Combatting Ransomware: An International Coalition Addresses the Scourge
By Behnam Dayanim, John Binkley, & Daniel Julian
The Institute for Security and Technology (“IST”) convened the Ransomware Task Force (“RTF”) — a broad coalition of over 60 stakeholders including volunteer experts from industry, government, law enforcement, civil society, cybersecurity insurers, and international organizations — to address the growing problem of ransomware. Their report, issued April 29, 2021, promotes a systemic, global approach to mitigating the growing threat of ransomware and offers a framework of recommendations on what industry and government can do to help address the global problem.
The key theme of the report and Framework is the designation of ransomware as a national security threat, linking the impacts of recent attacks to broader threats to critical national infrastructure and public health. Building on this elevated designation, the recommendations made throughout the Framework collectively support the creation of a more centralized and standardized approach to handling not only ransomware attacks individually, but also the environment that facilitates these criminal activities.
The Growing Problem
Ransomware is a sub-category of malware, a class of software designed to cause harm to a computer or computer network. The Cybersecurity and Infrastructure Security Agency (“CISA”) defines ransomware in its “Ransomware Guidance and Resources” materials as “an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”
Ransomware has grown as a problem for both public and private enterprises over the last several years, with 2020 and the impact of COVID-19 on operations accelerating the threat. In 2020, “nearly 2,400 U.S.-based governments, healthcare facilities, and schools were victims of ransomware,” according to the security firm Emsisoft. The impact of ransomware extends beyond the immediate threat and costs associated with potential ransom payments. The reported payments alone typically represent only a small part of the overall cost to a victim, as reported payments do not cover the costs associated with service, downtime, recovery, or reputational impact. In sum, the cost of remediating the full extent of a ransomware attack exceeds the ransom payment several times over. As indicated by the IST report, reducing the ransomware threat will require cooperation between the public and private sectors, as well as international coordination due to the “highly decentralized nature of cryptocurrency, dispersed nature of the criminal networks involved, the internet’s basic infrastructure, and the differing legal and regulatory regimes around the world.”
The Recommended Framework
The Framework consists of a total of 48 inter-related recommendations organized around four goals: (1) deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; (2) disrupt the ransomware business model and reduce criminal profits; (3) help organizations prepare for ransomware attacks; and (4) respond to ransomware attacks more effectively.
As indicated by the first goal, the Framework makes evident the need for a larger role for governments in coordinating a more comprehensive and structured public-private approach to managing the threat of ransomware. The following represent Paul Hastings’ understanding of the key recommendations from the Framework in advancing that cause:
- Developing and documenting a coordinated international approach to directing nation-states away from providing safe havens to ransomware criminals. Using either sticks or carrots, an international cohort is needed to project a unified front against any nation-states engaging in, or harboring those associated with, ransomware attacks.
- Establishing a formal interagency working group and task force within the United States government, as directed by the White House, to coordinate a unified approach to ransomware. An informal private-industry threat detection cooperative should complement this government-led effort.
- Mandating that all ransomware payments be reported, both in the US and abroad, to national authorities – including a requirement that victims, incident response firms, and cyber insurance companies all report the attack and any payments or findings. As a complement, where feasible, governments should consider developing a Cyber Response and Recovery Fund to support ransomware response and other cybersecurity activities for small and mid-size businesses.
- Establishing an international framework to help organizations prepare for, and respond to, ransomware attacks – this should be applicable across sectors and provide actionable and broadly adoptable criteria. This may be established in a similar manner to other internationally recognized frameworks (e.g., National Institute of Standards and Technology (“NIST”) or International Organization for Standardization (“ISO”) control frameworks).
- Establishing minimum requirements for cryptocurrency – in the US and abroad – that will require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading desks to comply with existing laws, including Know Your Customer (KYC), Anti-Money Laundering (AML), and Combatting Financing of Terrorism (CFT) laws.
The impacts of ransomware globally have become increasingly apparent, and the Framework provides a thoroughly considered and practicable approach to beginning to tackle the growing threat. Its publication comes at a time when other groups, both public and private, including the U.S. Department of Justice (“DOJ”), Europol and the U.K. National Crime Agency, have all advocated for changes in how governments and private industry confront ransomware. In advance of the publication of the Framework, the DOJ convened its own new Ransomware and Digital Extortion Task Force, consisting of officials from the agency’s National Security Division, Criminal Division, Civil Division, Executive Office of U.S. Attorneys and FBI. A primary initiative of the new DOJ task force is a 120-day review of the department’s approach to cyber threats with the intent of identifying new ways to reduce the volume and impact of ransomware and other attacks, as well as investigating the role of cryptocurrencies in facilitating the criminal ecosystem underlying cybercrimes. While it remains to be seen how the IST report and Framework recommendations will be received, it is clear that the need to address the global problem of ransomware has gained significant attention.