enforcement agencies to disrupt them, even if they are eventually replaced by smaller ransomware groups.
Just days before the fourth Counter Ransomware Initiative summit, Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, commented on what can be done to curb the worsening cyber threat. “What we’ve observed is that there is no one operation that’s going to disrupt ransomware permanently. Instead, we have to increase the frequency and increase the breadth of these operations, by taking down infrastructure regularly, designating the exchanges that are facilitating money laundering and ransomware activity regularly.”
Disruption has been the main approach for fighting ransomware in the US, with the FBI and DoJ disrupting LockBit, Volt Typhoon, 911 S5, and more this year alone, typically with international help. The DoJ’s Criminal Division shared their Strategic Approach to Countering Cybercrime during the summit, which also highlights their “focus on using all tools to disrupt criminal activity”. While these operations cannot eliminate the ransomware gangs completely, they continue to be worthwhile; arrests are still being made globally, as Japan’s National Police Agency was recently able to arrest a suspected LockBit ransomware developer.
The first two of the four days in the CRI summit focused on disruption operations, with countries in the CRI Policy Pillar (led by the UK and Singapore) reportedly sharing their plans “to build resilience against ransomware attacks and leverage the ecosystem to disrupt the ransomware criminal industry.” This included commending the guidance the UK government shared and the Financial Action Task Force’s (FATF) Recommendation 15, which regulates virtual assets, in the hope of stifling illicit transactions in the ransomware industry.
While disruption efforts have shown promise in combating ransomware, a multifaceted approach and international collaboration will be key to stopping ransomware. The CRI summit offers a window into the evolving effort to understand the reasons victims of ransomware continue to pay threat actors, and to leverage a variety of law enforcement capabilities to make life more difficult for attackers.