Global Task Force Seeks To Curb the Ransomware Menace, Here’s What They’re Proposing


Global Ransomware Task Force (RTF) consisting of members from Microsoft, Cisco, AWS among others puts forward a broad set of recommendations to tackle ransomware attacks. The RTF outlines four key areas of action under the extensive framework to alleviate the ransomware threat.

Months after the launch of a comprehensive Ransomware Task Force late in December 2020, the coalition has come up with a new framework for combating the menace that is a ransomware attack. Last week, experts from a host of industries came together for an online event to present the framework, a set of recommendations to enable organizations to mitigate the ransomware threat.

The framework is a guide of sorts, for public as well as private entities engaged in any type of online activity, to steer clear of any possibility of falling victim to one of the most popular types of attack vectors. And in case they do, the 81-page frameworkOpens a new window provides a plan of action to minimize the impact.

Dubbed ‘Combating Ransomware: A Comprehensive Framework for Action’, the guideline was submitted to the president of the United States in a bid to garner the backing of the U.S. government. The RTF’s motive is to do away with a lax attitude toward ransomware attacks and escalate the threat to national security levels.

See Also: Is Ransomware the New ‘Snow Day?’ How Attacks Have Impacted Schools, Governments, and Enterprises

Ransomware Over the Years

Ransomware is a type of a malware that is designed to encrypt data within a computer system, or a network upon initial infection. What follows is a ransom demand, usually money that cannot be traced back to the attacker, such as cryptocurrency.

Encrypted files are usually impossible to crack without a key, which is only released upon successful completion of the payment. And if the victims do not have a contingency plan for data recovery, they have no other choice but to pay up lest they would want the data to be lost, or worse, publicly leaked.

Ransomware attacks have been taking place since the late 1980’s when the first documented attackOpens a new window took place against AIDS researchers in 1989. Called the AIDS Trojan of PC Cyborg, the ransomware strain was propagated over 20,000 floppy disks. They have continued to grow ever since but remained largely limited and insubstantial until mid or even late 2000’s.

The real spurt in ransomware attacks came after the 2010’s with a surge in the number of internet-facing systems. This is also the period when the perpetrators started accepting payments through electronic means.

Attackers used to develop their own strains but in recent years, threat actors have developed a business model called ransomware-as-a-service (RaaS) surrounding the attack vector. What happens is that the developers of a ransomware strain lease it out to certain affiliates who then use them to carry out an attack.

Depending on the deal between the ransomware developer, and the affiliate, the latter usually pays a fee for using the strain or may allocate a part of the proceeds from the attack. The worrying thing about RaaS is that the affiliate need not be a developer or have any specialized coding knowledge to attack victims.

Marisa MidlerOpens a new window , Member of Technical Staff at Software Engineering Institute at Carnegie Mellon University noted in a blog post, “With RaaS, ransomware is no longer limited to the developers who create it. Ransomware developers now sell their product to ransomware affiliates who use it to extort organizations. RaaS decreases the risk for ransomware developers since they do not have to execute attacks.”

Opens a new window

RaaS | Source: Marisa Midler

She adds, “For ransomware developers, RaaS can be as profitable as direct ransom payments since both developers and affiliates get a percentage of the paid ransoms, and the ransomware is affecting more targets and occurring more often.”

And if that’s not enough, ransomware operators are now using something being termed as double-attack and extortion, wherein attackers steal the data through exfiltration, before they encrypt it. Thus, even if the victim restores the data from backups and then refuses to pay the ransom, they are threatened with public exposure of the data.

The internet’s rapid rate of growth in terms of people and devices (including IoT) will ensure there’s always someone or something that can be targeted. Threat actors target individuals on computers and smartphones, as well as organizations to milk out cash from the despondency of the victims that lead to operational losses due to system and service downtime. So organizations may not have the luxury of waiting it out.

That’s why a lot of organizations secretly pay the attackers without any real assurance that the data will be safely handed back. And even if it is, there’s no way of knowing whether or not the attackers kept a copy for any further malicious activities. Security company SophosOpens a new window found that only 8% of victims that pay a ransom get back all their data.

See Also: 5 Reasons Why Your Business Should Have a Ransomware Plan in 2021

The Most Prevalent Ransomware Today

According to threat analysts at IBM Security X-Force Incident Response, one in four cyber incidents is a ransomware attack. The graph below details the most active ransomware gangs in 2020:

Number of Victim Organizations Globally by Ransomware Family That Had Their Data Published on Leak Sites | Source: Palo Alto Networks Unit 42

Thankfully, NetWalker operations were disrupted in January this year in an international operation spearheaded by the FBI. Before its takedown, NetWalker managed to amass over $46 millionOpens a new window in revenue from malicious operations.

Ryuk ransomware, which has caused enough damage worldwide to earn the tag of the cyber world’s most fearsome ransomware had, by January 2021, netted $150 million through ransomware payments through attacks on over 140 organizations.

REvil/Sodinokibi ransomware wreaked havocOpens a new window in the systems of one of Apple’s vendors based in Taiwan. This particular attack was peculiar since REvil demanded Apple to pay for the stolen data when Quanta (the vendor) refused to pay. IBM Security X-Force also revealed that REvil was behind almost one in three (29%) ransomware attacks in 2020, with $81 million earned in 2020 alone. REvil, which operates under a RaaS model, came into existence only in 2019.

Ransomware attacks also peaked in 2020, primarily because of the COVID-19 pandemic. “Ransomware did everything but slowdown in 2020, largely due to COVID-19 phishing lures, with several notable attacks from healthcare to municipalities to education,” according to the 2020’s Nastiest Malware report by Webroot.

Healthcare was the first sector targeted in the first ransomware attack, and it continues to remain one of the most targeted sectors, even amidst the pandemic. An attack on a German hospital even caused shutdown of lifesaving equipment leaving one dead, thus marking the first death due to a ransomware attack.

The most targeted industries were:

Ransomware Incident Response Cases by Industry (US, Canada, and Europe) | Source: Palo Alto Networks Unit 42

Palo Alto Networks’ threat intelligence arm Unit 42 and The Crypsis Group also noted that the average ransomware payout rose to $312,000 in 2020, a 171% increase from $115,000.

Ransomware Task Force

In March, Natalie Page, Threat Intelligence Analyst at Talion wrote for Toolbox and summarized the effect of ransomware attacks in 2020. “2020 was the year of the ransomware pandemic. There was a huge influx in attacks, which showed the security industry that ransomware criminals showed no mercy and were hitting organizations when and where it hurt the most,” she said. “The bad news is that most security experts believe 2020 was just a trailer for what is yet to come. So, what is the most effective vaccine to mitigate this ransomware pandemic?”

Well, the Ransomware Task Force, a coalition of 60+ experts from several organizations has set out to change the game and thwart ransomware attack attempts. The RTF comprises members from multiple sectors like software companies, government agencies, cybersecurity vendors, financial services companies, nonprofits, and academics. Some of these include Palo Alto Networks, Global Cyber Alliance, Microsoft, Cisco, Rapid7, AWS, Chainalysis, Citrix, McAfee, Deloitte, Ernst & Young, and others.

Philip Reiner, IST CEO and Executive Director of the RTF, “We felt an urgent need to bring together world-class experts across all relevant sectors to create a ransomware framework that government and industry can pursue, and ensure the continued faith of the general public in its institutions.”

See Also: Does REvil’s Ransomware Attack on Apple Signal a New Chapter in Cyber Extortion?

What is the RTF Framework for Ransomware?

Recommendations outlined in the framework were aimed primarily at the U.S. government to take the lead in tackling the threat from ransomware, since it has become too large for any since entity to take on by itself. As such, a U.S.-led global coordinated initiative is the need of the hour.

Some of the recommendations include encouraging victim organizations to report such crimes to relevant authorities. The RTF also contemplated outlawing ransomware payments, which is a tad disconcerting since the U.S. Department of Treasury is considering imposing hefty finesOpens a new window for those who pay ransomware gangs.

But the RTF concluded that organizations and the government as a whole aren’t ready for this, citing the likelihood of even more attacks as one of the reasons.

The framework also emphasizes on organizational preparedness and proactive campaigns for public awareness.

As part of the framework, some of the other important suggestions made by RTF are:

  • Establish an Interagency Working Group between federal agencies
  • Public-private partnership to facilitate coordination
  • Designate ransomware as a national security threat
  • Establish a ransomware response network
  • Encourage and incentivize voluntary info sharing
  • Standardize ransomware reporting
  • Exert international pressure on complicit countries
  • Incentivize cooperation
  • Bring crypto under the purview of law enforcement
  • Centralize expertise in cryptocurrency seizure

It is unclear how IST-led Ransomware Task Force will collaborate with the recently created task force by the U.S. Department of Justice.

Joseph CarsonOpens a new window , chief security scientist and advisory CISO at Thycotic told SecurityBoulevardOpens a new window , “The price you pay for not being prepared is on the rise. It only takes one employee with local admin privileges clicking on a malicious email attachment to take down an entire company.”

Wrapping Up

Ransomware operators became richer, greedier, not to mention technologically advanced, thanks to increased spending on research and development. For instance, Ryuk ransomware developed wormable capabilities earlier this year, which means it can self-propagate across networks. It wouldn’t be a surprise if more variants of either Ryuk, which itself is a variant of the Conti ransomware, pop up on the cyber sphere.

Additionally, the pandemic is not over yet, so there’s a lot of scope for attacks on an unprepared, ill-equipped market. Security tools can help to a certain extent, and that too against known variants. Consequently, individual-level awareness combined with a sustained global initiative such as RTF could really contain, if not thwart the perils of ransomware attacks.

Bottom line, we need to redraw the line of defense against ransomware.

Let us know if you liked this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!