Thirty-six countries, including Canada, have agreed to work together more closely fight ransomware.
At the end of a two-day summit in Washington on Tuesday the countries involved in last year’s Counter Ransomware Initiative (CRI) agreed to create an international task force early next year to better co-ordinate their activities.
Formally called the International Counter Ransomware Task Force (ICRTF), it will initially be chaired by Australia. The goal, the countries said in a joint statement, will be to co-ordinate resilience, plan activities to disrupt ransomware groups and counter the groups’ illicit finance activities.
“ICRTF members will commit to contribute to joint work of the coalition through information and capability sharing, as well as joint action in the fields of resilience, disruption, and countering illicit finance,” the statement said.
At a closing session that was videocast, Patricia Geddes, deputy minister of Public Safety Canada, said, “as we continue efforts to mitigate the threat of ransomware, it is of vital importance that we come together in fora like these to identify where international co-operation can be a force multiplier … to make our policies and efforts more effective. We’ve had success in this space before, and I remain optimistic our collective work will show real achievements.”
The countries also agreed to
–create a fusion cell at the Regional Cyber Defense Centre (RCDC) in Lithuania to test a scaled version of the ICRTF and operationalize ransomware-related threat information-sharing commitments.
The RCDC will publish semi-annual public reports on ransomware trends and mitigation measures. It will share technical information about ransomware (tools, tactics, and procedures) with a wide spectrum of stakeholders. Data provided by participating members will be aggregated and summarized by the RCDC;
–deliver an investigators toolkit to the CRI, including lessons learned and strategies for responding to significant ransomware events and proactively tackling major cybercriminal actors; resources to build capacity to effectively disrupt the threat of ransomware; and consolidated tactics, techniques, and procedures (TTPs) and trends for key identified actors. This will allow CRI partners to benefit from the breadth of expertise and technical capability brought together under the working groups, the statement said;
–start private-sector engagement based on trusted information sharing and coordinated action to improve the countries’ joint work towards operational disruption. That includes publishing joint advisories outlining TTPs for key identified actors. “Ransomware has impacts that extend far beyond the borders of CRI partners,” the statement said. “Joint public advisories will offer warning and mitigation measures to the international community so that the global community is enabled to close vulnerabilities to these cyber criminals, amplifying our collective reach;”
–hold two counter-ransomware exercises per year to further develop, strengthen, and integrate the collective approach to combatting ransomware from resilience to deterrence. A counter-illicit finance ransomware workshop led by U.S. Treasury was held in July.;
–co-ordinate priority targets through a single framework, focused on hard and complex targets.
“We will translate these initiatives into concrete disruption results with law enforcement groups,” the countries vowed.
The two days of talks were largely held behind closed doors, except for a public closing session Tuesday where leading representatives of delegations made statements. Patricia Geddes, recently appointed associate deputy minister of Public Safety Canada after several years at the Canadian Security Intelligence Service, admitted the conference was an eye-opener.
“As someone who has deep roots in the national security and intelligence community in Canada, but with very limited access to the ransomware discussion,” she said, “I found this a profound masterclass” that will be useful in her new role. One lesson, she said, is to think “out of the box” and consider partnerships with tech companies — “and that is sometimes very difficult for old intelligence professionals to do that type of thing.”
As the conference went on, the U.S Treasury Department’s Financial Crimes Enforcement Network (FinCEN) said an analysis of ransomware attacks against U.S. financial institutions in the last six months of 2021 shows a “substantial number of ransomware attacks appear to be connected to actors in Russia.”
Roughly 75 per cent of the ransomware-related incidents reported to FinCEN during the second half of 2021 pertained to Russia-related ransomware variants, the report says.