Ransomware Task Force (RTF)

Combating the Ransomware Threat with a Cross-Sector Approach

The Ransomware Task Force (RTF) is a multistakeholder effort with participation from across government, industry, and civil society. Together, the RTF aims to identify and advance recommendations to reduce the risk of ransomware. Days before the Colonial Pipeline attack in May 2021, the RTF published a cornerstone report offering 48 recommendations primarily directed at governments and industry to better combat ransomware.

Since the report’s release, the U.S. government and its partners have intensified disruption efforts, increased information sharing, and developed more comprehensive ransomware mitigation and recovery strategies. However, as of April 2024, our assessment is that 24 of our 48 recommendations have yet to see substantial progress. IST’s view is that the 48 original recommendations remain relevant and important to implement. These remaining 24 recommendations are more difficult to implement; in the United States, many would require legislative action.

The work of the Ransomware Task Force continues to accelerate, with several discrete lines of effort continuing to build upon the findings of the RTF Report, synthesize the lessons learned and shared among our members and supporters, and adapt to the evolving ransomware threat itself. For 2024, the RTF continues work in the following areas:

  • Payments Working Group
  • International Engagement Working Group
  • Cyber Insurance Roundtable Series
  • Blueprint for Ransomware Defense Working Group
  • Ransomware Incident Response Network (RIRN)
  • Victim Notification Working Group

Latest from the Ransomware Task Force

Strengthening Brazil’s Cybersecurity: The Brazil Ransomware Task Force
In September 2024, IST Senior Director for International Cyber Engagement Elizabeth Vish and Future for Digital Security Associate Gigi Flores Bustamante attended the first convening of Brazil’s Ransomware Task Force, co-organized by the Ministry of Foreign Affairs of Brazil, the Organization of American States, and IST. Gigi shared her reflections on the conference and launching the first international wing of the RTF.
November 2024 | Blog

2023 RTF Global Ransomware Incident Map: Attacks Increase by 73%, Big Game Hunting Appears to Surge
According to the Ransomware Task Force’s fourth Global Ransomware Incident Map, ransomware attacks increased 73% in 2023. Using Ecrime.ch data, the map analyzes incidents across 117 countries originating from 66 ransomware groups.
September 2024 | Blog

Prepare, Don’t Pay: A Quick-Start Guide to Defending Against Ransomware
Written for the small business owner, this quick-start guide breaks down important components of the Blueprint for Ransomware Defense and its underlying core technical concepts, critical Safeguards and defensive measures, and explains how you can make the Blueprint work for your small- or medium-sized enterprise.
August 2024 | Blog

Meet the Ransomware Task Force Steering Committee
The Ransomware Task Force Steering Committee, composed of 12 individuals from the technology, financial services, legal, and academic sectors, meets biannually to identify strategic opportunities for engagement, provide guidance to help shape the Task Force’s outcomes and timelines, and recruit additional expertise and supporters to the effort. Together, this important group ensures that the RTF remains on top of the latest ransomware trends. 
June 2024 | Blog

24 in ’24: Doubling Down on the Ransomware Task Force Recommendations | Third Ransomware Task Force Anniversary Event
On April 24, the RTF gathered 43 speakers from across the cybersecurity ecosystem, with 5 panels focused on deterrence, disruption, preparation, response, and payments, 2 fireside chats, and 4 keynote speakers.
April 2024 | Event

Doubling Down: April 2024 Progress Report
While the U.S. government and its partners made great strides in combating ransomware this year, attacks have only increased. Of the 48 recommendations made in the Ransomware Task Force Report, our assessment remains unchanged from a year ago: only 24 have seen significant progress. 
April 2024 | Progress Report

Information Sharing in the Ransomware Payment Ecosystem: Exploring the Delta Between Best Practices and Existing Mechanisms
How important is information sharing in the fight against ransomware? This report draws from a recent attack scenario exercise performed by the RTF Payments working group, comparing our results to 3 successful disruption operations to identify gaps in the formal federal information sharing mechanisms in the United States.
April 2024 | Report

Congressional Testimony: Held for Ransom: How Ransomware Endangers Our Financial System
On April 16, 2024, Chief Strategy Officer and Ransomware Task Force Executive Director Megan Stifel testified before the House Committee on Financial Services Subcommittee on National Security, Illicit Finance, and International Financial Institutions for a hearing entitled, “Held for Ransom: How Ransomware Endangers Our Financial System.”
April 2024 | Congressional Testimony

Roadmap to Potential Prohibition of Ransomware Payments
On April 10, 2024, as the debate on ransomware payment bans continues, Ransomware Task Force co-chairs released their Roadmap to Potential Prohibition of Ransomware Payments – 16 steps that could reduce the need for a ban or facilitate effective eventual imposition of a ban.
April 2024 | Memo

Ransomware Roundup: Popup Webinar
On Monday, April 15, adjunct advisors and members of the Ransomware Task Force Jen Ellis, Allan Liska, Jason Kikta, Marc Rogers, and Silas Cutler hosted a popup webinar on the latest in ransomware news.
April 2024 | Webinar

Public Private Partnerships to Combat Ransomware: An Inquiry Into Three Case Studies and Best Practices
This research report examines three existing public-private partnerships to combat ransomware: Europol’s European Cybercrime Centre (EC3), the United States Joint Cyber Defense Collaborative (JCDC), and the Institute for Security and Technology’s Ransomware Task Force (RTF). Through research and interviews with stakeholders, the report aims to determine the characteristics of collaboration that make the partnership model successful in mitigating ransomware, as well as identifying the various challenges each faces. IST conducted this research in collaboration with the Global Forum on Cyber Expertise (GFCE), with funding from the governments of the United States and Spain, and in support of the International Counter Ransomware Initiative.
March 2024 | Report

Key Ransomware Task Force Publications

Combating Ransomware: A Comprehensive Framework for Action
In April 2021, the Ransomware Task Force launched its seminal report, Combating Ransomware: A Comprehensive Framework for Action. The product of over 60 experts from industry, government, law enforcement, civil society, and international organizations, this report provides 48 specific recommendations and advocates for a unified, aggressive, comprehensive, public-private anti-ransomware campaign.
April 2021 | Report

Blueprint for Ransomware Defense: An Action Plan for Ransomware Mitigation, Response, and Recovery for Small- and Medium-Sized Enterprises
The Ransomware Task Force called for the cybersecurity community to “develop a clear, actionable framework for ransomware mitigation, response, and recovery.” The basis for this Blueprint for Ransomware Defense is the CIS Controls, a set of well-regarded and widely-used best practices that help enterprises focus their resources on the critical actions needed to defend against the most common cyber attacks. It includes a subset of these best practices, or “Safeguards,” that are most relevant to combating ransomware.
August 2022 | Report

Mapping the Ransomware Payment Ecosystem: A Comprehensive Visualization of the Process and Participants
Mapping the Ransomware Payment Ecosystem, released in Fall 2022, develops a common understanding of the actors, stakeholders, processes, and information, both required for and produced during the ransomware payment process.
November 2022 | Report

Mapping Threat Actor Behavior in the Ransomware Payment Ecosystem: A Mini-Pilot
This mini-pilot overlays actual threat actor behavior on the original ransomware payment ecosystem map. It seeks to identify which kinds of disruption could be the most effective and where to apply them in the payment process.
May 2023 | Report

Cyber Incident Reporting Framework
A group led by Cyber Threat Alliance and the Institute for Security and Technology that includes CREST, CipherTrace, Coveware, Cybera, Cybercrime Support Network, Cyber Peace Institute, Open Cybersecurity Alliance, and SolarWinds came together to provide input regarding cyber incident reporting. They developed a set of model reporting formats the Cybersecurity and Infrastructure Security Agency (CISA) could use as the foundation for the reporting forms.
November 2022 | Report

Cyber Incident Reporting Framework: Global Edition
A group led by the Cyber Threat Alliance and the Institute for Security and Technology released the Cyber Incident Reporting Framework: Global Edition. The framework answers questions about what conditions should be in place to make a reporting mandate effective and harmonizes suggested definitions with existing global regulations.
March 2023 | Report

Progress Reports
As part of our ongoing mission to counter the ransomware threat, the Ransomware Task Force continually reflects on its original recommendations and monitors policy changes across industry and government. We engage with these findings openly, and work with our members to be agile in our ongoing recommendations.
April 2022, April 2023, and April 2024 | Progress Reports

Ransomware Task Force Organization

Effectively combating ransomware requires the dedicated, prioritized attention of experts across industry and government. IST was honored to have the opportunity to convene and work with this groundbreaking coalition and interdisciplinary group of leaders on the Ransomware Task Force. 

The RTF consists of over 60 members from software companies, government agencies, cybersecurity vendors, financial services companies, nonprofits, and academic institutions working together on a comprehensive framework of actionable solutions. Their work synthesized best practices across sectors, identified solutions in all steps of the ransomware kill chain, targeted gaps in solution application, and engaged stakeholders across industries to coalesce around a diverse set of ideas and solutions.

The Ransomware Task Force (RTF) Steering Committee consists of senior stakeholders and experts that approach the RTF from an objective, ecosystem-wide perspective to help drive outcomes and ensure the effectiveness of ongoing work. The Steering Committee provides high-level support, guidance, and oversight of RTF progress and ensures that lines of effort are impactful, efficient, and in line with existing work. 

The Ransomware Task Force Co-Chairs are leaders, experts, and conveners in the cybersecurity space. Focusing on distinct lines of effort, they have been an integral part of the RTF’s efforts since 2021 and continue to play a crucial role in Ransomware Task Force implementation and impact.

The Institute for Security and Technology continues to lead the work of the Ransomware Task Force. Members of the IST Ransomware Task Force Team guide working groups, conduct research, and advance RTF lines of effort.

Ransomware Task Force Events

24 in ’24: Doubling Down on Ransomware Task Force Recommendations

April 24, 2024
The Ransomware Task Force’s annual convening returned this year for 24 in ‘24: Doubling Down on the Ransomware Task Force Recommendations. As of May 2023, 50% of the Ransomware Task Force’s original 48 recommendations have seen significant progress–but what about the other 24? On April 24, we zeroed in on those 24 and discussed how we might redouble our efforts.

Ransomware Task Force: Gaining Ground

May 5, 2023
Ransomware remains a dire threat to businesses, schools, hospitals, individuals, and nations alike. Two years after publishing its groundbreaking report with recommendations to combat the threat of ransomware, the Ransomware Task Force is more active and more prolific than ever, deepening engagement in lines of effort and finding new ways to tackle the problem. On May 5, 2023, we hosted a day of reflections on the current status of the ransomware threat, the Ransomware Task Force’s efforts, and what’s to come. 

Combating Ransomware: A Year of Action

May 22, 2022
Over the course of 2021, ransomware attacks continued to plague institutions of all sizes—but thanks in part to the timely and comprehensive recommendations of the Ransomware Task Force, governments were more engaged and organizations are more focused on equipping themselves with the tools and policies needed to counter this threat. As the RTF completed its first year of impact, we hosted a day of reflections, predictions, and connections on how we can continue to combat ransomware in 2022 and beyond.


Original RTF Members and Line of Effort Participants

a16z
Amazon Web Services
Aspen Digital
Aviation ISAC
Banco Santander
Bank of America
Blackbaud
BlueVoyant
Center for Internet Security
CFC Underwriting
Chainalysis
CipherTrace
Cisco
Citrix
Coveware
CrowdStrike
CyberPeace Foundation
The CyberPeace Institute
Cybereason
Cyber Threat Alliance
Cybera
CyberArk
Cybersecurity Coalition
Datto
Deloitte
Ernst & Young
FireEye
Jefferson County, CO
K12 SIX

McAfee
Microsoft
National Governors Association
New York Department of Financial Services (NYDFS)
Palo Alto Networks
Rapid7
Recorded Future
Red Canary
Redacted
Resilience
Royal Canadian Mounted Police’s National Cybercrime Coordination Unit (NC3)
SecurityScorecard
The Shadowserver Foundation
Stratigos Security
Team Cymru
Third Way
University of Oxford Blavatnik School of Government
U.K. National Cyber Security Centre (NCSC)
U.K. National Crime Agency (NCA)
U.S. Cybersecurity and Infrastructure Security Agency (CISA)
U.S. Federal Bureau of Investigation (FBI)
U.S. Secret Service (USSS)
U.T. Austin Strauss Center