An International strategy to combat Ransomware
In 2021 the USA based Institute for Security and Technology set up a Ransomware Task Force Is this an indication of an increased threat from Ransomware or the glacially slow response of industry and government to cyber threats.
Ransomware is still a major threat to computer based systems. In July 2021 a ransom of $70 million was demanded of the cloud service provider Kaseya. A reinforcement of Kindus’ warning of the vulnerability of systems that provide services to multiple users.
The full extent of the Ransomware threat is hard to estimate as some victims will simply pay up leaving no public record of the attack. Significant sums have been paid: Colonial Pipeline paid £3.1 million in ransom in May 2021. If the cost to pay the ransom is substantially less than that to fix the issue compounded with the inevitable system downtime; payment becomes an attractive option. Unfortunately this simply funds organised crime and increases the prevalence and sophistication of future Ransomware incidents.
Cyber insurance policies have begun to offer the option to be covered against Ransomware. Ransomware insurance policies act as a preventative because the terms of payment require the insured to put measures in place to minimise their risk. They also encourage attacks because an insured target is more likely to pay when faced with a Ransomware demand.
The aim of the task force is to mitigate the threat from Ransomware. As an initial step an 81 page framework for action has been published on combatting ransomware . The framework is based around 4 linked strategies:
- Deter Ransomware attacks. This will require government level policies and international cooperation. Laws will need to be introduced and enforced. The work of investigative bodies will be coordinated. Some nations are seen as safe havens for Ransomware operatives to work out from. These nations will need to be influenced to change their policies.
- Disrupt the Ransomware business model and thereby minimise potential profits. Ransomware payments are usually through crypto currency channels. Legislation of the crypto currency models and requiring or incentivising reporting of transactions will facilitate tracking of payments and recovery of funds. The owners of the infrastructure on which the currency servers operate such as telecom providers and Internet hosting providers can work to block or reduce availability to the crypto currency servers.
- Aid organisations to prepare for Ransomware attacks. There is a need for an up to date, authoritative, easy to follow guide on how to prepare for possible Ransomware incidents. Existing on-line resources need to be better sifted and presented by search engines. Awareness campaigns and explanatory materials need to be targeted at business decision makers rather than presenting Ransomware as an issue for the security professional. Incentives and industry directives will encourage organisations to implement Ransomware precautions.
- Effectively respond to Ransomware attacks. Centralised funds could provide support to Ransomware victims. This would partly offset the cost of recovery compared to paying a ransom. Encourage sharing of information on Ransomware incidents. This would be linked to a standardised reporting format for submitting incident information. Laws (some of which are already in place) will require organisations to disclose details of incidents and ransoms paid. Victims will be required to analyse alternative recover strategies before paying any ransom.
These are all solid ideas, they are presented as outlines with a timescale for beginning action and a recommended lead body to begin action. They are all still at a very early stage of planning. The lead bodies are top level such as ‘White House’ and ‘US Department of Justice’. At present the whole plan is little more than a collection of good ideas and some fancy graphics. It can only be hoped that there will be the political will to follow it through.
At the time of writing (July 2021) the task force has published very little to help the immediate victim of Ransomware. Only one notice of concern has been published. This is a warning for users of on-premises Microsoft Exchange Server which had a vulnerability now addressed by a Microsoft patch of March 2021. Kindus’ advice is always to patch as soon as an update becomes available. If Exchange has not been patched the task force advises how to check if there has not already been an incursion on the system and how to patch the system.