US officials close to persuading allies to not pay off ransomware crooks

Top White House officials are working to secure an agreement between almost 50 countries to not pay ransom demands to cybercriminals as the international Counter Ransomware Initiative (CRI) summit gets underway in Washington DC Tuesday.

“This was a really big lift, and we’re still in the final throes of getting every last member to sign, but we’re pretty much there,” according to a senior administration official.

The no-ransom-payments pledge is expected to be one of the major success stories coming out of the US-led conference, now in its third year, that has grown to include 48 member governments from around the world.

This year’s summit will “focus on three main themes,” Anne Neuberger, US deputy national security adviser for cyber and emerging technologies, told reporters during a briefing earlier.

First up: what Neuberger called “launching capabilities.” This includes “a project to leverage artificial intelligence to analyze the blockchain to help identify illicit fund flows that are funding ransomware,” she explained. Essentially, keeping better track of cryptocurrency ransom payments so that extortionists can be tracked, identified, and snared.

Second, member governments will also increase their information-sharing capabilities via two dedicated platforms that let countries rapidly exchange threat indicators following ransomware infections. 

Lithuania will develop one such center, and a joint program between Israel and the United Arab Emirates will build the other, with the goal being for all CRI countries to share at least one piece of threat intelligence per week.

The third focus area, “fighting back,” according to Neuberger, will include the “first-ever joint Counter Ransomware Initiative policy statement declaring that member governments will not pay ransoms.” Under that pact, governments and their agencies and departments won’t cough up ransoms; this doesn’t seem to apply to private businesses.

Additionally, the US Treasury will share a “blacklist” of crypto-coin wallets being used to move ransom payments, Neuberger said. Member countries will also “pledge to assist any Counter Ransomware Initiative member with incident response if their government or lifeline sectors are hit with a ransomware attack,” she added.

Of the 48 member countries, America holds the dubious honor of being the most-targeted country, with 46 percent of all global attacks hitting US organizations and individuals, Neuberger noted. “And as long as there’s money flowing through ransomware criminals, this is a problem that will continue to grow,” she said.

Mandiant’s chief technology officer Charles Carmakal, who attended the CRI summit on Tuesday, told The Register that banning ransom payments is “one of many steps that need to be taken to curb the multifaceted extortion problem.” But, he added, there are some things that need to happen first.

“Governments and law enforcement need to continue to bring threat actors to justice — either through arrests or public indictments,” Carmakal said.

So far this year, international cops have taken over RagnarLocker’s leak site and arrested a “key target” in that ransomware crew’s operation. Another FBI-led effort shut down Hive’s ransomware network, while also distributing 1,000 decryption keys to victims. 

And a third joint operation between CRI countries dismantled Qakbot, aka QBot, a notorious botnet and malware loader responsible for ransomware losses totaling hundreds of millions of dollars worldwide.

Carmakal wants to see more of these types of actions, and said law enforcement should “take more aggressive actions” to disrupt these criminals and their infrastructure.

The private sector has a role to play as well, commented Carmakal, and both “public and private sector can do more to notify victims when evidence of compromise is identified,” he added.

And finally, if the CRI countries do agree on a ransom-payment ban for member governments, then “governments and the private sector must work together to ensure victim organizations aren’t completely left to fend for themselves when trying to get operations back online after a ransomware incident,” Carmakal said.

“Eliminating the option for victims to pay could be difficult for those organizations that aren’t as cyber mature or ready as others.” ®