The White House brought together 36 countries, and the EU, for the Second International Counter Ransomware Initiative (CRI) Summit October 31-November 1, 2022. Throughout the Summit, CRI and private sector partners discussed and developed concrete, cooperative actions to counter the spread and impact of ransomware around the globe.
Ransomware is a pocketbook issue that impacts thousands of companies and individuals every year globally. The CRI Summit is a cornerstone of the Biden-Harris Administration’s efforts to disrupt ransomware attacks and a core part of our international cybersecurity agenda. While the United States has made concerted efforts under our own national authorities and capabilities to fight the scourge of ransomware, it is a challenge that knows no borders. Through this Initiative, the Administration is taking concrete actions with our international partners to protect our citizens and businesses from cyber criminals.
Over the past year, the CRI has worked to increase the resilience of all CRI partners, disrupt cyber criminals, counter illicit finance, build private sector partnerships, and cooperate globally to address this challenge. This work was carried out under the auspices of five working groups: resilience (co-led by Lithuania and India), disruption (led by Australia), counter illicit finance (led by the UK and Singapore), public-private partnership (led by Spain), and diplomacy (led by Germany).
To further this work in the next year, the CRI will:
Establish an International Counter Ransomware Task Force (ICRTF), led by Australia as the ICRTF’s inaugural chair and coordinator, to coordinate resilience, disruption, and counter illicit finance activities in alignment with the ICRTF’s thematic pillars. ICRTF members will commit to contribute to joint work of the coalition through information and capability sharing, as well as joint action in the fields of resilience, disruption, and countering illicit finance.
Create a fusion cell at the Regional Cyber Defense Centre (RCDC) in Kaunas, led by Lithuania, to test a scaled version of the ICRTF and operationalize ransomware related threat information sharing commitments. The RCDC will publish semiannual public reports on ransomware trends and mitigation measures. Through this effort, we will share technical information about ransomware (tools, tactics, and procedures) with a wide spectrum of stakeholders. Data provided by participating members will be aggregated and summarized by the RCDC.
Deliver an investigator’s toolkit, including lessons learned and strategies for responding to significant ransomware events and proactively tackling major cybercriminal actors; resources to build capacity to effectively disrupt the threat of ransomware; and consolidated “tactics, techniques, and procedures” (TTPs) and trends for key identified actors. This will allow CRI partners to benefit from the breadth of expertise and technical capability brought together under the working groups.
Institute active and enduring private-sector engagement based on trusted information sharing and coordinated action to improve our joint work towards operational disruption.
Publish joint advisories outlining TTPs for key identified actors. Ransomware has impacts that extend far beyond the borders of CRI partners. Joint public advisories will offer warning and mitigation measures to the international community so that the global community is enabled to close vulnerabilities to these cyber criminals, amplifying our collective reach.
Coordinate priority targets through a single framework, focused on hard and complex targets. We will translate these initiatives into concrete disruption results with law enforcement groups.
Develop a capacity-building tool to help countries utilize public-private partnerships to combat ransomware. The tool will feature a series of case studies of public-private partnerships that have been used in the counter ransomware fight.
Undertake biannual counter ransomware exercises to further develop, strengthen, and integrate our collective approach to combatting ransomware from resilience to deterrence.
Through the course of the Summit, CRI partners have committed to:
Hold a second counter-illicit finance ransomware workshop to expand on the lessons learned during the first workshop led by U.S. Treasury in July 2022 and build capacity on blockchain tracing and analytics, which would include a tabletop ransomware exercise, coordinated with law enforcement.
Take joint steps to stop ransomware actors from being able to use the cryptocurrency ecosystem to garner payment. This will include sharing information about cryptocurrency “wallets” used for laundering extorted funds and the development and implementation of the international anti-money laundering/combating the financing of terrorism (AML/CFT)standards for cryptocurrency and related service providers, including “know your customer” rules to mitigate their misuse by cyber criminals.
Actively share information between the public and private sectors, including through new platforms, on actors and tradecraft. CRI members will also share information about ransomware strains on an active and enduring basis.
Pursue the development of aligned frameworks and guidelines to prevent and respond to ransomware, with particular regard to the provision of essential services and critical infrastructure. Members are also committed to mapping inter-jurisdictional issues.
Address ransomware across appropriate multilateral formats to establish broader based practices, actions, and norms around countering ransomware activity and responses. These efforts will only be as effective as their implementation. Members of the CRI will strengthen their diplomatic engagement in appropriate multilateral fora and work together to increase political costson countries that harbor and enable ransomware actors.
Coordinate our cyber capacity building programs strategically to strengthen resilience, disruption capabilities, legal frameworks, and law enforcement capacity to combat ransomware other countries.