48 countries pledge to no longer make ransomware payments to hackers, gangs, and other criminals.
The International Counter Ransomware Initiative, or CRI, recently announced that its member nations will pledge to no longer make ransomware payments to hackers, gangs and other criminals. Members of CRI, which include all of the European Union, Israel, the Republic of Korea, Uruguay, INTERPOL and the United States, announced the unified policy as a major step in combating the growing criminal enterprise of ransomware. The announcement also detailed plans to support its members when damaged by ransomware, to strengthen efforts to track and penalize ransomware criminals, and other measures that bolster cooperation internationally across all elements of the ransomware threat.
Why now?
Ransomware groups have grown increasingly bold in their crimes and ransom demands. Montenegro, Chile, Bermuda and Costa Rica all recently suffered severe ransomware attacks that locked up critical infrastructure and, in some cases, extorted millions of dollars from the victims. The U.S. government puts economic losses related to ransomware at about $20 billion for 2021. Ransomware groups directly received almost $400 million in payments in 2021, and if that’s not shocking enough, those numbers are expected to increase to around $900 million by the end of 2023, according to Chainalysis.
Unless effective measures are implemented, the facts over the past few years show an alarming pattern: the more payments made to criminals, the more crime committed seeking those payments. CRI policies are designed to limit total payments, thereby reducing the potential for future ransomware attacks, and ultimately reduce the attractiveness of ransomware cybercrimes.
There has been recent success using this type of international pressure. For example, international law enforcement, including the FBI, took down the ‘Hive’ ransomware group’s infrastructure, recently brought an end to an illicit website called the ‘Genesis Market,’ and disrupted the Qakbot botnet used for ransomware earlier this year. The CRI hopes to leverage these wins, based upon closely coordinated international cooperation, to gain even more ground against ransomware entities.
The CRI also announced a number of specific steps that will hinder and target ransomware groups, more specifically targeting the groups’ wallets.
CRI members will share a deny-list of known digital wallets used by threat actors, utilize enhanced information-sharing platforms, and deploy artificial intelligence to track ransomware payments moving through blockchain networks. They’ll also strictly regulate virtual assets and their associated service providers.
At this time, the pledge only prohibits national-level governments from making payments. What requirements will land on provincial, state and other government entities is unknown, or more likely will be determined on an individual nation-state basis.
What does this mean for your company?
Right now, it may mean very little. The pledge does not propose to ban private companies from making ransomware payments. In addition, many ransomware groups are believed to have links to countries such as China, Russia and North Korea, none of which are parties to CRI and which may directly support some ransomware groups. It remains to be seen what effects the CRI’s activities will have on ransomware groups with nation-state backing.
It should be noted, however, that paying a ransom never has a guaranteed return. Ransomware groups are profit-motivated criminals who may accept a payment and then escalate to a double or even triple extortion. Even if an initial payment is deemed sufficient by a ransomware group, it is never possible to know, with certainty, that stolen data will not be published or that a decryption key will work properly.
In addition, any entity considering a ransomware payment must be very careful not to pay anything to a digital wallet that is on a sanctions list or blacklist. Doing so may trigger investigations and substantial fines for aiding terrorist and other sanctioned groups who associate with ransomware groups.
If you have questions about your company’s compliance with cyber regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins' national cybersecurity and data privacy team.