Released in April 2021, the Ransomware Task Force (RTF) report, Combating Ransomware, is a cornerstone document that provides actionable recommendations for tackling cybercrime across four phases: Deter, Detect, Prepare, and Respond. With participation across government, industry, and civil society, RTF outputs have informed U.S. and international policymaking and have served as a blueprint for private sector actors aiming to protect themselves from transnational criminal organizations.
As we mark the fifth anniversary of the release of the RTF report and its 48 recommendations, IST’s cyber experts took time to reflect on each of the 4 phases, note where they’ve seen improvements since 2021, and track where progress has slowed–or even taken a step back.
Reflections from the IST Team
Pillar #1: Deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy
Q: What has changed in the ransomware policy ecosystem around the Deter pillar?
“We have seen growing recognition of ransomware as a national security challenge, driven in part by high-impact attacks on critical infrastructure. This has contributed to increased attention and a greater emphasis on coordinated, cross-border approaches, alongside emerging national-level efforts that signal ransomware as a policy priority. For example, the UK held consultations in 2025 on reducing ransomware payments and increasing incident reporting, and Australia has introduced measures requiring the reporting of ransomware and cyber extortion payments.”
Q: Where has IST’s work had a direct impact in the last 5 years?
“In the April 2021 report, IST put forward a recommendation to establish an international coalition to combat ransomware. Soon after, the international Counter Ransomware Initiative (CRI) was launched, reflecting growing alignment around the need for multilateral action. Over the past five years, IST has contributed to this effort—serving as an inaugural member of the CRI’s Private Sector Advisory Panel, publishing research on public-private partnerships, and convening a tabletop exercise focused on incident response and collaboration that brought together CRI member states and industry stakeholders from across multiple regions.”
Q: What is one action item from Combating Ransomware you want to see addressed further?
“One action item that warrants further attention is reducing safe havens for ransomware actors. There are two kinds of safe havens: safe havens where governments have the desire to combat crime but limited capacity; and places where governments choose to tolerate these criminals. Addressing these safe havens will require sustained investment in capacity-building, alongside well-articulated incentives for global cooperation and an effort to impose consequences on those governments who turn a blind eye to malicious actors.”
– Gigi Flores Bustamante
Pillar #2: Disrupt the ransomware business model and decrease criminal profits
Q: What has changed in the ransomware policy ecosystem around the Disrupt pillar?
“We’ve seen law enforcement from jurisdictions across the globe take an ecosystem approach to ransomware crime, collaborating actively between countries and continents and tackling these gangs in a systematic way. Efforts like Operation Cronos and Operation Checkmate show that when governments work together, they can have an impact on the gangs that make this crime happen.”
Q: Where has IST’s work had a direct impact in the last 5 years?
“Thanks to incredible partnership with Europol, the Royal Canadian Mounted Police, and law enforcement and private sector folks from multiple jurisdictions, we’ve convened two law enforcement focused table top exercises in collaboration with Europol that have dug into the roadblocks to effective collaboration between industry and law enforcement.”
Q: What is one action item from Combating Ransomware you want to see addressed further?
“While many governments have made significant progress in addressing the money laundering that fuels ransomware crimes, failures to apply anti-money laundering and know your customer regulations to cryptocurrencies has continued to make ransomware profitable for criminals. I’d love to see all countries fully compliant with the guidance on virtual assets from the Financial Action Task Force. As FATF staff noted in their 2025 update on implementation, ‘regulatory failures in one jurisdiction can have global consequences.'”
– Elizabeth Vish
Pillars #3 & 4: Help organizations prepare for ransomware attacks and Respond to ransomware attacks more effectively
Q: What has changed in the ransomware policy ecosystem around the Prepare and Respond pillars?
“In the United States, the number of victims paying a ransom demand has fallen to a new low of about 25%, according to Coveware. That’s a notable decrease from 2021. Improved hygiene measures, including viable backups, are among the reasons cited for this decline. While in the near term this is a positive development, we remain cognizant that attackers adapt to our strategies. They are already leveraging artificial intelligence to analyze their victims’ data, which makes their payment demands harder to reject.”
Q: Where has IST’s work had a direct impact in the last 5 years?
“The RTF influenced legislation in the United States and around the world. With respect to the Prepare and Respond pillars, the 2021 Bipartisan Infrastructure Law established the State and Local Cybersecurity Grant Program (SLCGP) and the Cyber Response and Recovery Fund, which are consistent with the RTF recommendation to make resources available especially to local governments to help organizations prepare for and recover from ransomware incidents. In addition, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) aligned with the RTF recommendation to require reporting of ransomware payments.”
Q: What is one action item from Combating Ransomware you want to see addressed further?
“CIRCIA and the SLCGP have the potential to improve responses to ransomware—helping authorities follow the money, improve overall information about the state of ransomware, and support organizations in their preparation and recovery—but the use of these authorities remains stalled. We’d like to see the administration finalize the CIRCIA rulemaking and Congressional appropriators fund the SLCGP.”
– Megan Stifel
