A new task force consisting of technical experts, policy makers, officials from the FBI and United States Secret Service, and international law enforcement agencies has developed a broad set of recommendations to help address the ransomware epidemic, including technical and legal means for disrupting these operations and the payment infrastructure that underpins them. The task force plans to deliver its report to President Joe Biden as well as international leaders.
The Ransomware Task Force, which is sponsored by the Institute for Security and Technology, includes representatives from U.S. and U.K. law enforcement agencies, think tanks, policy and civil society organizations, and many technology companies. The task force said its key recommendations, outlined in an 81-page report released on Thursday, are merely the first step in battling the ransomware threat that has affected organizations globally - “the real challenge is in implementation,” according to the report.
“The ransomware threat continues to worsen daily,” according to the report. “The actions detailed in this report need to be enacted together as soon as possible, and must be coordinated at a national and international level in order to have the necessary impact.”
Core to the report is tightened cooperation between the task force and organizations at all levels - including stronger partnerships with international, private-sector and U.S. government agencies. The aim behind these partnerships is to work together in raising awareness of the ransomware threat, establishing a streamlined strategy for reducing attacks overall and cracking down on the “safe havens” where ransomware attackers operate without repercussions.
The report also outlines various technical recommendations to protect organizations at a high level against ransomware attacks. Part of this effort would include developing an internationally accepted framework laying out the most successful approaches for dealing with ransomware. Another piece would require “limited baseline security measures” for local government entities, which have been previously plagued by ransomware attacks, as seen in a coordinated, targeted ransomware attack against a slew of Texas cities in 2019. As part of these measures, local governments would be required to sign up for CISA’s infrastructure and web app scanning services, for instance.
In addition to proactive protections against ransomware, the report proposes making more resources available for organizations who fall victim to attacks. Part of this effort includes developing ransomware emergency response authorities, which would assist organizations with incident response support and forensic analysis. The report also suggests a Ransomware Response Fund to help support victims who refuse to make ransomware payments shoulder the financial costs of remediation and restoring IT functionality - which can reach millions of dollars depending on the attack.
“If such funding were available for ransomware victims, then cost would play a smaller role in an organization’s decision about whether to pay the ransom,” according to the report. “As an incentive to invest in cybersecurity, governments could consider requiring the organization to cover some portion of the ransom as a ‘deductible.’”
While security regulations and funding resources exist at the government level, the report proposes updating these so that they specifically prioritize ransomware attacks. For instance, regulations like the Health Insurance Portability and Accountability Act (HIPAA) may need to be updated, as they “set a baseline” for cybersecurity in specific sectors - but don’t directly help mitigate ransomware attacks, according to the report. Federal funding and grants - such as the Homeland Security Preparedness Grants, which focus on terrorism - should also be updated to encompass ransomware.
Along with the suggestions for technical solutions and awareness pushes, the report also includes a variety of potential ideas for disrupting the flow of money that makes ransomware perhaps the most profitable cybercrime enterprise going at the moment. Nearly all ransomware demands require payment in one form of cryptocurrency or another, typically Bitcoin or Ethereum. Cybercriminals favor crypto currencies for several reasons, but the most important one is the difficulty of tracking the funds and tying them to a specific person or entity. Cryptocurrencies also have the built-in advantage of being country-independent, removing the need to exchange currencies. And, since there is no central bank or clearinghouse, it’s even more challenging for law enforcement to find a place to focus its efforts for disrupting ransomware payments.
The RTF report proposes a number of separate measures to help address this problem, one of which involves the creation of legal incentives for victim organizations to not only report incidents, but also to disclose the details of payments if and when they’re made in order to help law enforcement follow the trail.
“Lawmakers should create incentives to share timely and actionable cryptocurrency payment indicators to enable law enforcement to prioritize leads and seize ransom payments when possible. This information may include wallet addresses, transaction hashes, and ransom notes. In exchange for this information, victims should be able to report anonymously, unless a victim is otherwise required to disclose the attack under privacy laws,” the report says.
“Updating breach disclosure laws to include a ransom payment disclosure requirement would help increase the understanding of the scope and scale of the crime."
Although ransomware incidents often end up becoming public, many organizations are reluctant to share details, including information about how much they paid to recover their data. The FBI and other law enforcement agencies historically have discouraged victims from paying ransoms, but that stance has softened somewhat in recent years as ransomware has evolved from a niche threat to a worldwide plague. That evolution has led to some companies offering specialized payment negotiation and delivery services, often as part of ransomware incident response engagements. The level of professionalism has grown on the attackers’ side too, as the ransomware problem has worsened and the money involved has grown exponentially. More organized and higher-level groups have gotten involved and so the payment process has become optimized to a certain extent.
With financial incentives on the attackers’ side to keep the pipeline clear and disincentives on the victims’ side to report any payments, changing this dynamic will not be easy.
"There is no reason to believe that ransomware actors will restrain themselves to protect innocent life. We have already seen groups hitting hospitals during a global pandemic and school districts, utilities and local governments are common targets. What comes next is unknown, but what could come next gets scary pretty quick," said James Shank, Chief Architect of Community Services and Senior Security Evangelist for Team Cymru, a threat intelligence firm that worked on the report.
In its report, the task force suggests that state and territorial breach disclosure laws be amended to include a provision that mandates disclosure of ransom payments before they’re made. The disclosures would go to an independent body called the Ransomware Incident Response Network (RIRN) that the task force recommends be set up in the U.S.
“Updating breach disclosure laws to include a ransom payment disclosure requirement would help increase the understanding of the scope and scale of the crime, allow for better estimates of the societal impact of these payments, and enable better targeting of disruption activities. Further, requiring ransomware victims to report details about the incident prior to paying the ransom would enable national governments to take actions such as issuing a freeze letter to cryptocurrency exchanges,” the report says.
“This mandate should require organizations to report directly to a non-regulatory government agency. In turn, a receiving agency should share the reported information with other appropriate, non-regulatory government agencies as rapidly as possible and, after appropriate anonymization, to the RIRN.”
Legislators have discussed the possibility of making ransomware payments illegal in recent years, though nothing has come of it. In its report, the task force did not take a definitive position on this idea, but said that any proposal to do so must consider all of the implications that kind of ban would carry.
“Were a government to take a hardline approach on non-payment, perhaps even offering to shore up victims in their jurisdiction in some manner, attackers will look for other potential targets before moving to new sources of revenue. This means they will focus on countries or sectors where governments have not implemented the same policy or are unable to provide a safety net for victims,” the report says.
“Even in jurisdictions that offer support for critical entities, organizations that do not qualify for this support may instead pay the ransom without disclosing the incident. This could then open them to further extortion.”