Ransomware Task Force (RTF)

Combating the Ransomware Threat with a Cross-Sector Approach

Since launch in April 2021, the Ransomware Task Force (RTF) unites key stakeholders across industry, government, and civil society to innovate new solutions, break down silos, and find effective new methods of countering the ransomware threat.

Ransomware is a prevalent and destructive type of cybercrime, with increasingly dangerous physical consequences. Hospitals, school districts, city governments, public infrastructure, and countless other organizations have found their networks and data held hostage by malicious actors seeking monetary gain. The RTF aims to equip businesses, organizations, and governments of all sizes to prepare for these attacks, effectively respond, and quickly recover.

The RTF hosted an online launch event on April 29th, 2021 with a powerhouse lineup of the experts that led the RTF process, and keynote remarks by the Honorable Alejandro N. Mayorkas, U.S. Secretary of Homeland Security. On May 20 2022, the RTF hosted a one-year reflective, featuring keynote addresses by National Cyber Director Chris Inglis and Deputy Attorney General Lisa Monaco, fireside chat sessions with current and former CISA directors Jen Easterly and Chris Krebs; and showcase three focused panel discussions, positioning itself and its participating members for accelerated impact in 2022 and beyond. On May 5, 2023, the RTF hosted Gaining Ground: Two Years of Implementation and Impact, a day of reflections on the current status of the ransomware threat, the Ransomware Task Force’s efforts, and what’s to come. On April 24, 2024, the RTF will host 24 in ’24: Doubling Down on the Ransomware Task Force Recommendations, its third anniversary event that aims to zero in on the 24 recommendations that have not seen significant progress.

The Ransomware Task Force Report

Combating Ransomware: A Comprehensive Framework for Action:
Key Recommendations from the Ransomware Task Force | April 2021

In April 2021, the Ransomware Task Force launched its seminal report, Combating Ransomware: A Comprehensive Framework for Action. The product of over 60 experts from industry, government, law enforcement, civil society, and international organizations, the report provided 48 specific recommendations and advocated for a unified, aggressive, comprehensive, public-private anti-ransomware campaign.

The Blueprint for Ransomware Defense

The Blueprint for Ransomware Defense
An Action Plan for Ransomware Mitigation, Response, and Recovery for Small- and Medium-sized Enterprises | August 2022

The Ransomware Task Force called for the cybersecurity community to “develop a clear, actionable framework for ransomware mitigation, response, and recovery.” The basis for this Blueprint for Ransomware Defense is the CIS Controls, a set of well-regarded and widely-used best practices that help enterprises focus their resources on the critical actions needed to defend against the most common cyber attacks. It includes a subset of these best practices, or “Safeguards,” that are most relevant to combating ransomware.

Roadmap to Potential Prohibition of Ransomware Payments

April 2024

“We, the RTF Co-Chairs, have developed steps that governments and the private sector could take together to reduce the need for a prohibition on ransomware payments, or alternatively could provide a roadmap to facilitate an eventual imposition of a prohibition of ransomware payments.”

This memo from the Ransomware Task Force Co-Chairs outlines 16 proposed milestones along 4 lines of effort, primarily based on recommendations first outlined in the Ransomware Task Force report.

Public-Private Partnerships to Combat Ransomware

An Inquiry into Three Case Studies and Best Practices | March 2024

This research report examines three existing public-private partnerships to combat ransomware: Europol’s European Cybercrime Centre (EC3), the United States Joint Cyber Defense Collaborative (JCDC), and the Institute for Security and Technology’s Ransomware Task Force (RTF). Through research and interviews with stakeholders, the report aims to determine the characteristics of collaboration that make the partnership model successful in mitigating ransomware, as well as identifying the various challenges each faces.

IST conducted this research in collaboration with the Global Forum on Cyber Expertise (GFCE), with funding from the governments of the United States and Spain, and in support of the International Counter Ransomware Initiative.

Mapping the Ransomware Payment Ecosystem

Mapping the Ransomware Payment Ecosystem:
A Comprehensive Visualization of the Process and Participants | November 2022

The Institute for Security and Technology’s Ransomware Task Force (RTF) is working to further illuminate the ransomware payment ecosystem as part of our efforts to improve the information environment and blunt the ability for criminal and other malign actors to profit from ransomware attacks, and thereby stop engaging in ransomware for profit.

Mapping the Ransomware Payment Ecosystem, released in Fall 2022, develops a common understanding of the actors, stakeholders, processes, and information, both required for and produced during the ransomware payment process. Mapping Threat Actor Behavior in the Ransomware Payment Ecosystem: A Mini-Pilot, released in May 2023, overlays actual threat actor behavior on the original ransomware payment ecosystem map. It seeks to identify which kinds of disruption could be the most effective and where to apply them in the payment process.

Progress Reports

As part of our ongoing mission to counter the ransomware threat, the Ransomware Task Force continually reflects on its original recommendations and monitors policy changes across industry and government. We engage with these findings openly, and work with our members to be agile in our ongoing recommendations.

Cyber Incident Reporting Framework

A group led by Cyber Threat Alliance and the Institute for Security and Technology that includes CREST, CipherTrace, Coveware, Cybera, Cybercrime Support Network, Cyber Peace Institute, Open Cybersecurity Alliance, and SolarWinds came together to provide input regarding cyber incident reporting in November 2022. They developed a set of model reporting formats the Cybersecurity and Infrastructure Security Agency (CISA) could use as the foundation for the reporting forms. The report contains 3 sections:

  1. Purpose, Expectations, and Definitions
  2. Principles
  3. Incident Reporting Fields

In March 2023, a group led by the Cyber Threat Alliance and the Institute for Security and Technology released the Cyber Incident Reporting Framework: Global Edition. The framework answers questions about what conditions should be in place to make a reporting mandate effective and harmonizes suggested definitions with existing global regulations.

Ongoing Lines of Effort

The work of the Ransomware Task Force continues to accelerate, with several discrete lines of effort continuing to build upon the findings of the RTF Report, synthesize the lessons learned and shared among our members and supporters, and adapt to the evolving ransomware threat itself. For 2022, the RTF continues work in the following areas:

  • Cyber Insurance Roundtable Series
  • Cryptocurrency Working Group
  • Blueprint for Ransomware Defense Working Group
  • Victim Notification Working Group
  • International Engagement Working Group

RTF Organization

Effectively combating ransomware requires the dedicated, prioritized attention of experts across industry and government. IST was honored to have the opportunity to convene and work with this groundbreaking coalition and interdisciplinary group of leaders on the Ransomware Task Force. 

The RTF consists of over 60 members from software companies, government agencies, cybersecurity vendors, financial services companies, nonprofits, and academic institutions working together on a comprehensive framework of actionable solutions. Their work synthesized best practices across sectors, identified solutions in all steps of the ransomware kill chain, targeted gaps in solution application, and engaged stakeholders across industries to coalesce around a diverse set of ideas and solutions.

Ransomware Task Force Steering Committee

The Ransomware Task Force (RTF) Steering Committee consists of senior stakeholders and experts that approach the RTF from an objective, ecosystem-wide perspective to help drive outcomes and ensure the effectiveness of ongoing work. The Steering Committee provides high-level support, guidance, and oversight of RTF progress and ensures that lines of effort are impactful, efficient, and in line with existing work. 

RTF Steering Committee Members

RTF Working Group Co-Chairs

The Ransomware Task Force Working Group Co-Chairs are leaders, experts, and conveners in the cybersecurity space. Focusing on distinct lines of effort, they have been an integral part of the RTF’s efforts since 2021 and continue to play a crucial role in Ransomware Task Force implementation and impact.

Members and Line of Effort Participants Are From

Amazon Web Services
Aspen Digital
Aviation ISAC
Banco Santander
Bank of America
Center for Internet Security
CFC Underwriting
CyberPeace Foundation
The CyberPeace Institute
Cyber Threat Alliance
Cybersecurity Coalition
Ernst & Young
Jefferson County, CO

National Governors Association
New York Department of Financial Services (NYDFS)
Palo Alto Networks
Recorded Future
Red Canary
Royal Canadian Mounted Police’s National Cybercrime Coordination Unit (NC3)
The Shadowserver Foundation
Stratigos Security
Team Cymru
Third Way
University of Oxford Blavatnik School of Government
U.K. National Cyber Security Centre (NCSC)
U.K. National Crime Agency (NCA)
U.S. Cybersecurity and Infrastructure Security Agency (CISA)
U.S. Federal Bureau of Investigation (FBI)
U.S. Secret Service (USSS)
U.T. Austin Strauss Center

Announcements and Events

April 2024: Event – 24 in 24: Doubling Down on the Ransomware Task Force Recommendations

May 2023: Event – Gaining Ground: Two Years of Implementation and Action

May 2022: Event – Combating Ransomware: A Year of Action

April 2022: IST Joins Cyber Civil Defense Initiative

February 2022: RTF Announces New Funding

April 2021: Launch Press Release

December 2020: Inaugural Press Release