The second International Counter Ransomware Initiative Summit took place last week, bringing together leaders from over 30 countries in the first in-person meeting of this nature to discuss a global response to the threat of ransomware attacks. The White House summit discussed the development of an international information sharing platform, standardized investigative toolkit and task force among other measures.
Second White House summit on ransomware introduces broad range of proposals
While the first White House summit was a Zoom meeting that was criticized by some for producing little but “platitudes,” the more recent event concluded with a broad variety of proposals for combating ransomware attacks.
One of these items is an International Counter Ransomware Task Force (ICRTF), which would give members a central system by which to share capability and intelligence for the purpose of disruption and tracking of illicit financial activity. The creation of a fusion cell at the Regional Cyber Defense Centre (RCDC) in Lithuania would be a scaled test version of the concept, with Lithuania possibly chosen due to proximity to Russia’s Kaliningrad region and direct familiarity with the area’s rampaging ransomware gangs. This entity would also publish a semiannual public report on trends in ransomware attacks and suggested mitigation measures.
On the subject of Russia, the country participated in the previous year’s summit but was not invited to this one. Tom Kellermann, CISM, Senior VP of cyber strategy at Contrast Security, who served on the Commission on Cybersecurity for President Barack Obama’s administration which worked on assessing and improving US cyber infrastructure, indicated that this is likely not just due to the Ukraine situation but also due to possible plans for further sanctions related to ransomware attacks that originate from the country: “The majority of ransomware attacks are carried out by Russian speaking cartels that have a Pax Mafioso with the Russian regime. They not only offset economic sanctions, but act as cyber militias against western targets during times of geopolitical tension. We must expand forfeiture laws to allow for greater seizures of the assets being held by cyber criminals. In addition, any exchange that does not embrace the tenants of Financial Action Task Force (FATF) and is blatantly involved in the laundering of the proceeds of cybercrime should be shut down via cyber means and their assets seized and used for critical infrastructure protection. Finally, insurers should be banned from making ransomware payments as these payments violate the sanctions imposed on Russia and North Korea.”
Another proposal from the White House summit is a standardized “investigator’s toolkit” for global use in responding to ransomware attacks by the world’s major criminal gangs. This could include the publication of tactics, techniques, and procedures dossiers for these entities that would be made available to the public.
The White House summit also called for increased cooperation between international law enforcement agencies in taking down “hard and complex targets.” This could include training measures such as biannual counter ransomware exercises, counter-illicit finance ransomware workshop (similar to one already held by the US Treasury this past July), and alignment of frameworks and guidelines to be used in inter-jurisdictional cases.
The White House summit additionally introduced measures to loop in private industry where applicable. There was talk of a “capacity-building tool” that would integrate case studies of prior ransomware attacks that involved public-private partnerships. “Increased private sector engagement” was also listed as a key objective for the coming year, though with little in the way of specifics attached to it. 13 international private sector companies were invited to the summit (including Microsoft, Siemens and a number of leading cybersecurity firms), and were asked what they are presently doing about ransomware attacks and what they believe government should be doing in partnership with them.
Jeff Williams, co-founder and CTO at Contrast Security, provided some thoughts on what these public-private efforts might look like going forward: “I understand the industry and media have become hyper-aware of ransomware and similar attacks, but I think one area of focus that should be more top of mind is the increasing amount of zero-day attacks and CVE vulnerabilities. Ransomware is usually the result of a malicious actor taking advantage of vulnerabilities, such as known CVEs. Because of this, we need to focus on the root causes of ransomware and other types of breaches. I think we need a strong public-private partnership to focus on cybersecurity transparency – particularly into the software development and supply chain processes. We need far more insight into how the software we trust with the most important things in our lives has been secured. And we need to work on eliminating entire classes of vulnerabilities from our software environments by enhancing software defenses and using technologies like Runtime Application Self Protection (RASP). Additionally, we must push back on the industry when it attempts to obfuscate visibility into weak security practices and technologies with claims that it will compromise intellectual property (it won’t) or make it easier for attackers (it doesn’t).”
The participants of the White House summit also agreed in principle to increase both diplomatic efforts with and “political costs” for countries that harbor digital criminal gangs and allow ransomware attacks to be launched from within their borders, potentially another dig at Russia.
White House summit may translate into vigorous action on ransomware attacks in the coming year
The White House summit was closed to the media save for the closing session, so specifics remain thin beyond the press releases that have been issued. The proposal outlines are ambitious, however, and could translate into significant near-term action to curb ransomware attacks if they hold up.
The administration clearly sees the need for immediate action, citing widespread ransomware attacks on schools and hospital networks throughout the world. The flow of illicit crypto appears to be another major focus, with a senior administration spokesperson touting the administration’s sanctions on Tornado Cash and indicating that the US Treasury’s Financial Action Task Force is looking to implement “Know Your Customer” rules for crypto trading.
It remains to be seen what will actually come from the White House summit, however. There was also a general agreement in principle to develop a centralized international information sharing framework and take stronger action against crypto-based money laundering, but relatively little of consequence happened; the joint international efforts are still in the planning stages, and the sanction of Tornado Cash did not come until it was found that North Korea’s state-backed hackers were on a spree of attacking blockchain bridges and using the service to wash their stolen tokens.
There was not much in the way of useful news for private industry, but Erich Kron (security awareness advocate at KnowBe4) offers some general suggestions for those still looking to improve their defenses: “Until we are able to come up with a solution to the issue, organizations should concentrate on reducing the risk of infection by focusing on the key ways that ransomware is spread, phishing attacks and remote access portals. Educating employees to be able to quickly and accurately spot and report phishing attacks and securing remote access portals with Multi-Factor Authentication (MFA) can greatly reduce the chance of initial infection. Ensuring that software vulnerabilities are patched and segmenting networks can limit the ability of malware to spread across the organization, and strong Data Loss Prevention (DLP) controls can reduce the threat of data exfiltration, taking away a key point of leverage for attackers.”