RTF Report: Combating Ransomware

A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force


Ransomware is no longer just a financial crime; it is an urgent national security risk that threatens schools, hospitals, businesses, and governments across the globe.

This is not a problem that any one entity can solve. Over 60 experts from industry, government, law enforcement, civil society, and international organizations worked together to produce this comprehensive framework, which breaks down siloed approaches and advocates for a unified, aggressive, comprehensive, public-private anti-ransomware campaign. These recommendations are informed by a deep bench of experts and are immediately actionable, together forming a framework to reduce this criminal enterprise.

It will take nothing less than our total collective effort to mitigate the ransomware scourge. Read the report now to learn our path forward.

Updated 2021-09-23. On page 56, “Vineet Kumar, CyberPeace Foundation” has been added.
Updated 2021-04-30. On page 45, “Global Resilience Institute” has been corrected to “Global Resilience Federation.”

We felt an urgent need to bring together world-class experts across all relevant sectors to create a ransomware framework that government and industry can pursue, and ensure the continued faith of the general public in its institutions.

Philip Reiner, IST CEO and Executive Director of the RTF

THANK YOU: This report is the result of an immense collective effort by the RTF Members, and we at IST are proud to have convened such an incredible group of experts. We sincerely thank the RTF members, who volunteered immense time and care to this effort, whose lively discussions and deep expertise led to these recommendations, and who dedicate themselves each day towards making the ransomware problem better.

Priority Recommendations

The RTF report includes 48 recommendations that together form a comprehensive framework to address ransomware. Among those, these priority recommendations are the most foundational and urgent, and many of the other recommendations were developed to facilitate or strengthen these core actions.

  1. Coordinated, international diplomatic and law enforcement efforts must proactively prioritize ransomware through a comprehensive, resourced strategy, including using a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals.

  2. The United States should lead by example and execute a sustained, aggressive, whole-of-government, intelligence-driven anti-ransomware campaign, coordinated by the White House. This must include the establishment of 1) an Interagency Working Group led by the National Security Council in coordination with the nascent National Cyber Director; 2) an internal U.S. Government Joint Ransomware Task Force; and 3) a collaborative, private industry-led informal Ransomware Threat Focus Hub.

  3. Governments should establish Cyber Response and Recovery Funds to support ransomware response and other cybersecurity activities; mandate that organizations report ransom payments; and require organizations to consider alternatives before making payments.

  4. An internationally coordinated effort should develop a clear, accessible, and broadly adopted framework to help organizations prepare for, and respond to, ransomware attacks. In some under-resourced and more critical sectors, incentives (such as fine relief and funding) or regulation may be required to drive adoption.

  5. The cryptocurrency sector that enables ransomware crime should be more closely regulated. Governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading “desks” to comply with existing laws, including Know Your Customer (KYC), Anti-Money Laundering (AML), and Combating the Financing of Terrorism (CFT) laws.

The Ransomware Task Force Framework

This strategic framework aims to help policymakers and industry leaders take system-level action — through potential legislation, funding new programs, or launching new industry-level collaborations — that will help the international community build resistance, disrupt the ransomware business model, and develop resilience to the ransomware threat.

The framework is organized around four goals: deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; disrupt the ransomware business model and reduce criminal profits; help organizations prepare for ransomware attacks; and respond to ransomware attacks more effectively.

These goals are interlocking and mutually reinforcing. For example, actions to disrupt the ransomware payments system will decrease the profitability of ransomware, thereby helping to deter other actors from engaging in this crime. Thus, this framework should be considered as a whole, not merely a laundry list of disparate actions.

Goal #1: Deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy

The number of actors capable of conducting ransomware attacks is large and growing, and to curb the growth of this threat in the long-term, steps must be taken to systemically discourage ransomware attacks. This deterrence must be multilayered and rely on all instruments of national power. 

We propose a coordinated, effectively messaged, relentlessly executed deterrence campaign directed from the senior-most levels of the U.S. Government in real-time collaboration with international partners. The recommendations in this section are directly supplemented by the disruption activities recommended in Goal #2, as deterrence and disruption efforts go hand-in-hand.

This section includes recommendations like:

  • Signal internationally that ransomware is an enforcement priority
  • Collaborate globally on operational ransomware takedowns
  • Establish an operationally focused U.S. government Joint Ransomware Task Force (JRTF) and a private sector Ransomware Threat Focus Hub (RTFH)
  • Raise the priority of ransomware within the intelligence community, and designate it as a national security threat
  • Exert pressure on nation-states that act as “safe havens” for ransomware activity

See page 21 of the full report for more details.

Goal #2: Disrupt the ransomware business model and decrease criminal profits

Ransomware is overwhelmingly a financially motivated crime, and as long as the profits outweigh the risks, attacks will continue. To effectively disrupt this threat, government and industry stakeholders must work collaboratively across borders to reduce the profitability of this criminal enterprise and increase the risk to those who carry out ransomware attacks. Governments can take diverse actions to:

  1. Disrupt payment systems to make ransomware attacks less profitable;
  2. Disrupt the infrastructure used to facilitate attacks; and
  3. Disrupt ransomware actors themselves, through criminal prosecution and other tactics.

This must all be done while minimizing harm to the victims of ransomware and not interfering with their ability to recover their systems.

This section includes recommendations like:

  • Require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading “desks” to comply with existing law
  • Improve information sharing of ransomware indicators from victims, information sharing between cryptocurrency entities and law enforcement, and sharing of ransomware intelligence by the government
  • Establish an insurance-sector consortium to share ransomware loss data and accelerate best practices
  • Clarify lawful defensive measures that private-sector actors can take when countering ransomware
  • Apply strategies for combating organized crime syndicates to counter ransomware developers, criminal affiliates, and payment distribution infrastructure

See page 28 of the full report for more details.

Goal #3: Help organizations prepare for ransomware attacks

Any organization can fall victim to ransomware, creating catastrophic disruption for the organization and those it serves. Yet despite extensive press coverage and content on this topic, the threat is poorly understood by many public- and private-sector leaders, and the majority of organizations lack an appropriate level of preparedness to defend against these attacks. Even firms that have invested in cybersecurity broadly may be unaware of how to prepare for, and defend specifically against, ransomware attacks, and information available is in many cases oversimplified or excessively complicated.

The challenge is to increase awareness and build defenses that will be effective both at scale and over time as the threat evolves. To do this, governments and industry leaders need to better connect with key audiences, including both the organizational leaders who need to understand that ransomware is a real and relevant threat to their organization, and also the individuals in operational roles (such as IT and security professionals) who need guidance on how to prioritize mitigation efforts given limited resources. Support should be customized based on each organization’s current situation, including to what extent it is already appropriately informed and whether it has appropriately invested in time and resources.

This section includes recommendations like:

  • Develop a clear, actionable framework for ransomware mitigation, response, and recovery
  • Run nationwide, government-backed awareness campaigns and tabletop exercises
  • Update cyber-hygiene regulations and standards
  • Require local governments and managed service providers (MSPs) to adopt limited baseline security measures
  • Highlight ransomware as a priority in existing funding provisions
  • Offer state, local, tribal, and territorial (SLTT) governments and critical NGOs conditional access to grant funding for compliance with the Ransomware Framework
  • Alleviate fines for critical infrastructure entities that align with the Ransomware Framework

See page 35 of the full report for more details.

Goal #4: Respond to ransomware attacks more effectively

For victim organizations, a ransomware attack can be a stressful, potentially existential event. Crucial decisions about how to respond — including whether to pay the ransom — must be made under intense pressure. Facing the potential threat of losing their data permanently, organizations may make hurried decisions, particularly if they lack understanding about the ramifications of paying a ransom or the full range of alternatives open to them.

To improve organizations’ ability to respond to ransomware attacks, government and industry leaders should increase the resources and information available to ransomware victims. At the same time, governments should require organizations to take certain actions before paying a ransom, including reporting the payment to the government. Ultimately, increased support for ransomware victims, including improved awareness of legal requirements prior to payment, will decrease the number of organizations that feel compelled or trapped into paying ransoms.

This section includes recommendations like:

  • Create ransomware emergency response authorities
  • Create a Ransomware Response Fund to support victims in refusing to make ransomware payments, and increase government support for the private sector
  • Clarify United States Treasury guidance regarding ransomware payments
  • Improve incident reporting by creating a Ransomware Incident Response Network (RIRN) and a standard reporting format, and by encouraging organizations to report incidents
  • Require organizations and incident response entities to share ransomware payment information with a national government prior to payment
  • Require organizations to take steps before paying a ransom, including reviewing alternatives and doing a cost-benefit analysis

See page 42 of the full report for more details.