International ransomware coalition promises to deny ransom requests.

This week during the third annual meeting of the International Counter Ransomware Initiative (CRI), dozens of world governments pledged to never to pay ransom demands levied by ransomware gangs in cyberattacks.

A voluntary international partnership.

Established by the US in 2021, the CRI, which includes forty-eight countries as well as the European Union and Interpol, is considered the largest cyber partnership in the world, TechCrunch explains. 

Governments and cybersecurity experts have long warned that ransom payments not only motivate future attacks but also offer no guarantee that stolen data will be returned. While the agreement does not ban companies from making ransom payments (a move that could inadvertently give ransomware groups increased leverage for extortion), US deputy national security advisor Anne Neuberger says the goal of the pledge is to “counter the illicit finance that underpins the ransomware ecosystem.” 

Not all members of the coalition have agreed to the pledge, but Neuberger says “we’re in the final throes of getting every last member to sign.” Details of the pledge have not yet been disclosed, and it’s unclear how member states will be held accountable or if there will be penalties for giving in to ransomware attackers. 

Emerging technologies also considered for use against ransomware.

As CyberScoop notes, this year’s CRI meeting also focused on using AI, and blockchain analysis to fight ransomware, as well as plans to share a list of blacklisted cryptocurrency wallets associated with ransomware operations. The Register adds that CRI members are also working to bolster their information-sharing capabilities, and two dedicated platforms – one developed by Lithuania and the other a joint effort from Israel and the United Arab Emirates – will allow countries to quickly share threat indicators after ransomware attacks. 

Industry experts approve of the intent, but see the question of ransom payment as a gray area.

Stephen Gates, Principal Security SME at Horizon3.ai, understands the motivation of the agreement, but thinks it may underestimate the dilemma private-sector victims may face. “Not paying criminals the ransoms they demand and following the money trail is an honorable initiative to undertake. However, non-government organizations like financial services, higher education, healthcare, manufacturing, retail, gaming, and many others have been forced to pay ransoms so they could get their operations back up and running. Their livelihoods have been at stake. The impact on commercial organizations not paying their ransoms may end up being worse than the alternative.” Availability can be essential to these organizations.

Gates continued, “Therefore, a paradigm shift in the mindset of all organizations needs to happen. That shift includes augmenting their completely defensive security approach with an offensive approach designed to actually find where they are most vulnerable to human-operated ransom-based attacks and fixing those issues before they fall victim. This preemptive security approach, using specifically designed autonomous systems, can majorly reduce the likelihood of falling victim to a targeted attack.”

And he advises organizations to assume they’ve already been breached, and work from there in what’s inevitably an ongoing process. “The first step to using these autonomous systems is assuming your defenses have already been breached. Once that happens, these systems will help you find, fix, and verify that your exploitable vulnerabilities are drastically reduced. This is not a one-and-done thing performed on an annual basis. Instead, it becomes part of your everyday, good cyber-hygiene due diligence.”

Doug Barbin, President and National Managing Principal of Schellman, also sees shades of gray in the issue. “I don’t think this is a black and white decision,” he wrote in emailed comments. “I of course don’t think that attackers should be able to make money off this, but there is more to think about than just putting money in the hacker’s pocket. Impacted organizations should always work with law enforcement to see if the criminals can be caught, the ransom be remediated, and the data be taken down. What it comes down to for me is: if I have employees and customers that are suffering because I’m unable to conduct business, I would weigh that against the cost of getting the encryption back.”