The CRI was created to counter the rise in ransomware threats and activity. A ransomware attack is distinct from other cyberattacks because the hacker will encrypt the organization’s data, and then demand payment in exchange for releasing the data back to them unencrypted. In some scenarios, the ransomware attackers will also threaten to not only retain the encrypted data but also to release sensitive data to the public if the ransom is not paid.
In the United States, ransomware victims paid $1.5 billion in ransoms from May 2022 to June 2023. U.S. organizations also continue to be a top target; Americans are hit by 46% of global cyberattacks, according to Anne Neuberger, the U.S. Deputy National Security Advisor.
On November 1, all members of the CRI endorsed a pledge against government-paid ransoms in relation to ransomware attacks. However, the pledge does not prohibit payments outright; instead, the pledge allows governments to make individual case-by-case decisions on whether to allow a ransom to be paid and how the exceptions for emergencies might apply. Emergencies might include ransomware attacks on specific entities, like hospitals where patient health is at immediate risk. To achieve the goals of the joint policy statement, the CRI is going to create, through the U.S. Department of Treasury’s pledge to share data on illicit wallets, a blacklist of digital wallets used to carry out ransomware activities.
The pledge is also limited to government institutions; in the United States, the pledge only extends to federal agency activity and exempts state and local jurisdictions. Businesses can continue to make decisions regarding payment based on their own cost-benefit analysis during the ransomware event. However, even without explicit language prohibiting payments, the statement supported by the 48 countries sends a clear message to malicious actors that they should not expect governments to acquiesce to their demands.
In addition to the pledge, the CRI is taking several actions to increase collaboration between the members. As announced during the third annual meeting, two new information sharing platforms will be launched in the near future. The first is the Malware Information Sharing Platform crafted by Lithuania. The second is the Crystal Ball, an information sharing platform with databases, virtual coordination platforms and contact lists, created as a joint project between Israel and the UAE. These platforms will enable members to share details about ransomware attacks, suspected bad actors, ongoing investigation developments, etc., to assist in the collective efforts to stop an attack before the victim is extorted. CRI hopes that members will share on average one piece of information each week on the platforms to keep information flowing.
Other results of the third annual summit included the launch of a project that will leverage artificial intelligence to analyze block chain data and counter ransomware programming. In addition to the pledge on payments, several members also committed to “assist any CRI member with incident response if their government or lifeline sectors are hit with a ransomware attack.” Finally, new CRI members will be offered mentorship and tactical training program opportunities to build out their cyber capacity.
Over the next year, the CRI plans to continue to onboard new members, better understand the financial model of ransomware attacks and share information to build their national counter-ransomware capacity.
The work of the CRI will build on and supplement other ransomware-focused activities within the United States. For example, the Joint Ransomware Task Force is an interagency body that coordinates federal tools to address ransomware attacks by developing best practices, conducting investigations, providing guidance and sharing information. The task force is co-chaired by the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation. The task force has created and updated a “one-stop resource” to help entities protect their facilities, personnel and customers from ransomware threats through the #StopRansomware Guide. We expect that the task force will continue to update the guidance it provides to U.S. entities and that it may incorporate lessons learned from the CRI.
Pillsbury’s Cybersecurity Capabilities
Pillsbury’s multidisciplinary team of cybersecurity lawyers provides clients with strategic counseling to boards, financial institutions, management teams and various regulated entities on a broad range of cybersecurity issues and strategies. Our team stands ready to help you leverage existing federal and state cyber resources and learn how to better protect systems from ransomware attacks and cyberattacks. To reach a member of the team with questions or concerns, please contact any author of this alert.