The International Counter Ransomware Initiative conference has produced a pledge by 40 countries to refuse ransomware payments going forward, including the United States and EU members.
The pledge appears to apply only to government entities. Compelling private companies to stop making ransomware payments would be a very sudden policy shift for many of these countries. Other pledge signatories include Australia, Canada, India, Israel, Japan, and Singapore.
Government refusal of ransomware payments most likely to impact cities and counties
National governments often already have a “do not negotiate” policy for these situations, so in some ways this is little more than a reiteration of existing terms. This could strongly impact more local (county and city) governments if they are required to comply, however. Numerous localities across the world have opted to pay off ransomware attackers, including a number in the United States (where municipalities often have badly underfunded IT programs and may not even have dedicated full-time staff).
The US receives nearly half of the world’s ransomware attacks, and it does not appear that this pledge involves compelling private entities to refuse ransomware payments. The government policy thus far has been to recommend against them, but to allow them with the notification and involvement of the FBI and other relevant law enforcement agencies. The recent case of Las Vegas casino rivals Caesars and MGM illustrates the potential cost difference, and why companies continue to make ransomware payments: Caesars was able to negotiate down to a $15 million payment and experience virtually no business interruption, while MGM saw its properties thrown into chaos for weeks and is expected to spend at least $100 million in recovery.
The International Counter Ransomware Initiative is an annual event (now in its third year) and has established other cooperative programs and pledges, such as an agreement to improve sharing of information about the cryptocurrency accounts used to receive ransomware payments. Two different platforms will be created for centralizing this information, one by Israel and the UAE and the other by Lithuania.
The conference participants also agreed to make use of a U.S. Department of Treasury blacklist of digital wallets known to receive ransomware payments. Spokespersons for the White House indicated that all of these efforts are the initial steps of a broader and longer-term push to dismantle the financial systems used to facilitate ransomware payments, though there is not yet much indication what the advanced stages of such an effort would look like.
AI scanning also discussed, no word on new law enforcement measures
The conference also discussed the possibility of applying AI analysis to the blockchain to better track the movement of ransomware payments. Law enforcement action to break up groups and make arrests was not specifically addressed, however, even though such action has been occurring with increasing frequency in recent years.
Joseph Thacker, researcher at AppOmni, notes that the plan to use AI is extremely general at this point and much more detail will be needed to determine if it would actually assist in curbing ransomware payments: “The feasibility of using AI to monitor the blockchain largely depends on the specifics of what is developed and deployed. It’s in the zeitgeist to use AI everywhere. If they are just throwing the data at an LLM and hoping it finds interesting or illicit transactions, I doubt that will be fruitful. If this is built on some previous work in the machine learning space, such as the systems which help detect credit card fraud, then the system is likely pretty mature and might have some promise.”
“At the moment, there are many people who are skilled at tracking crypto payments both in the public and private sector. It wouldn’t surprise me if it’s quite possible to trace the money,” added Thacker.
Ransomware gangs have shown increasing interest in government agencies in recent years, but in the US and EU (which together receive about 80% of all attacks each year) the target is usually an inadequately defended or prepared local government. Smaller countries in Latin America have seen ransomware wreak havoc at a national government level, however, namely Costa Rica and Chile. Costa Rica spent much of 2022 recovering from a devastating attack by the now-defunct Conti group, which initially demanded a $10 million ransom; the incident ended up costing an estimated $30 million per day as 30 government agencies were impacted, and it was followed up by an attack from the Hive ransomware group on the country’s social security fund. Chile saw an attack on several government agencies in September of that year, attributed to the RedAlert group. The non-Eurozone Montenegro also saw a devastating attack on national agencies around this time, and Bermuda was hit with a similar attack last month.
The focus on tracking ransomware payments may also be in response to an emerging trend of these criminal gangs simply dropping their ransomware. The Cl0p group recently did this with its months-long exploitation of the MOVEit breach, profiting to the tune of tens of millions of dollars by quietly stealing data first and then notifying victims of intent to publish it to the clearweb without ever encrypting their servers. In addition to the stealth element and improved ability to dwell for extended periods in victim ecosystems, attackers may also be dumping ransomware in response to organizations tending to be better-prepared with backups that cannot be corrupted (as well as insurers increasingly refusing to cover ransomware payments).