Forty-eight governments pledge not to pay ransomware gangs

Forty-eight countries, including Canada and the U.S., have agreed their governments shouldn’t give in to ransomware demands.

The promise came Wednesday at the end of the third annual meeting in Washington of the International Counter Ransomware Initiative (CRI).

However, it isn’t clear what the declaration means. It doesn’t include a promise to forbid provincial, state, county, or municipal governments from paying to get access back to stolen or encrypted data. Nor does it include a promise to forbid businesses from paying.

“CRI members affirmed the importance of strong and aligned messaging discouraging paying ransomware demands and leading by example,” the group said in a statement.

CRI members also endorsed a statement that relevant institutions under their national government authority should not pay ransomware extortion demands.

CRI members also intend to implement the Financial Action Task Force Recommendation 15 on the regulation of virtual assets and related service providers, the statement says, which would help stem the illicit flow of funds and disrupt the ransomware payment ecosystem.

Meanwhile, organizations continue to be hit by ransomware. Among the latest is a shared services provider that supports a group of southwestern Ontario hospitals.

According to researchers at BlackFog, October was the third largest month for ransomware this year, with a total of 64 disclosed and 303 undisclosed attacks. Infosec teams looking for signs of compromise should note the report’s finding that 48 per cent of ransomware attacks involve the use of PowerShell.

This year, 13 new countries joined the CRI, a sign that its influence is spreading.

Much of the work it does to fight successful ransomware attacks — which seem to be on track to hit a record this year — is done behind closed doors. The group’s overall strategy is to co-operate in intelligence sharing, disrupting criminal networks and building resilience through sharing best practices. Its work includes research on cyber insurance, victim behavior, seizure and confiscation of virtual assets, and working together to curb the illicit money flow that ransomware actors rely upon.

Information sharing of threat indicators is done through several vehicles, including Lithuania’s Malware Information Sharing Platform (MISP), and Israel and the UAE’s Crystal Ball platforms.  A group website will be built and maintained by Australia, which will include a forum for members to request assistance from initiative members.

The group is also working on a project to leverage artificial intelligence to counter ransomware. It has also created a shared blacklist of digital wallets used by ransomware gangs.

This year’s meeting focused on launching capabilities to disrupt attackers and the infrastructure they use to conduct their attacks, improving cybersecurity through sharing information, and fighting back against threat groups.

The United States provides the initiative’s secretariat; Australia is the lead of its task force; Singapore and the United Kingdom are the leads of a group creating policies; and Germany and Nigeria are the leads of the diplomacy and capacity building pillars.

The new members are Albania, Colombia, Costa Rica, Egypt, Greece, Jordan, Papua New Guinea, Portugal, Rwanda, Sierra Leone, Slovakia, Uruguay, and the Interpol police co-operative.

The pledge not to pay ransoms and other initiatives “are incredible and necessary steps in the right direction,” commented Joseph Thacker, researcher at AppOmni. “North Korea, as an example, has made billions of dollars off of ransomware. This money helps sustain their country. Money is the only incentive to hack most of the companies that get targeted. I believe that by removing the financial incentive, the attacks will drop dramatically.”