The United States hosted a group of 37 nations and 13 global companies to discuss the problem of ransomware, as well as other cybercrime. The meeting was a follow-up to last year’s Counter-Ransomware Initiative (CRI), an informal gathering where nations reaffirmed their commitment to collaborating against the escalation of ransomware operations and voiced common priorities on cooperation and cyber resiliency. Because the CRI supports the United Nations’ framework for responsible state behavior in cyberspace, it was hoped that it would lead to establishing a set of state norms for how governments should address ransomware activities and hold those actors accountable. The group issued a joint statement reaffirming its commitment to combatting ransomware but fell short of this goal. The main takeaways from the two-day meeting were collaboration, taking the fight to ransomware actors, their infrastructures, and their payment channels, and continued information sharing.

Created to combat the global problem of ransomware, the CRI demonstrates the global community’s acknowledgement that ransomware is a major problem that knows no geographic boundaries. As with many international organizations, the CRI is not legally binding but instead relies on cooperation as a necessary foundation from which to execute disruptive operations against ransomware gangs. Since its inception, the CRI’s efforts have led to more collaboration in taking down ransomware operations, though the successes have not offset the scope and scale of the ransomware threat ecosystem.

What’s notable about the recent meeting in Washington was the addition of private sector companies to the discussion. Alongside prominent companies like Microsoft and Siemens, cybersecurity companies like CrowdStrike and Mandiant were in attendance, suggesting that a further strengthening of ties between private cybersecurity companies and governments may be on the horizon. It will be interesting to see exactly what role they will play, or whether their participation is more to provide expertise through threat reporting on the overall threat landscape. The fact that some global companies were present is a positive development and reinforces the need for public-private sector collaboration in addressing cyber threats. Given that private companies have been the primary targets of operators, their visibility into and experience in dealing with ransomware are pivotal for the government to get a comprehensive understanding of the problem. What’s more, this type of cooperation is what’s desperately needed to combat not only ransomware, but other forms of cybercrime as well.

Unsurprisingly, some prominent governments were not in attendance. Aside from Russia, China, Iran, and North Korea were noticeably absent. All of these countries have ties to ransomware operations, some of which have been linked to state actors seeking either to make money, as in the case of North Korea, to obfuscate cyber espionage, as with China, or to gain access into potentially sensitive critical infrastructure networks to potentially execute more disruptive attacks, as with Iran. The exclusion of these governments may have been intentional as a way to 1) avoid any unnecessary obstructions or pushback with respect to how to go after ransomware gangs, and 2) make it clear that the participants are drawing a line between “Us” who are victims of ransomware attacks and “Them” who have some level of responsibility for them. After all, the majority of ransomware operators have some link to Russia and Eastern Europe, where it has long been believed that Moscow – and maybe some other governments – allow cybercriminals to operate as long as they don’t target Russian interests. Approximately 75% of all money generated by ransomware in 2021 – almost USD $400 million – went to groups affiliated with Russia in some capacity, further supporting that contention.

Still, it does raise the question of whether more was lost by not inviting Russia or any of the others to such a gathering, particularly given the perception that Russia harbors and may even tacitly support its cybercrime community. It would make sense to allow Russia to propose a solution toward combatting ransomware activity, or the illicit use of cryptocurrencies that helps drive it, with the assistance of the 30+ participating nations present, rather than attack Moscow and put it on the defensive. At some point, the global community will need Russia’s assistance, much like when Russian authorities arrested members of the then-prominent REvil ransomware gang in January 2022. Perhaps that would have been a more productive way to lead such an international effort looking to codify law enforcement and legal means to address ransomware activity and groups. Trying to move forward without Russia’s involvement risks making “Us Against Them” a de facto policy in which Russia, or any of the aforementioned states, has no incentive to get these criminals under control.

It’s clear that ransomware is a serious threat for the foreseeable future. In 2021, the United States said it would impose fees on entities that paid ransoms to get back their data, a measure met with pushback, especially as it seemed to punish victims as much as the aggressors. This collaboration is a better track forward, though it should include Russia, as the second meeting of the CRI did not yield anything new among the attendees. Everyone is largely on the same page with respect to the need to reduce ransomware’s footprint and disrupt the cryptocurrency ecosystem that helps fund it. What needs to happen is crafting a way forward toward combatting it. And that requires the bridging of differences and the trust building that comes from better understanding how everyone can work together. And that includes those governments perceived to harbor or enable their ecosystems. Drawing a line between states on this issue threatens the continued balkanization of the Internet, with governments choosing sides rather than trying to solve a problem. If this doesn’t happen, the CRI will likely continue to have some successes but not to the degree that is needed to make a dent in ransomware, as the sophistication of the attacks increases faster than the ability to disrupt them.

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.