The US Counter Ransomware Initiative

The US government and several other countries have been grappling with a key question over the last year: Should ransomware payments be banned, with select waivers available for special situations?

Speaking at a Ransomware Task Force event on Friday, White House Deputy National Security Adviser Anne Neuberger said ransomware payment bans have been a topic of discussion among members of the Counter Ransomware Initiative, which she said has evolved rapidly since it was created in 2021.

According to Neuberger, there were more than 6,500 ransomware attacks across the globe between 2020 and 2022, prompting difficult discussions about ways to disrupt the ecosystem.[1]  “Fundamentally, money drives ransomware.  For an individual entity, it may be that they make a decision to pay.  But for the larger problem of ransomware, that is the wrong decision.  There may be an individual entity – a major hospital or emergency services – that we just are committed to bringing those services back up as quickly as possible,” Neuberger said.  “So when we think about banning ransom payments, we would do so with a waiver, notifying or asking the permission of the US government.  It's a difficult question.  It's one we've grappled with.”

Neuberger explained that despite all of the work that has been done over the last two years, from takedowns to arrests and more, critical organizations are still being attacked.  She referenced the ransomware attack on the government of Dallas and its effect on the city’s police department as an example of the kind of attacks that frustrate officials in the US and abroad.  “[The Dallas Police Department] is an important entity for critical services in this country. We have to ask ourselves, would that be helpful more broadly if companies and others didn't make payment? That's a question that… is certainly a very hard one,” she said.  She noted that several other countries involved in the Counter Ransomware Initiative have also raised the issue, but no decisions have been made.

Several US states have banned local government entities from paying ransoms connected to attacks, but the bans so far have done little to stop gangs from targeting them.  Cybersecurity experts, and even the FBI, have repeatedly come out against the idea of banning payments, noting that it would only further harm victims.

Even if ransomware payments were banned, many companies would simply find a way around it and still pay, opting to deal with the legal fallout instead of allowing their businesses to languish for days.  “I understand the idea behind this, but I don’t think it is the right answer.  It may wind up reducing ransomware attacks in the longer term, but there will be a lot of pain in the short term, and by short term I mean years,” The Record said.  “For example, North Carolina banned ransom payments in the public sector last year and it has not slowed down ransomware attacks in that state at all.  Ransomware actors don’t care about our laws.  Not to mention the fact that reporting is already hard enough, imagine trying to find out how to get a waiver.”  Neuberger spoke at length about how the Counter Ransomware Initiative has evolved significantly since its creation.

As of October 2022, 36 countries plus the European Union were involved in the effort. Since then, Jordan, Costa Rica, and Colombia have joined, highlighting the fact that ransomware has become an issue in almost every region of the world.  Neuberger noted that one of the best parts of the Counter Ransomware Initiative is the opportunities for collaboration that it offers.  “When we talk about potentially countering Chinese malicious cyber activity, there are some countries who will say ‘we don't want to do that publicly and together.’  When we talk about countering Russian nation-state activity, there are some countries who may have concerns about doing so,” she said.

Neuberger referenced a recent attack against Dallas as an example where critical services were brought down.  “But when we talk about countering cybercrime, we can build the kind of international cyber coalition to take on and drive that operationalization of working disruption together, ensuring that crypto entities or banks put in place know your customer entities.  We can truly build that unified international global cyber coalition which we all know is foundational to making cyberspace secure and safe for the world.”

Resiliency and takedowns

The first Counter Ransomware Initiative summit was focused on a shared understanding of the ransomware threat picture and figuring out ways to better collaborate, Neuberger explained.  US officials shared intelligence on ransomware attacks and the modus operandi for many gangs.

The Counter Ransomware Initiative now has several pillars of activity that are co-led by countries, typically one small country and another large one that can help each other build capacity.

Australia and other countries are focused on disruption efforts. Patrick Hallinan, Minister Counsellor of Home Affairs at the Australian Embassy, also appeared at the conference and said the country was leading the effort to provide frameworks for how ransomware groups can be targeted.

At a meeting in November, agencies launched the International Counter Ransomware Task Force led by Australia, which seeks to build on the work done by the US Department of Justice to disrupt ransomware operations worldwide.   The effort now includes Interpol, which asked to join, and one of their first actions was the takedown of the Hive ransomware group in January.  But major disruptions, Hallinan said, could be “better facilitated.” Australia is working with other countries to engage more with the private sector, which “more often than not are the first people to spot” attacks and are “generally best placed to remediate.”

Neuberger referenced this idea, lauding Microsoft for its actions against unlicensed copies of security tool Cobalt Strike that are used by many hackers in advance of ransomware attacks.  But she said the task force continues to mull questions around the effectiveness of law enforcement-led takedowns, naming recent operations around the cyberfraud platform Genesis Market.  “The group has questioned how long the disruptive impact of those operations lasts.  How do agencies extend how long it lasts?  How do they ensure the disruptions have foundational impact on the infrastructure, people and money laundering networks that make this possible and drive it?” she asked.

Several disruptions of mixing services and crypto exchanges have helped, but the group is still trying to figure out how to stop ransom payments from being made in crypto.

Other pillars of collaboration

Several other countries are working together on key pillars that will help the world’s governments address ransomware.  The United Arab Emirates and Israel have partnered on an information sharing initiative.  Nigeria and Germany co-lead the diplomacy panel, working to bring more countries into the fold, while Singapore and the United Kingdom address the illicit use of cryptocurrency networks for ransomware.

Neuberger said Nigeria has been key in bringing together the global south in addressing cybercrime, which has exploded across the African continent in recent years and is causing massive issues for governments that lack the capacity and resources to deal with the issue.  India and Lithuania, according to Neuberger, are working together on creating resilience plans that countries can use.  “Now, in this third year, we're focused on first expanding the tent, doing exercises.  India and Lithuania each conducted an exercise in their region, recognizing the differences in time zones, so that countries can learn from each other,” she explained. 

“How do you detect an attack? How do you rapidly respond? How do you communicate with your public, who may be concerned about critical services.  They were able to learn from each other and foundationally build the muscle of that global cyber coalition that we seek.”

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://therecord.media/counter-ransomware-initiative-expands-neuberger
