Sick of hearing about the rising tide of ransomware attacks? So is the RTF.

The Institute for Science and Technology created the Ransomware Task Force (RTF) in December, drawing delegates from state, national and international government, law enforcement, cybersecurity insurance, security vendors, academia, think tanks, and industries likely to be disrupted by ransomware. Even before its release, the report drew interest from U.S. policymakers. In all, over 60 stakeholders announced 50 government and business strategies to take on the bad actors.

Megan Stifel, executive director for the Global Cyber Alliance, co-chair of the RTF, and former Department of Justice lawyer, said, "We’ve been briefing Hill staff and other members of senior leadership across the Department of Homeland Security (DHS), the DOJ, Treasury and State. There’s interest in what we’re recommending."

The results put the United States front and center in setting priorities and organizing international collaboration to tackle the issue.

Deter, Disrupt, Prepare, and Respond

The results were grouped into four areas, each with its own RTF working committee: Deter, Disrupt, Prepare, and Respond. The recommendations included dissuading – but not outright banning – organizations from paying ransoms, collapsing payment systems used to acquire ransoms, and placing global pressure on nations seen as safe harbors for ransomware actors. The report also promoted the creation of a NIST-type matrix for ransomware, with the goal of providing step-by-step guidance for organizations from proactive deterrence through mitigation.

The report also concludes that governments must work together and take a leadership role, since there have already been years of tools, training, marketing, and advanced deterrence, yet the number of attacks and the size of ransoms continue to grow exponentially.

Jen Ellis, who co-chaired the Prepare committee and works for Rapid7, said that it was time to move beyond a belief that technological problems required purely technological solutions. "The reality is that technological solutions in and of themselves are not going to solve this. If that was the answer, the industry would have solved this problem." Bad actors netted well over $350 million just last year – that we know of.

To Pay or Not To Pay, That is the Question

The boldest discussions centered on countries banning payment, a topic that is controversial on many levels, including what legal right a country would have to do so and how much of the loss and remediation it would offset so that a business could be made whole rather than paying the ransom.

"It’s clear that a lot of the money that is collected by the ransomware actors furthers their activity and furthers the marketplace for ransomware," said James Shank, senior security evangelist at Team Cymru and organizer of an RTF background research group looking at the worst-case scenarios of ransomware. "But there’s also a sense of human compassion for the victims of this crime. And the question is, from an operational perspective, does banning ransomware payments cause undue or greater harm to the victims of these crimes than affording them the option of paying the ransom to recover their operational status quo? The group didn’t come to a consensus on how to answer that question."

The RTF report is broad, but the solutions work best in concert with each other, said Shank. Emphasizing a whole-of-government approach domestically and a whole-of-world approach globally, incorporating both public and private sector action, is critical to success.

"It’s a paradigm shift," said Shank. "What you start to see is that the collective whole behaves differently than what anyone can really wrap their arms around and get control of [on their own]. And when you’re looking globally and trying to solve problems, it’s best to do that in a multi-faceted way."

The RTF framework looks to remove the incentive to make ransomware payments through a number of mechanisms: mandating that any company paying a ransom publicly report doing so, establishing a fund to help reconstruct firms that don’t pay, and requiring an assessment of options before paying.

The RTF sees a future with several law enforcement options, including subsidizing tips to out ransomware operations, global cooperation in the field, and using intelligence techniques to better observe criminal groups. It also looks at policy levers to make countries known to harbor ransomware criminals beyond the reach of extradition less likely to pursue that option. The 80-page report takes aim at the business of ransomware by making payments more difficult and imposing bank-like regulation on cryptocurrency, including know-your-customer laws. It also hopes to engage insurers as part of the effort to recover paid ransoms. In the past, insurers have been a driver of ransomware markets, often mandating payments and negotiations with criminals. The RTF report suggests that with additional training, insurers could take a more active role in procedural venues to retrieve stolen funds.

In the meantime, River Run has the tools, talent, and Security Operations Center (SOC) to protect our clients, and our 24/7/365 Incident Response Team helps those coming to us after an attack get back on their feet as quickly as possible.


