One week into the newly formed Ransomware Task Force initiative, the organization has proposed key actions to combat the ongoing and evolving threat.
The Ransomware Task Force Thursday published an 81-page report that presented five priority recommendations to governments to better respond to and prevent ransomware attacks. The task force, which was launched in December 2020, is a public-private partnership created by the Institute for Security and Technology (IST) and composed of infosec professionals from various vendors such as Microsoft, Palo Alto Networks and Rapid7. The IST group is distinct from the Department of Justice task force announced last week, though the two groups will work together.
A significant part of the recommended actions in the report involves disrupting the illicit economy around ransomware, which is typically financed through cryptocurrencies. Threat actors often demand ransom payments in different forms of cryptocurrency, from bitcoin to Monero, because they are difficult to trace. The report highlights the importance of disrupting that business model for cybercriminals by implementing tighter regulations and building more expertise around cryptocurrency tracking. Over 60 experts from industry, government, law enforcement, civil society and international organizations contributed to the recommendations in the report.
During a press conference Thursday to discuss the report, Department of Homeland Security Secretary Alejandro Mayorkas called ransomware a "threat to national security and something that we all need to prioritize and invest in -- from big healthcare facilities to small businesses." It is not the first time Mayorkas referred to ransomware as a national threat.
Mayorkas' comment also reiterated an important part of the report, which recommended raising the priority of ransomware within the U.S. intelligence community, designating it as a national security threat. Ransomware attacks have threatened critical infrastructure and pose risks to health and safety.
"These incidents not only cost the victims millions of dollars in recovery, but they have also led to delays in patient treatment, and possibly loss of life," the report said.
According to the report, the ransomware problem has steadily grown worse in recent years, and in 2020, nearly 2,400 U.S.-based governments, healthcare facilities and schools were victims of ransomware. The impacts of COVID-19 contributed to that increase as threat actors targeted those vulnerable sectors that could not afford the downtime of encrypted machines that occurs during a ransomware attack. Between the downtime and ransom demands, these attacks are only increasing in cost. According to the report, victims paid $350 million in 2020, a 311% increase over the prior year. Those profits were all paid in cryptocurrency.
"Multiple organizations have issued reports on the costs of ransomware, and while their exact figures vary, all consistently show a steady increase in the number of attacks -- and damaging economic impact," the report said.
Disrupting ransomware payments
Because the explosion of ransomware "as a lucrative criminal enterprise" is connected to the rise of bitcoin and other cryptocurrencies, the task force is focusing on ways to hinder cybercriminals' ability to hide funds. But cybercriminals have been using this method to evade law enforcement for years, and have only improved on it to gain further anonymity.
To begin to combat these far-reaching, consequential attacks, the report recommended that governments more closely regulate cryptocurrency organizations. "Governments should require cryptocurrency exchanges, crypto kiosks and over-the-counter (OTC) trading 'desks' to comply with existing laws, including Know Your Customer (KYC), Anti-Money Laundering (AML), and Combatting Financing of Terrorism (CFT) laws," the report said.
Increased regulation on exchanges and other cryptocurrency services could improve transparency into cybercriminals' financial activity and help forensic investigators and law enforcement trace ransom payments to threat actors.
In addition, the report recommended establishing a Cyber Response and Recovery Fund "to support ransomware response and other cybersecurity activities; mandate that organizations report ransom payments and require organizations to consider alternatives before making payments." The task force also recommended implementing mandatory disclosures of ransom payments and incentivizing information sharing between cryptocurrency services and law enforcement.
Ransom payments have continued to rise. According to the report, the average payment in 2020 exceeded $300,000, a 171% increase compared to 2019. A new report Monday by Coveware, one of the vendors that also contributed to the report, showed that number is only increasing in the first quarter of 2021.
Some infosec experts have argued that giving in to ransom demands will lead to more attacks. However, the Coveware report showed that payments may also be contributing to more effective attacks.
Because ransomware attacks are a global concern, the task force said governments and private-sector organizations around the world should collaborate on this effort, as well as all recommendations in the report. Overall, collaboration is an important theme in the report, which said there is a lack of reliable, representative data about ransomware's scope and scale.
"Further information about ongoing ransomware threats does not yet reach as much of the digital ecosystem as it should -- to include both across sectors of private industry or within responsible governmental departments and agencies," the report said.