Ransomware Task Force: Doubling Down
Ransomware Task Force
SUMMARY
In April 2021, the Ransomware Task Force (RTF) published Combating Ransomware: A Comprehensive Framework for Action (“the Report”), which outlined 48 recommendations for industry, government, and civil society to undertake in order to deter and disrupt the ransomware ecosystem, and to help entities prepare for and respond to attacks at scale. In the three years since its publication, we have continued to see governments and the private sector step up commitments to addressing this threat. However, ransomware remains a major national security threat based on its cost to the economy and impact on critical services availability. The rate and scale of attacks is not diminishing and may be growing. For the first time ever, Chainalysis reported that ransomware payments had surpassed $1 billion in 2023.
Since our May 2023 progress report, the U.S. government and its partners have intensified disruption efforts, increased information sharing, and developed more comprehensive ransomware mitigation and recovery strategies. However, of the 48 recommendations made in the Report, our assessment remains unchanged: only 24 have seen significant progress since the Report’s release in 2021.
IST’s view is that the 48 original recommendations remain relevant and important to implement to reduce the threat that ransomware poses to the United States and the global digital ecosystem. Given this assessment, this progress report focuses on the 24 recommendations that have seen little to no action since 2021, identifying how governments and industry can achieve substantial results by doubling down on these key Report recommendations.
As noted in previous progress reports, these 24 recommendations are more difficult to implement; in the United States, many would require legislative action. While governments deserve praise for the mechanisms they have put in place, our assessment is that the United States is not using them to their full extent. First, the United States and other governments have not yet allocated sufficient resources to these existing mechanisms. Second, governments have not taken all necessary further actions to combat ransomware. The Ransomware Task Force remains committed to engaging with the United States and like-minded governments, industry partners, and civil society to raise awareness and advocate for effective solutions to mitigate the dangers of ransomware.
This progress report identifies areas in need of sustained action, as well as areas in need of new or heightened progress, ultimately aiming to double down on the Ransomware Task Force recommendations.
A number of areas have seen sustained action by governments, but they must capitalize on the opportunities they already have in place in order to make substantive progress, including through leveraging existing legislation and allocating additional resources to combat the ransomware threat.
- Harmonizing Incident Reporting Mechanisms: Much headway has been made to improve incident reporting structures. The United States and other partner countries still need to capitalize on current opportunities for streamlining incident reporting in order to lessen the burden on victims and increase the efficacy of response activity.
- Expanding International Collaboration: Global collaboration continues to grow, despite significant outlier governments that are unwilling to take action against ransomware actors operating from their territory. Governments should continue to work together to share information and step up deterrence and disruption efforts.
- Reining in Ransom Payments: As debates around payment bans continue, governments need to take concrete steps to make ransomware less profitable for bad actors and less devastating for victims.
Meanwhile, in other areas that have seen little to no action, governments, civil society, and industry need to initiate new or redoubled efforts.
- Disrupting Ransomware At Scale: Coordinated law enforcement and private sector interventions are successfully disrupting ransomware operations, but need to be performed at scale for effective, long-term impact.
- Fostering Public-Private Partnerships: Governments cannot go it alone, and need to lean on industry and other partners to foster a more resilient ecosystem.
- Bolstering Resilience and Building Awareness: Organizations that follow best practice cybersecurity guidance provided by NIST, CISA, and related organizations (both in the United States and in other jurisdictions) have been able to dramatically increase their business resilience. Governments need to increase whole-of-nation awareness of these best practices and continue to make these resources easily accessible.
- Committing Financial Resources for Preparation and Response: The United States and like-minded countries need to further invest in supportive measures for critical infrastructure and SMEs to prepare for attacks and respond effectively.
Before detailing our findings below, we want to note that as far as possible, the RTF tracks government responses to ransomware around the world. To date, the U.S. government has typically been among the most transparent and communicative about steps being considered or taken to combat ransomware. This is partly cultural, but may also reflect that, according to reporting data, the United States is still the most attacked nation, and its economy experiences the greatest losses. As such, while we have attempted to incorporate geographically varied and relevant data and examples in our reporting, our primary focus is on the actions and impacts of the U.S. government and in the United States.
download pdf