In September, the Institute for Security and Technology (IST) attended the 2024 International Counter Ransomware Initiative (CRI), the fourth annual gathering of over 70 member states and entities, including the European Union, the Organization for American States, and INTERPOL, to bolster collective resilience to ransomware. IST was honored to participate in the CRI Summit as a member of the newly-launched Public-Private Sector Advisory Panel, to convene a panel discussion for member states on information sharing in the ransomware payment ecosystem, and to co-host with the Center for Cybersecurity Policy and Law a day of industry dialogue on the sidelines.
Ransomware attacks show no sign of slowing down, according to the Ransomware Task Force (RTF)’s 2023 Global Ransomware Incident Map, published last month. In fact, according to data leak site source ecrime.ch, 2023 saw a 73% year-over-year increase in attacks. What does this increase mean for 2024 and beyond? And what should private and public sector stakeholders be doing to tackle the threat?
As the inaugural Ransomware Task Force report emphasized, globally-coordinated efforts to deter ransomware attacks, disrupt the ransomware business model, help organizations prepare, and respond to attacks more effectively are crucial. The CRI is one such initiative to coordinate these efforts on a global scale.
Director of Strategic Communications Sophia Mauro sat down with Ransomware Task Force colleagues Future of Digital Security Associate Trevaughn Smith, Deputy Director for Digital Security Taylor Grossman, Senior Director for International Cyber Engagement Elizabeth Vish, and Chief Strategy Officer and RTF Executive Director Megan Stifel to learn more.
Read the full interview in the October edition of IST’s newsletter, The TechnologIST.
Q: As one of the co-authors of the Ransomware Task Force’s global incident map, can you set the stage for me? What is the state of the ransomware threat, how has the ecosystem changed since 2022, and what are the main trends you’re seeing?
Tre: “In 2022, several international incidents, such as Russia’s invasion of Ukraine, likely led to a decrease in ransomware activity. But that dip is officially over. Looking at the 2023 data we analyzed from ecrime.ch, we observed 6,670 ransomware incidents in 117 countries. Some ransomware gangs, like 8Base, rely on typical phishing and business email compromise strategies to launch ransomware attacks. Others, like CL0P, use zero-day vulnerabilities that carry high risk yet offer high reward, as demonstrated by their devastating MOVEit hack in 2023, which compromised dozens of businesses and exposed the sensitive data of millions of people.”
Q: As a co-author of the 2023 global incident map, what do you think we should be looking for in 2024 and beyond? Have government actions – disruption efforts, response capabilities, preparation resources – made an impact?
Taylor: “For 2024, we’re very interested in looking at the effects of major multilateral disruptions, such as the Operation Cronos targeting of LockBit. Although LockBit was the most consistent and stable of any group we tracked from 2023, Operation Cronos appears to have had some impact on the group’s ability to act and on its broader credibility within the RaaS community. The efficacy of law enforcement takedowns is a major point of debate among ransomware researchers; it will be important to see the full data from this year to track the effects of this particular operation.
We also continue to support ransomware prevention methods, such as adoption of the Blueprint for Ransomware Defense, which we developed together with the Center for Internet Security based on their Critical Security Controls. Ultimately, I think that efforts to implement secure by design architecture will be among the most robust long-term solutions to combating ransomware.”
Q: IST has participated in the International Counter Ransomware Initiative for three years now, providing research, analysis, and support to CRI members. Can you tell me about the CRI’s progress over the last three years?
Elizabeth: “During the three years that IST has participated, there have been dialogues between members on challenges like cyber incident reporting and reducing the laundering of ransomware payments in and out of cryptocurrencies. However, there has been less progress in facilitating collaboration between private industry and the CRI members (though of course many members have direct collaboration). Under the CRI and in partnership with the Global Forum on Cyber Expertise and with the support of the Spanish and U.S. governments, IST conducted research into effective public-private partnerships to combat ransomware and we are really pleased that the findings of that research have been incorporated into the Initiative’s efforts to engage industry and civil society moving forward.”
Q: At this year’s CRI gathering, IST was announced as a member of the newly-launched Public-Private Sector Advisory Panel, led by Canada. What does this Advisory Panel seek to accomplish? And how will IST and the Ransomware Task Force play a role?
Elizabeth: “Many RTF members have indicated a desire to contribute to the CRI’s efforts—a real ‘put me in, coach’ attitude! The Public-Private Sector Advisory Panel, convened by Canada with support from other CRI members, brings together six private entities to provide advice, guidance, and recommendations to CRI members. We are hoping that this is a start that will continue to grow and expand after this initial year one group.”
Q: Tell me more about the joint IST-CCPL event on the sidelines of the CRI to spotlight the crucial role of industry. What were some of your key takeaways?
Megan: “Outside the limited-participation CRI plenary sessions that select industry partners were invited to join, this was the first substantive opportunity for the two communities to engage under the CRI tent. The ‘put me in, coach’ theme Elizabeth noted was quite evident at the Thursday event and participants expressed an interest in additional areas for conversation and collaboration. As conveners of the RTF and a critical action think tank, we want those engagements to be as action-oriented as possible. So we are actively exploring ways to bring together CRI member countries and industry partners, including through table top exercises and country- and region-specific RTF studies.
Q: Now that the four-day meeting has come to an end, member states will work to advance the policies and commitments made during the ICRI. How should industry be involved in advancing these commitments?
Megan: “Since the first CRI we joined in the fall of 2022, we have been adamant that industry is a critical partner to the CRI in achieving its objectives. Industry should leverage the Public-Private Sector Advisory Panel and its members to share their perspectives on how ransomware is evolving and areas in which industry may have the upper hand in thwarting ransomware actors’ criminal activities. Information sharing with and among industry is still a nascent issue for many CRI members; industry has a great opportunity to shine the spotlight on how partnering with them is a win-win for CRI members and their citizens.”