A task force made up of more than 60 experts spanning government, industry, education and the health and nonprofit sectors released a report Thursday that makes sweeping recommendations to the public and private sectors on combatting ransomware, which it calls a global national-security risk that can paralyze organizations like schools and hospitals while leaving sensitive information exposed to cybercriminals.
The 81-page report by the Ransomware Task Force includes a detailed framework of policies and actions that the group argues could both lessen the impact of pervasive extortion malware and strengthen enforcement action against actors who are often beyond the reach of law enforcement.
“The immediate physical and business risks posed by ransomware are compounded by the broader societal impact of the billions of dollars steered into criminal enterprises, funds that may be used for the proliferation of weapons of mass destruction, human trafficking, and other virulent global criminal activity,” the report reads. “Despite the gravity of their crimes, the majority of ransomware criminals operate with near-impunity, based out of jurisdictions that are unable or unwilling to bring them to justice.”
The report includes 48 recommendations, chief among them a coordinated international law-enforcement approach that discourages countries from providing safe harbor to ransomware actors, many of whom reside in places such as Eastern Europe, Russia and Iran. The report also urges the United States to embrace a whole-of-government campaign, from the White House on down, that includes joint task forces, response and recovery funds and industry-led threat-intelligence sharing.
“Unless there is a comprehensive, top-down coordinated and resourced effort put in place, operationally focused, this is just going to keep getting worse and it’s going to put lives at risk and continue to undermine the public’s faith in public institutions,” said Philip Reiner, a former National Security Council official and chief executive of the Institute for Security and Technology, which created the task force last December. “The imperative here is that governments and industry have got to prioritize this as something that has to be worked on collaboratively. If you break pieces of this off on their own, it’s insufficient.”
‘You basically see it everywhere’
Much of the urgency, Reiner said, stems from the fact that ransomware is increasingly easy to execute as more actors adopt a ransomware-as-a-service model, in which criminals without much technical know-how license a piece of malware from its developers to conduct attacks, while the more sophisticated hackers keep refining their own tactics. The result is that nearly every sector is experiencing more incidents, with real-world effects like delays in city services, disruptions at hospitals and lost school days for kids having to learn from home during the COVID-19 pandemic.
Just this week, the Washington, D.C., Metropolitan Police Department was threatened with the publication of more than 250 gigabytes of agency files, including arrest reports, personnel records, intelligence documents and internal memos.
“You basically see it everywhere, right?” Reiner said. “It’s beyond the pale that we have the resources we have in this country where that sort of criminal activity can happen.”
And 2020 only continued a trend of ransomware getting worse. According to the task force’s report, there were nearly 2,400 reported attacks last year targeting U.S.-based governments, educational institutions and health facilities. Victims suffered an average downtime of 21 days and needed an average of 287 days to fully recover from encryption attacks.
‘Shine a light on the choke points’
The financial tolls are also racking up: U.S. victims paid $350 million in ransoms last year, a 311% increase over 2019, with an average payment of $312,493. The ransomware-recovery firm Coveware on Tuesday reported that demands continued to rise in the first quarter of this year.
To address ransomware’s finances, the task force recommends tighter regulation of cryptocurrency markets, including requiring exchanges and over-the-counter trading desks to comply with anti-money-laundering and counter-terrorist-financing laws. Some crypto exchanges founded or based in Asia are favored by ransomware actors for their lax regulation; a January report found that Ryuk, ransomware that has crippled dozens of U.S. cities and states, including New Orleans, has used exchanges founded in China to move more than $150 million worth of bitcoin.
And just as in the real-world economy, ransomware appears to have an elite financial class of its own: Reiner’s task force found that 80% of all ransomware payments in 2020 went to just 199 cryptocurrency wallets, with a smaller group of 25 wallets accounting for 46% of all collections.
But the actors behind those high-earning wallets could face consequences with greater cooperation between law enforcement and the Treasury Department, the task force argues.
“You can actually very clearly shine a light on the choke points in that payment process and do something about those 199 wallets and it will vaporize those things,” Reiner said.
Some of the task force’s recommendations are already starting to take shape. One is the creation of a cyber response and recovery fund to help victims such as state and local governments; earlier this month the White House’s proposed budget included $20 million for such a program, which is to be administered by the Cybersecurity and Infrastructure Security Agency.
The Ransomware Task Force also envisions an even greater role for CISA in helping state and local governments, schools and the health sector protect themselves, such as promoting membership in organizations like the Multi-State Information Sharing and Analysis Center, which offers a suite of free and low-cost security tools, and running more tabletop exercises that simulate ransomware attacks. Last month, Homeland Security Secretary Alejandro Mayorkas said his department would embark on a series of 60-day “sprints” on a variety of issues, beginning with ransomware.
“I am encouraged by what we see, not only from the announcement of the sprint,” Reiner said. “That’s very indicative of the fact that they realize just what the scale and challenges is.”
And last week, the Wall Street Journal reported that the Justice Department has formed its own ransomware task force, led by Associate Deputy Attorney General John Carlin, who oversees national security and cybersecurity cases.
The Institute for Security and Technology, Reiner’s organization, plans to hold an online event Thursday on its report, featuring an address from Mayorkas.