Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/30/2021
04:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ransomware Task Force Publishes Framework to Fight Global Threat

An 81-page report details how ransomware has evolved, along with recommendations on how to deter attacks and disrupt its business model.

The Ransomware Task Force (RTF) this week published a report detailing recommendations to fight back against the operators and infrastructure that drive ransomware, which its team of experts describes as a "serious national security threat" and "public health and safety concern."

More than 60 people from software companies, security vendors, government agencies, nonprofits, and academic institutions teamed up with the Institute for Security and Technology (IST) to create the RTF, which launched last December. Participants include Microsoft, McAfee, Rapid7, Amazon, Cisco, the Cyber Threat Alliance, the Global Cyber Alliance, US Department of Justice, Europol, and the UK's National Crime Agency, among many others.

Related Content:

Ransomware Recovery Costs Near $2M

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Ghost Town Security: What Threats Lurk in Abandoned Offices?

In their 81-page report, "A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force," experts share proposed guidance to deter ransomware attacks, disrupt its business model, help organizations prepare, and better respond to the global threat.

While other threats, such as business email compromise, also cause tremendous losses for businesses each year, RTF is focusing on ransomware because of its massive impact.

"One of the concerns we have is the scope and scale of ransomware," says Megan Stifel, executive director for the Americas at the Global Cyber Alliance and co-chair of the RTF. "It's holding parts of the ecosystem and the economy at risk, particularly aspects of critical infrastructure, that can give rise to a range of cascading consequences that in some cases individually, or certainly collectively, can create a significant national security problem."

RTF's framework arrives as ransomware attackers continue to evolve their strategies. Ransomware targeted the healthcare industry during a global pandemic and has shut down schools, hospitals, police stations, city governments, and US military facilities, its report points out.

"The professionalism of the affiliates, and focusing on their ability to attack organizations, is probably the biggest challenge," says Raj Samani, fellow and chief scientist at McAfee, of fighting ransomware. "This has supported the big-game hunting strategy and ultimately the ability to get into organizations and disrupt operations or steal data, [which] has given threat actors the ability to demand a lot more than ever before."

The framework outlines 48 actions government and industry leaders can take to disrupt the ransomware business model and mitigate the impact of attacks. While there have been many reports on the growing ransomware threat and widespread recommendations on how to fight it, many organizations struggle to adopt them. The idea behind this framework is to create a more comprehensive, all-hands-on-deck approach to dismantling the ransomware threat.

Some of the RTF's recommendations are listed as higher priority, though it advises viewing them together as a whole. At the top of its list is the suggestion for a coordinated, law enforcement effort to prioritize ransomware through a strategy that includes the use of "a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals," the RTF says in the framework.

"The first priority really does need to be this public pronouncement that ransomware is a serious national security threat, and that governments will work together with the private sector and other stakeholders in reducing its impact through a range of actions, including this idea of enhanced information sharing to support intelligence and enforcement," says Stifel.

There is room for improvement in how this is done, she adds. 

"The ability for the government to ingest information around ransomware needs to improve, but also the ability for industry to share information around ransomware is in significant need of enhancement," Stifel says.

The RTF's second recommendation suggests the US launch an "intelligence-driven anti-ransomware campaign, coordinated by the White House." This must include an Interagency Working Group led by the National Security Council, an internal US government joint ransomware task force, and a private, industry-led informal Ransomware Threat Focus Hub.

Its third prioritized recommendation suggests governments create a cyber response and recovery fund to support ransomware response and other security efforts, mandate victims report ransom payments, and require them to consider alternatives before paying ransom.

Payments were a tricky subject to navigate in the creation of the framework, and Stifel notes the RTF couldn't come to a consensus on whether to prohibit payments. Participants agreed that while paying ransom is detrimental in many ways, there are challenges in barring payments altogether. Doing so "would really put victims in a very hard spot," Stifel adds.

The framework also suggests closer regulation of the cryptocurrency sector and states governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter trading to comply with existing laws, such as Know Your Customer, Anti-Money Laundering, and Combatting Financing of Terrorism.

Ransomware is a rapidly evolving threat, and criminals continue to hone their skills and tactics to successfully extort businesses. McAfee's Samani will elaborate more on this topic and how these changes have influenced the distribution of ransomware in an upcoming RSA Conference session entitled "Ransomware: New Recipe For An Old Dish."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26543
PUBLISHED: 2021-05-06
The "gitDiff" function in Wayfair git-parse <=1.0.4 has a command injection vulnerability. Clients of the git-parse library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
CVE-2021-27216
PUBLISHED: 2021-05-06
Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.
CVE-2021-29490
PUBLISHED: 2021-05-06
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and ex...
CVE-2021-29491
PUBLISHED: 2021-05-06
Mixme is a library for recursive merging of Javascript objects. In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the ava...
CVE-2021-29921
PUBLISHED: 2021-05-06
Improper input validation of octal strings in Python stdlib ipaddress 3.10 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. IP address octects are left stripped instead of evaluated as valid I...