International CRI summit chalks out future roadmap for 37 governments to counter ransomware, fight adversaries

The U.S. administration brought together in-person partners from 36 countries, and the European Union (EU), for the second international Counter Ransomware Initiative (CRI) Summit this week. The CRI Summit builds on the work of last year’s summit and the work that has been happening across five different areas to shape an impactful set of discussions on how to continue to strengthen partnerships and more effectively counter ransomware threats.

The CRI Summit is a cornerstone of the Biden-Harris Administration’s efforts to disrupt ransomware attacks and a core part of the nation’s international cybersecurity agenda. While the U.S. has made concerted efforts under its national authorities and capabilities to fight the scourge of ransomware, it is a challenge that knows no borders. The latest CRI Summit focuses on the five working group themes of raising resilience, disrupting cyber criminals, countering illicit finance, building private-sector partnerships, and strengthening global cooperation to address ransomware challenges.

A group of 13 companies, including CrowdStrike and Microsoft, have also participated in the summit for the first time. Their participation will help institute active and enduring private-sector engagement over the next year, based on trusted information sharing and coordinated action to improve joint work towards operational disruption. Additionally, the CRI Summit will work on developing a capacity-building tool to help countries utilize public-private partnerships to combat ransomware. The tool will feature a series of case studies of public-private partnerships that have been used in the counter ransomware fight.

“Through this Initiative, the Administration is taking concrete actions with our international partners to protect our citizens and businesses from cyber criminals,” according to a Fact Sheet released on Tuesday by the White House. “Over the past year, the CRI has worked to increase the resilience of all CRI partners, disrupt cyber criminals, counter illicit finance, build private sector partnerships, and cooperate globally to address this challenge. This work was carried out under the auspices of five working groups: resilience (co-led by Lithuania and India), disruption (led by Australia), counter illicit finance (led by the UK and Singapore), public-private partnership (led by Spain), and diplomacy (led by Germany).”

Last year, the White House National Security Council facilitated an international counter-ransomware virtual event with over 30 countries and the European Union, to accelerate cooperation to counter ransomware. Representatives zeroed in on actions such as improving network resilience, addressing the abuse of financial mechanisms, disrupting the ransomware ecosystem, addressing safe havens for ransomware criminals, and continuing diplomatic engagement in a meeting that was conducted virtually.

“At last year’s virtual summit, we convened ministers and senior officials from over 30 countries and the EU to accelerate cooperation to counter ransomware,” a senior administration official said in a background press call, when previewing the two-day second international CRI Summit. “And over the course of the year, we did just that. Together, the CRI partners worked to increase the resilience of all the partners, disrupt cyber criminals, counter illicit finance, build private-sector partnerships, and strengthen global cooperation to address these challenges.”

To further its work over the next year, the CRI will undertake a host of measures, including establishing an International Counter Ransomware Task Force (ICRTF), led by Australia as the ICRTF’s inaugural chair and coordinator. The move will coordinate resilience, disruption, and counter illicit finance activities in alignment with the ICRTF’s thematic pillars. Furthermore, ICRTF members will commit to contribute to the joint work of the coalition through information and capability sharing, apart from joint action in the fields of resilience, disruption, and countering illicit finance.

The CRI will also create a fusion cell at the Regional Cyber Defense Centre (RCDC) in Kaunas, led by Lithuania, to test a scaled version of the ICRTF and operationalize ransomware-related threat information-sharing commitments. The RCDC will publish semiannual public reports on ransomware trends and mitigation measures. Through this effort, the partners will share technical information about ransomware (tools, tactics, and procedures) with a spectrum of stakeholders. Data provided by participating members will be aggregated and summarized by the RCDC.

The members will also deliver an investigator’s toolkit, including lessons learned and strategies for responding to significant ransomware events and proactively tackling major cybercriminal hackers. It will also provide resources to build capacity to disrupt the threat of ransomware; and consolidate TTPs (tactics, techniques, and procedures) and trends for key identified hackers. The development will allow CRI partners to benefit from the breadth of expertise and technical capability brought together under the working groups.

The CRI will also publish joint advisories outlining TTPs for key identified hackers. Ransomware has impacts that extend far beyond the borders of CRI partners. Joint public advisories will offer warning and mitigation measures to the international community so that the global community is enabled to close vulnerabilities to these cyber criminals, amplifying collective reach.

The CRI Summit further coordinates priority targets through a single framework, focused on hard and complex targets. It will also translate these initiatives into concrete disruption results with law enforcement groups. Lastly, the CRI will undertake biannual counter ransomware exercises to further develop, strengthen, and integrate a collective approach to combating ransomware from resilience to deterrence.

Through the course of the CRI Summit, partners have committed to holding a second counter-illicit finance ransomware workshop to expand on the lessons learned during the first workshop led by U.S. Treasury in July 2022 and build capacity on blockchain tracing and analytics, which would include a tabletop ransomware exercise, coordinated with law enforcement.

They will also take joint steps to stop ransomware hackers from being able to use the cryptocurrency ecosystem to garner payment. This will include sharing information about cryptocurrency ‘wallets’ used for laundering extorted funds and the development and implementation of the international anti-money laundering/combating the financing of terrorism (AML/CFT) standards for cryptocurrency and related service providers, including ‘know your customer’ rules to mitigate their misuse by cyber criminals.

Partners will also actively share information between the public and private sectors, including through new platforms, on hackers and tradecraft. CRI members will also share information about ransomware strains on an active and enduring basis. Furthermore, they will pursue the development of aligned frameworks and guidelines to prevent and respond to ransomware, with particular regard to the provision of essential services and critical infrastructure. Members are also committed to mapping inter-jurisdictional issues.

Partners will also address ransomware across appropriate multilateral formats to establish broader-based practices, actions, and norms around countering ransomware activity and responses. These efforts will only be as effective as their implementation. Members of the CRI will strengthen their diplomatic engagement in appropriate multilateral fora and work together to increase political costs on countries that harbor and enable ransomware hackers. Additionally, partners will coordinate cyber capacity-building programs strategically to strengthen resilience, disruption capabilities, legal frameworks, and law enforcement capacity to combat ransomware in other countries.

Commenting on the international CRI Summit, Bryan Ware, CEO at LookingGlass, wrote in an emailed statement that it is laudable to see so many nations come together in an attempt to set new norms and standards in cyberspace, particularly when it comes to ransomware. “However, we won’t be able to truly move the needle until we agree on standards with our adversaries regarding fair behavior in cyberspace. In times of conflict, open lines of communication and rules of engagement can prevent miscalculation, accident, and escalation.” 

Ware says that this is especially critical when it comes to non-state actors who aren’t necessarily operating on behalf of their host government. “Russia and China need to be at the table.”

“While much of the conversation about harboring ransomware actors is focused on Russia (and rightfully so as they are responsible for the majority), it is important to note that other countries, especially China, also harbor cyber criminals,” Ware said. “And the North Korean government actively partakes in cyber criminal activity to fund their nuclear program.”

Last month, the Cyber Security Agency of Singapore (CSA) announced that the government has convened an inter-agency Counter Ransomware Task Force (CRTF) to develop and make recommendations on possible policies, operational plans, and capabilities. U.S. President Joe Biden also released a proclamation on the occasion of cybersecurity awareness month to highlight the importance of safeguarding the nation’s critical infrastructure from the malicious cyber activity and protecting citizens and businesses from ransomware and other attacks. 

In September, the Cybersecurity and Infrastructure Agency (CISA) and the Federal Bureau of Investigation (FBI) co-chaired an initial meeting of the Joint Ransomware Task Force (JRTF) last week. The initiative will bring together existing efforts and identify new initiatives to effectively leverage the unique authorities and capabilities across the government and the private sector, including actions to protect against ransomware intrusions more effectively and to disrupt ransomware hackers.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.