Ransomware continues to be a high-profile threat, showing no signs of waning without coordinated action.
Last month, the newly formed US-based Ransomware Task Force (RTF) published a laudable paper laying out a comprehensive and detailed set of recommendations to address four policy goals:
- Deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy.
- Disrupt the ransomware business model and decrease criminal profits.
- Help organisations prepare for ransomware attacks.
- Respond to ransomware attacks more effectively.
Words, then action
Many of the recommendations in the paper will contribute in a positive way to tackling the ever-growing issue of ransomware, if implemented widely and effectively. The report is well-reasoned and offers novel and inclusive solutions to the problem which encourage international, industry and government cooperation. However, the proof will be in the level of impact it can garner, not just in the US, but around the world. Ransomware is a global issue and while the US authorities are at the forefront of enforcement, much of the solution lies with other nations, many of whom will not see ransomware as the critical economic and social issue that the US perceives.
The report sets out a series of policy recommendations and we have picked out some of the key points which resonate with our analysis of the ransomware problem.
International deterrence at a national security level
The report calls for an international response to the threat of ransomware, relying on “all the instruments of national power”. This includes joint international declarations, calls for coordinated international task forces and global investigation hubs, “sustained and aggressive” international campaigns, the exertion of pressure on countries which act as “safe havens” for cybercriminals, and support for resource-constrained countries in cooperating on the threat.
Within this set of recommendations, the paper advocates elevating the priority of ransomware operators and associated criminal organisations and networks as targets for the entire US intelligence community (IC), partly by designating these entities as national security threats. The paper recommends the development of a formal intelligence community assessment (ICA) based on input from the US IC and international partners to identify organisations, networks and individuals involved in this activity, as well as develop an understanding of the infrastructure, technologies, and tactics on which they rely. This ICA would establish a baseline understanding of the ransomware threat from which priority targets can be identified and action taken to counter them.
This is a critical component of both the deterrence and disruption elements of the policy framework presented by the RTF; the entities which conduct and support ransomware operations are both clandestine and sub-national, meaning that there are likely to be significant intelligence gaps around their identities, dispositions, priorities, strengths, and weaknesses. Effective deterrence and disruption require a detailed, specific understanding of these elements to enable targeted action to be taken. National intelligence services have significant capabilities above those available to law enforcement to develop this type of intelligence and making entities associated with ransomware operations a collection priority for partner intelligence services is likely to help significantly with addressing these intelligence requirements.
The role of insurers in disruption
In the UK, insurance companies have recently faced accusations that they are contributing to the problem of ransomware by helping businesses pay ransoms, a claim that has been rejected by the industry body. The UK Association of British Insurers (ABI) warned that insurance was not an alternative to robust security, but that without it, many victims would face severe financial impacts. This approach to enforcement, singling out the insurance industry, is unlikely to bring about positive change when the problem of ransomware is a collective issue shared by multiple stakeholders.
In contrast, among the more novel recommendations in the RTF report was the inclusion of insurers and reinsurers in tackling the growing problem in a positive way, calling for greater collaboration among the industry to be part of the solution, rather than part of the problem. This approach is likely to see insurers respond in a more positive way and should be welcomed by the industry and the wider community tackling the problem.
The report suggests improving civil recovery and asset forfeiture from insurer “subrogation”. Civil recovery through investigation and the launching of legal orders against cryptocurrency institutions can be prohibitively expensive for some individual victims. One recommendation suggests insurers and reinsurers should create a common “war chest” to pursue recovery strategies. This approach would allow insurers to properly resource and prioritise cases, share strategies for recovery and spread the risk of unsuccessful attempts, while pooling the initial costs.
In a similar theme, the report calls upon insurers to share tactics for recovery, as well as intelligence for investigations. The aim of this collaboration is to improve risk management and resolution strategies so that attacks are less profitable and damaging. It also aims to help insurers establish certainty as to the legality of making payments as the attribution of ransomware groups to sanctioned entities is a problem for those wishing to pay.
Internationally-recognised standards for helping prepare against ransomware
A robust framework for countering ransomware would be a welcome step in the right direction. Currently, guidance on the steps necessary for defending against the threat comes from a multitude of frameworks and bodies, many of which offer general guidance on information security and cybersecurity. The report suggests that this should be built on and consolidated by the US National Institute of Standards and Technology (NIST) into one internationally-recognised, ransomware-specific framework that “lays out clear, actionable steps to defend against, and recover from, ransomware”. NIST has led the development of a similar cybersecurity framework for critical national infrastructure which has been widely adopted internationally by businesses.
An internationally-recognised framework to help businesses prepare for ransomware attacks will only improve the status quo if it is well-developed and widely adopted by businesses and the cybersecurity industry. Although guidance may currently be fragmented, much of the general guidance available from NIST and other bodies such as the National Cyber Security Centre (NCSC) in the UK does already address the problems of ransomware, and care should be taken not to add further complexity to an already complex standards environment.
Improving responses to ransomware including guidance on the legality of payment
Among the recommendations to improve responses for victims of ransomware was creating financial and technical support mechanisms, as well as efforts to standardise and streamline incident reporting. Perhaps the strongest recommendation in this area was the call to make guidance around the payment of ransoms clearer. The report specifically referred to guidance issued by the US Office of Foreign Assets Control (OFAC) in October 2020, which it indicated had caused issues for victims who were unable to confidently identify payment recipients to judge if they were sanctioned entities or not. The report referenced slow responses from OFAC in providing this guidance when asked, particularly in light of the time pressure exerted by ransomware groups. The report calls for clarity over what constitutes adequate due diligence in this regard, something that would help allay fears that businesses could face heavy penalties from violating sanctions.
While efforts to clear up the currently opaque sanctions guidance will no doubt be welcome, the task of offering clear advice in this regard may be harder than it first appears. Attribution in cyberspace remains a controversial and difficult subject, inherently influenced by geopolitical issues which further confuses the picture. It remains to be seen how sanctions bodies will approach this recommendation to offer better guidance for victims.
Our recent blog suggested we are in a “golden age” of cybercrime, largely due to the extortion activity of ransomware groups. This new report offers a glimmer of hope for victims and citizens who are increasingly at risk from the activity. If the international community stands up and takes notice of these recommendations, the impacts on ransomware gangs will no doubt be felt.
MDR Cyber produce regular research and reporting such as our ‘State of Cybercrime 2020’ report which took a look back at the developing landscape and a long look forward. Having supported and advised many client organisations of varying size and complexity during their ransomware incidents, we have extensive hands-on experience with these threats and are able to provide insight on addressing both the technical and legal issues and the best course of action available to you. Contact us at MDRCyber@Mishcon.com.