Since launch in April 2021, the Ransomware Task Force (RTF) unites key stakeholders across industry, government, and civil society to innovate new solutions, break down silos, and find effective new methods of countering the ransomware threat.
Ransomware is a prevalent and destructive type of cybercrime, with increasingly dangerous physical consequences. Hospitals, school districts, city governments, public infrastructure, and countless other organizations have found their networks and data held hostage by malicious actors seeking monetary gain. The RTF aims to equip businesses, organizations, and governments of all sizes to prepare for these attacks, effectively respond, and quickly recover.
The RTF hosted an online launch event on April 29th, 2021 with a powerhouse lineup of the experts that led the RTF process, and keynote remarks by the Honorable Alejandro N. Mayorkas, U.S. Secretary of Homeland Security.
On May 20 2022, the RTF hosted a one-year reflective, featuring keynote addresses by National Cyber Director Chris Inglis and Deputy Attorney General Lisa Monaco, fireside chat sessions with current and former CISA directors Jen Easterly and Chris Krebs; and showcase three focused panel discussions, positioning itself and its participating members for accelerated impact in 2022 and beyond. On May 5, 2023, the RTF hosted Gaining Ground: Two Years of Implementation and Impact, a day of reflections on the current status of the ransomware threat, the Ransomware Task Force’s efforts, and what’s to come.
The Ransomware Task Force Report
Combating Ransomware: A Comprehensive Framework for Action:
Key Recommendations from the Ransomware Task Force | April 2021
In April 2021, the Ransomware Task Force launched its seminal report, Combating Ransomware: A Comprehensive Framework for Action. The product of over 60 experts from industry, government, law enforcement, civil society, and international organizations, the report provided 48 specific recommendations and advocated for a unified, aggressive, comprehensive, public-private anti-ransomware campaign.
The Blueprint for Ransomware Defense
The Blueprint for Ransomware Defense
An Action Plan for Ransomware Mitigation, Response, and Recovery for Small- and Medium-sized Enterprises | August 2022
The Ransomware Task Force called for the cybersecurity community to “develop a clear, actionable framework for ransomware mitigation, response, and recovery.” The basis for this Blueprint for Ransomware Defense is the CIS Controls, a set of well-regarded and widely-used best practices that help enterprises focus their resources on the critical actions needed to defend against the most common cyber attacks. It includes a subset of these best practices, or “Safeguards,” that are most relevant to combating ransomware.
Mapping the Ransomware Payment Ecosystem
Mapping the Ransomware Payment Ecosystem:
A Comprehensive Visualization of the Process and Participants | November 2022
The Institute for Security and Technology’s Ransomware Task Force (RTF) is working to further illuminate the ransomware payment ecosystem as part of our efforts to improve the information environment and blunt the ability for criminal and other malign actors to profit from ransomware attacks, and thereby stop engaging in ransomware for profit.
Mapping the Ransomware Payment Ecosystem, released in Fall 2022, develops a common understanding of the actors, stakeholders, processes, and information, both required for and produced during the ransomware payment process. Mapping Threat Actor Behavior in the Ransomware Payment Ecosystem: A Mini-Pilot, released in May 2023, overlays actual threat actor behavior on the original ransomware payment ecosystem map. It seeks to identify which kinds of disruption could be the most effective and where to apply them in the payment process.
As part of our ongoing mission to counter the ransomware threat, the Ransomware Task Force continually reflects on its original recommendations and monitors policy changes across industry and government. We engage with these findings openly, and work with our members to be agile in our ongoing recommendations.
Cyber Incident Reporting Framework
A group led by Cyber Threat Alliance and the Institute for Security and Technology that includes CREST, CipherTrace, Coveware, Cybera, Cybercrime Support Network, Cyber Peace Institute, Open Cybersecurity Alliance, and SolarWinds came together to provide input regarding cyber incident reporting in November 2022. They developed a set of model reporting formats the Cybersecurity and Infrastructure Security Agency (CISA) could use as the foundation for the reporting forms. The report contains 3 sections:
- Purpose, Expectations, and Definitions
- Incident Reporting Fields
In March 2023, a group led by the Cyber Threat Alliance and the Institute for Security and Technology released the Cyber Incident Reporting Framework: Global Edition. The framework answers questions about what conditions should be in place to make a reporting mandate effective and harmonizes suggested definitions with existing global regulations.
Ongoing Lines of Effort
The work of the Ransomware Task Force continues to accelerate, with several discrete lines of effort continuing to build upon the findings of the RTF Report, synthesize the lessons learned and shared among our members and supporters, and adapt to the evolving ransomware threat itself. For 2022, the RTF continues work in the following areas:
- Cyber Insurance Roundtable Series
- Cryptocurrency Working Group
- Blueprint for Ransomware Defense Working Group
- Victim Notification Working Group
- International Engagement Working Group
Effectively combating ransomware requires the dedicated, prioritized attention of experts across industry and government. IST was honored to have the opportunity to convene and work with this groundbreaking coalition and interdisciplinary group of leaders on the Ransomware Task Force.
The RTF consists of over 60 members from software companies, government agencies, cybersecurity vendors, financial services companies, nonprofits, and academic institutions working together on a comprehensive framework of actionable solutions. Their work synthesized best practices across sectors, identified solutions in all steps of the ransomware kill chain, targeted gaps in solution application, and engaged stakeholders across industries to coalesce around a diverse set of ideas and solutions.
Ransomware Task Force Steering Committee
The Ransomware Task Force (RTF) Steering Committee consists of senior stakeholders and experts that approach the RTF from an objective, ecosystem-wide perspective to help drive outcomes and ensure the effectiveness of ongoing work. The Steering Committee provides high-level support, guidance, and oversight of RTF progress and ensures that lines of effort are impactful, efficient, and in line with existing work.
RTF Steering Committee Members
RTF Working Group Co-Chairs
The Ransomware Task Force Working Group Co-Chairs are leaders, experts, and conveners in the cybersecurity space. Focusing on distinct lines of effort, they have been an integral part of the RTF’s efforts since 2021 and continue to play a crucial role in Ransomware Task Force implementation and impact.
Members and Line of Effort Participants Are From
Amazon Web Services
Bank of America
Center for Internet Security
The CyberPeace Institute
Cyber Threat Alliance
Ernst & Young
Jefferson County, CO
National Governors Association
New York Department of Financial Services (NYDFS)
Palo Alto Networks
Royal Canadian Mounted Police’s National Cybercrime Coordination Unit (NC3)
The Shadowserver Foundation
University of Oxford Blavatnik School of Government
U.K. National Cyber Security Centre (NCSC)
U.K. National Crime Agency (NCA)
U.S. Cybersecurity and Infrastructure Security Agency (CISA)
U.S. Federal Bureau of Investigation (FBI)
U.S. Secret Service (USSS)
U.T. Austin Strauss Center
Announcements and Events
May 2023: Event – Gaining Ground: Two Years of Implementation and Action
May 2022: Event – Combating Ransomware: A Year of Action
April 2022: IST Joins Cyber Civil Defense Initiative
February 2022: RTF Announces New Funding
April 2021: Launch Press Release
December 2020: Inaugural Press Release
Emergency Cybersecurity and Ransomware Notice (March 12, 2021)