A critical piece in defending against ransomware is data sharing - however, a new report shows that private sector organizations, governments and cryptocurrency entities still need to make progress in working together to swap information about cyber incidents.
On Friday, the Institute for Security and Technology’s Ransomware Task Force (RTF), a coalition of more than 60 industry, government and law enforcement experts, posted a progress update on the 48 recommendations they had made in 2021 aimed at disrupting the ransomware threat ecosystem.
The report showcased several wins: As of May, 92 percent of the 48 recommendations have resulted in some degree of action, with about half experiencing “significant progress” in the form of policy adoption. The RTF said that it saw increased public-private collaboration and governments working together in order to launch investigations against ransomware operators; at the same time, the U.S. government has put teeth into various cryptocurrency regulations with recent sanctions of several exchanges and mixers that were being used in ransomware attacks. And while progress has also been made on cyber incident reporting, RTF said the industry still lacks a full picture about the scope, scale and impact of ransomware attacks.
“We are encouraged to see increased data sharing between the public and private sectors and among governments,” according to the RTF report. “However, factors like incomplete cyber incident reporting indicate that we still do not have a complete understanding of the scale and scope of this threat. As the ecosystem evolves, it is critical that governments continue to collect and process incident data, work to create target decks of ransomware developers, criminal affiliates, and ransomware variants, and share information with relevant stakeholders in a timely manner.”
"As the ecosystem evolves, it is critical that governments continue to collect and process incident data, work to create target decks of ransomware developers, criminal affiliates, and ransomware variants, and share information with relevant stakeholders in a timely manner.”
Part of the challenge behind ransomware incident reporting has been the stigma that comes with companies acknowledging they were victims, as cyberattacks can lead to both reputational and legal damages. At the same time, various complex reporting guidelines by the government - that exist at the state, local and industry levels - have made the process of reporting a ransomware attack more difficult.
An increased level of reporting could help government officials and the private sector interpret whether certain steps are effective (or not) in hindering cybercriminals. For instance, a more holistic picture could help the security industry understand why companies paying ransomware demands dropped from 85 percent in the first quarter of 2019 to 37 percent in the fourth quarter of 2022. Information reported by cryptocurrency entities, government agencies and ransomware victims in the private sector may shed light on whether these figures are the result of government sanctions or if they reflect underreporting.
Strides have been made over the past years in improving cyber incident reporting. For instance, the Cyber Incident Reporting for Critical Infrastructure Act that went into effect in 2022 brought a renewed focus both on reporting requirements for critical infrastructure sectors with built-in liability protections, and also an overall effort by the governments to better improve and standardize federal incident reporting. At the same time, DoJ officials have aimed to highlight the benefits of incident reporting by praising FireEye's role in publicizing its discovery of the SolarWinds attack on its own networks as “model behavior.”
“Overall, as with last year, we remain optimistic that stakeholders will persist in the fight to combat ransomware.”
However, the RTF said that it will take awhile for the government and private sector to create a better process for sharing ransomware information, such as a standard format for ransomware incident reporting. In the meantime, the security industry needs to encourage voluntary sharing, according to the report.
The RTF cited several other roadblocks that remain in disrupting the ransomware landscape. The adoption of baseline security practices among businesses - especially small and medium-sized ones - continues to be slow. While the government can play a role in providing resources, awareness campaigns and tabletop exercises to promote the adoption of security best practices, other organizations across the industry, such as cyber insurers, can also develop incentives for businesses in improving their security. Meanwhile, other incentives, including ones to discourage ransom payments by small or medium-sized organizations hit by ransomware, can encourage businesses to make more informed decisions if they do fall victim.
The ransomware threat landscape in general has continued to evolve over the past year. The use of ransomware in data theft and extortion campaigns was down 20 percent last year as attackers instead turned to threatening data leaks rather than encrypting data, for instance. The average lifespan of ransomware strains in 2022 was also down (from 265 days in 2020 to 70 days in 2022).
“Overall, as with last year, we remain optimistic that stakeholders will persist in the fight to combat ransomware,” according to the RTF. “Progress improved significantly over the past year, and when combined with progress in the first year, these collective acts should begin to pay higher dividends in terms of reducing the impact of ransomware incidents as well as bringing additional, global stakeholders into this effort. In the coming year we expect to gain even further ground and continue to build the coalition combating ransomware.”