December 6, 2022 By Mike Elgan 4 min read

Ransomware is a growing, international threat. It’s also an insidious one.

The state of the art in ransomware is simple but effective. Well-organized criminal gangs hiding in safe-haven countries breach an organization and find, steal and encrypt important files. They then present victims with a double incentive: should they refuse to pay, their encrypted files will be both deleted and made public.

In addition to hundreds of major attacks around the world, two critical ransomware incidents — the Colonial Pipeline attack and the attack on U.S. meatpacking company JBS — proved that this threat could no longer be ignored. In fact, American financial institutions lost $1.2 billion in costs associated with ransomware attacks in 2021, according to data reported by banks to the U.S. Treasury Department.

Incidents are on the rise, ransoms are on the rise, and the world has finally had enough. And so last year, the White House launched an initiative to attack the problem.

The first summit

The White House held two international ransomware summits in the past two years. The first took place in 2021 and included 30 nations, plus the E.U.

Participants in the first international Counter Ransomware Initiative (CRI) summit promised to share ransomware intelligence, prosecute ransomware crimes, disrupt ransomware funds transfers and work together on eliminating safe havens for ransomware gangs through diplomacy.

The initiatives were carried out by five working groups: resilience (led by Lithuania and India), disruption (led by Australia), counter illicit finance (led by the U.K. and Singapore), public-private partnership (led by Spain) and diplomacy (led by Germany). These working groups shared information and expertise in order to prepare for future ransomware attacks.

Although the first summit was a success, the most recent summit got far more ambitious.

The second summit

The second international CRI summit took place from October 31 to November 1, 2022. This time, a total of 36 countries participated in addition to the E.U.

The participants had not been idle during the interim. The White House claimed that since the initial summit, the CRI “worked to increase the resilience of all CRI partners, disrupt cyber criminals, counter illicit finance, build private sector partnerships and cooperate globally to address this challenge.”

At the second summit, the White House decided to bring in an international representative group of security and technology-focused companies, including CrowdStrike, Mandiant, Cyber Threat Alliance, Microsoft, Cybersecurity Coalition, Palo Alto Networks, Flexxon, SAP, Institute for Security + Technology, Siemens, Internet 2.0, Tata – TCS and Telefonica.

Participants created an International Counter Ransomware Task Force (ICRTF), led by Australia. They also opted to establish a fusion cell at the Regional Cyber Defense Centre (RCDC) in Kaunas, led by Lithuania, as a kind of testing sandbox to experiment with a scaled version of the ICRTF.

They further planned to distribute what they call an investigator’s toolkit — basically, documented best practices for disrupting and shutting down cyber criminals — as a manual for “tactics, techniques, and procedures”.

The group plans to bring in the private sector with information sharing and coordinated action against ransomware gangs. They will also publish advisories, coordinate priority targets through a single framework and conduct biannual counter-ransomware exercises.

Interestingly, the group intends to take action to prevent ransomware perpetrators from using and laundering cryptocurrencies. This project involves sharing information about crypto wallets globally, sharing best practices about blockchain tracing and pushing identity authentication for crypto transactions.

The key takeaways

The number-one issue at the second summit was the borderless nature of ransomware. That alone is why international cooperation is so necessary. In fact, that’s one of the interesting elements of ransomware as a phenomenon. Ransomware gangs find safe havens in rogue nations and operate with impunity. There, they are able to run their operations like legitimate businesses, publishing blogs and offering “tech support”.

A second point underscored is that ransomware isn’t just a financial threat. It also threatens national security and the proper functioning of societies. Ransomware attacks on targets involving large businesses, crucial infrastructure or the military could affect national security. They even have the capacity to trigger a hot war.

And, finally, the group emphasized the need to develop an international legal framework for prosecuting criminals.

In a nutshell, the summit’s approach is to attack all vectors of ransomware — knowledge, resources, money, security architecture, international and domestic law, diplomacy and more.

How does this impact businesses?

The Public-Private Partnership (P3) Working Group, chaired by Spain, is working on a tool for public-private partnerships to address ransomware. The tool will feature case studies that show paths to successful efforts to combat ransomware.

This tool will no doubt prove to be a huge boon for organizations at risk of ransomware attacks. When combined with thought leadership, best practices and actual legal action, the benefits will only increase.

More than tools and resources, the greatest boon is to make it harder for criminal gangs to operate. A safer cyber world requires increased prosecutions and a reduction in safe havens from which to commit ransomware crimes.

For businesses and organizations that are potentially vulnerable to ransomware attacks, the work of the CRI is very welcome. While security best practices can help protect individual organizations, they continue to need support from global partnerships. As long as the ransomware gangs can operate from rogue nations and benefit from money laundering opportunities present in cryptocurrency systems, the international community will need to face this threat together.

The CRI is sharing knowledge, channels for cooperation, legal frameworks and more to protect the world against the scourge of ransomware.
