Open Forum #48 The International Counter Ransomware Initiative
Session at a Glance
Summary
This discussion focused on the global threat of ransomware and efforts to combat it through the Counter Ransomware Initiative (CRI). Panelists defined ransomware as a form of cybercrime where attackers encrypt victims’ data and demand payment for its release. They noted its evolution from simple encryption to more complex extortion tactics, highlighting its increasing frequency, scope, and severity worldwide.
The CRI, launched in 2021, was described as a coalition of nearly 70 countries working to build collective resilience against ransomware. Key benefits for member countries include capacity building, enhanced information sharing platforms, and strengthened computer emergency response teams. The initiative operates through four main pillars: the International Counter-Ransomware Task Force, policy development, diplomacy and capacity building, and public-private partnerships.
Panelists emphasized the importance of public-private collaboration in addressing ransomware, noting that private sector entities often detect threats before governments and own critical infrastructure frequently targeted by attacks. The role of cyber insurance in countering ransomware was discussed, with panelists highlighting its potential to improve cybersecurity resilience and assist in incident response.
The discussion also touched on the increasing vulnerability of emerging markets and developing countries to ransomware attacks. Panelists stressed the importance of international cooperation and proactive preparation to combat this threat effectively. They concluded by emphasizing that no country is immune to ransomware and that a collective, global effort is necessary to address this persistent cybersecurity challenge.
Keypoints
Major discussion points:
– Definition and current state of ransomware as a global threat
– Overview of the Counter Ransomware Initiative (CRI) and its activities
– Benefits of CRI membership for countries
– Public-private sector collaboration to combat ransomware
– Role of cyber insurance in countering ransomware attacks
The overall purpose of the discussion was to provide an overview of the ransomware threat landscape and explain how the Counter Ransomware Initiative is working to combat this global challenge through international cooperation and public-private partnerships.
The tone of the discussion was informative and collaborative. The speakers aimed to educate the audience about ransomware and the CRI’s efforts while emphasizing the importance of countries and organizations working together to address this shared threat. The tone remained consistent throughout, with speakers building on each other’s points in a constructive manner.
Speakers
– Jennifer Bachus: Moderator, Number two in the State Department Cyberspace and Digital Policy Bureau
– Elizabeth Vish: Senior Director of International Cyber Engagement at the Institute for Security and Technology, member of the CRI Public-Private Sector Advisory Panel
– Dan Haney: Head of Incident Handling Department at Nigeria’s Computer Incident Response Team, Coordinator of the Diplomacy and Capacity Building Track of the Counter Ransomware Initiative
– Audience: Attendees asking questions
Additional speakers:
– Nils Steinhoff: Cyber Foreign Policy and Cybersecurity Coordination Division at the German Federal Foreign Office
Full session report
Ransomware: A Global Threat and Collaborative Response
This discussion focused on the global threat of ransomware and efforts to combat it through the Counter Ransomware Initiative (CRI). The panel, moderated by Jennifer Bachus from the U.S. State Department, included experts Elizabeth Vish from the Institute for Security and Technology, Daniel Onyanyai from Nigeria’s Computer Incident Response Team, and Nils Steinhoff from the German Federal Foreign Office.
Understanding Ransomware
Ransomware was defined as a form of cybercrime where attackers encrypt victims’ data and demand payment for its release. The panelists noted its evolution from simple encryption to more complex extortion tactics, highlighting its increasing frequency, scope, and severity worldwide. Nils Steinhoff provided insight into the professionalisation of ransomware, describing it as “cybercrime as a service” with specialised vendors along the criminal supply chain.
Elizabeth Vish emphasised a significant shift in ransomware targeting, noting a “substantial growth in ransomware attacks in emerging markets” over the past two years. This expansion to developing countries and economies with fewer cybersecurity resources has heightened the global nature of the threat. Vish also briefly touched on the potential impact of artificial intelligence on future ransomware attacks.
The Counter Ransomware Initiative (CRI)
The CRI, launched in 2021, was described as a coalition of nearly 70 countries working to build collective resilience against ransomware. Daniel Onyanyai explained that the CRI “aims to build global resilience, bringing together countries to build global resilience, and also to offer support to member countries in case they are hit by ransomware.”
Key benefits for member countries include:
1. Capacity building
2. Enhanced information sharing platforms
3. Strengthened computer emergency response teams
The initiative operates through four main pillars:
1. The International Counter-Ransomware Task Force
2. Policy development
3. Diplomacy and capacity building
4. Public-private partnerships
CRI Membership and Information Sharing
Nils Steinhoff outlined the CRI membership process:
1. Interested governments write a letter of intent to the co-chairs of the Diplomacy and Capacity Building Pillar
2. A 14-day silence procedure allows members to object
3. If no objection is raised, the country becomes a member
Onyanyai highlighted that CRI members can request urgent assistance through established platforms, with technical teams from member countries providing support during ransomware incidents. He also mentioned specific information-sharing platforms developed by CRI members:
– Malware information sharing platform (Lithuania)
– Crystal Ball platform (UAE and Israel)
– CRI Portal (Australia)
Additionally, Onyanyai noted the mentorship aspect of CRI, where more advanced countries can mentor less advanced ones in handling ransomware threats. Information about member countries can be found on the CRI website (kamtaransomware.org).
CRI Stance on Ransom Payments
Onyanyai explained the CRI’s position on ransom payments:
– The CRI has a “no pay” policy for ransomware
– Most member countries endorse this statement, but it’s non-binding
– Individual countries may have their own policies on ransom payments
Public-Private Collaboration
Panelists emphasised the importance of public-private collaboration in addressing ransomware. Elizabeth Vish articulated the private sector’s willingness to collaborate, stating, “The private sector really does want to collaborate with mutual respect with the public sector… They want to work with governments and they specifically want to work with the CRI.”
Private sector entities often detect threats before governments and own critical infrastructure frequently targeted by attacks. Vish highlighted that the private sector can contribute through threat intelligence sharing and providing examples of successes and failures from which others can learn. She also mentioned IST’s blueprint for ransomware defense, available in multiple languages, which highlights actions small and medium-sized enterprises can take to reduce vulnerability to ransomware attacks.
The Role of Cyber Insurance
The discussion touched on the role of cyber insurance in countering ransomware. Panelists highlighted its potential to improve cybersecurity resilience and assist in incident response. Onyanyai mentioned that the CRI is working to enhance engagement with insurance companies, while Vish stressed that preparation is key to avoiding ransom payments and noted the role of cyber insurance in improving overall cybersecurity measures.
Conclusion
The speakers demonstrated a high level of agreement on the severity of the ransomware threat, the need for international and public-private collaboration, and the importance of proactive measures and information sharing. They concluded by emphasising that no country is immune to ransomware and that a collective, global effort is necessary to address this persistent cybersecurity challenge.
The discussion highlighted the complex and evolving nature of ransomware threats, the importance of initiatives like the CRI in fostering international cooperation, and the crucial role of public-private partnerships in combating this global cybersecurity issue. As ransomware continues to target a broader range of victims, including those in emerging markets and developing countries, the need for a coordinated, multi-faceted approach to building resilience and response capabilities becomes increasingly apparent.
Session Transcript
Jennifer Bachus: of you joining us online remotely who have not experienced the fun of IGF. We do have technical difficulties on a somewhat regular basis. I’m really sorry but I’m just gonna warn you in advance that there are kinks in the system. At least that was my experience yesterday and already can feel that a little bit today. But anyway with that very I just want to say hello. To introduce myself my name is Jennifer Bachus. I’m the number two in the State Department Cyberspace and Digital Policy Bureau and I am the moderator today. At least I will be when my mic is not cutting out. I just want to thank all of you for joining us in this session, this open forum on ransomware. I think everybody in this room is here because you recognize the incredible threat to the entire world that it’s a global shared threat that we need to address. It’s impacted our schools, it’s impacted our hospitals, it pretty much impacts everybody around the world, our citizens, our government, and everything we’re trying to do in a digitally interconnected world. For those of you who are not familiar with the Counter Ransomware Initiative or CRI as we call it, it’s a coalition focused on cooperating internationally to address the threat and develop policies and mechanisms that reduce the incentives of ransomware. It is a multi-stakeholder model and it has a private sector component and a large and diverse group of countries involved. And so I hope that today’s discussion will be of interest to many of IGF’s participants. I’m so happy to have with us today three great panelists. First of all, Daniel Onyanyai. Oh man, I’m really gonna kill your name. I’m sorry. I might let him say his own name because I think it’s super rude. Okay. He serves in the office of the National Security Advisor as the head of Incident Handling Department at Nigeria’s Computer Incident Response Team, the CERT.
In this role, he oversees key aspects of national cybersecurity including vulnerability management, digital forensics, incident response, and risk mitigation. He also, to today’s discussion, serves as coordinator of the Diplomacy and Capacity Building Track of the Counter Ransomware Initiative. Nils Steinhoff, who’s online, currently serves in the Cyber Foreign Policy and Cybersecurity Coordination Division at the German Federal Foreign Office. He supports the German cyber ambassador, Maria Adebahr, who together with Nigeria is leading the Diplomacy and Capacity Building Track. Welcome. And then also online is Elizabeth Vish, who is Senior Director of the International Cyber Engagement of the Institute for Security and Technology, which is a member of the newly launched CRI Public-Private Sector Advisory Panel. Elizabeth leads IST’s work, engaging international audience with recommendations from IST’s work on the future of digital security and the ransomware task force. She works on cybersecurity best practices, including how the public and private sector can collaborate. The multi-stakeholder community can offer cyber capacity building for developing countries. I also have to say, Elizabeth is a veteran of the State Department and worked in our Bureau, so is an embodiment of the multi-stakeholder approach to these issues. So great to have all of you here. So I have questions, which is what I think I’m supposed to do next, but if anyone has a different approach, just let me know. We’re gonna start with Nils. And so can you help us define ransomware a little bit more precisely? Can you give us an overview of the ransomware state of play? Over to you, Nils. Hello and good afternoon from Berlin, Germany. Can you hear me in the room?
Speaker: Somebody think that looks good? Great, thank you very much. So let’s hope for no more kinks in the technical setup. And thank you for organizing this very important and timely session at the IGF in Riyadh. I’ve been asked to talk a little bit about defining ransomware and giving you a little bit of a state of play. And I would start with a very brief definition and then get into the details about actors, numbers, international peace and security, and also ransomware generally is an act of decrypting a victim’s data and holding them for ransom to unlock this data. I think this is nothing new and it’s been around for quite a while. Mostly these attacks are financially motivated by cybercriminals who follow opportunities to ransom entities, mostly in the commercial sector, and have less of a strategic outlook on who they ransom. What we see globally is that this very profitable business has specialized to become a service. Cybercrime as a service, where we, along the criminal supply chain, observe specialized vendors such as initial access brokers, the ransomware groups themselves who then ransom the victims for money, but also afterwards money laundering experts in the illegal sector, so to say. What we see nowadays is less so the decryption of data on a victim’s system, but more the extortion to not publish the exfiltrated data. So instead of regaining access to your own system, which might not be super needed anymore if businesses have good business continuity plans and backups, the sensitive data within the commercial data that a company has is usually published on the Internet on so-called leak sites to increase the pressure on these stakeholders. 
So what we also observe, at least in Germany, we have a growing concern not only about financially motivated actors, but more so about strategically motivated actors or advanced systems within the context of geopolitical tension may disguise as random ransomware actors in order to conduct cyber sabotage operations that would then not be distinguishable from regular ransomware groups who may also wipe data. But this is something we have not observed yet in Germany. So this is a bit what we have. We started with the simple I lock you out of your system, pay me type of ransomware actors, and now we went in an ecosystem that extorts companies for not publishing their data or information in the data on third parties. If you go by the numbers, ransomware is a hugely profitable economic business for these malicious actors. Last year in 2023, according to Chainalysis, a blockchain analysis company, the obtained crypto assets surpassed 1.1 billion US dollars in assets. The average ransom paid was around 620,000 US dollars. But victims always pay less ransom because the business continuity plans are becoming better and better. So from 2021, where about half of the companies paid ransom, now we have about a third, or last year we observed about a third of companies paying ransom. The majority of victims is in the commercial sector. And of course, you know, as I said, mostly these criminals are motivated by financial motives, so they go for the weakest link in the chain, so to say. But we would also say that the, of course, commercial impact of the ransom paid is not the actual impact when we talk about, let’s say, later on the effects of international peace and security, when for example public utility groups. Maybe on the groups, we, roughly speaking, Germany tracks 100 ransomware groups, but 5% of these groups are responsible for around 50% of all the acts. 
So it’s a pretty, if you want to say, if you speak in industries, it’s a very concentrated industry overall, with the biggest players in the game currently being still, or last year before they were taken down, LockBit, Black Basta, and 8Base. I want to also touch a bit on the broadcast meeting conveyed under the auspices, so to say, or the logo of the CRI. As I said, economic damages are not just one element, you know, the damage of the ransom paid to a company, but the problem with the ransomware ecosystem is that it attacks those that are mostly more vulnerable in terms of cyber security, and that often are public service providers. For example, in the healthcare sector, and provide you an example from Germany from last year, we had a ransomware attack on a regional communal IT service provider. They were ransomed and their services are still in recovery mode 15 months afterwards and it affects the life of 1.7 million citizens and 20,000 public workers who cannot use their computers to provide basic services such as child support, such as unemployment benefits, which in Germany are paid at the communal level and it shows that the societal impact and the really destabilizing effect of ransomware that it has on communities and this has been recognized at the level of the United Nations both within the briefing that the United Kingdom but also within the open-ended working group under the auspices of the first committee where we just passed a resolution recognizing the threat of ransomware to international peace and security. I just want to close by saying you know it’s not obviously only terrible, well it is pretty bad, but at the same time it is not such that governments aren’t doing anything against it. So the problem of course with cybercrime is often that you have actors who are not within your own jurisdiction and you need cooperation between governments and if that voluntary will to cooperate is not there, what do you do?
So Germany and I think a lot of other jurisdictions are prosecuting individuals and malicious actors to disrupting ransomware groups and not only the operational sides but also getting the encryption and decryption keys, seizing crypto wallets or also as we recently did in Germany seizing crypto asset mixers which would launder illicitly obtained funds into legitimately looking crypto assets. I think one of the good examples was the Operation Cronos earlier in February of this year where multiple law enforcement agencies around the world cooperated to seize assets and server infrastructure of the biggest ransomware group LockBit and also I think it led to a few arrests if I remember correctly in more than one country and some people say it’s playing a game of whack-a-mole but in the end that is not true. It is a persistent process by which those that want to slowly but steadily take out both the operational infrastructure but also the criminal ecosystem that underpins its profitability. So I will leave it at that. Back over to Riyadh. I hope I stayed roughly within my time limit and I look forward to the rest of the discussion. Thanks so much for that.
Jennifer Bachus: So Elizabeth, building on that, recognizing that ransomware is of course an evolving threat, what do you foresee as the possible evolutions of the threat in the coming years?
Elizabeth Vish: Thank you so much and I’m happy to speak a bit about that. So the first thing I would say is that we’re seeing really substantial growth in ransomware attacks in emerging markets. It used to be that originally a lot of these criminals were attacking mostly companies in the Western Europe, United States, Australia, etc. In the last two years we’ve really seen a dramatic expansion of attacks against entities and companies and non-profits in the developing world in economies where there aren’t enough cybersecurity professionals, there aren’t enough resources to defend effectively. And at the same time, the criminals are also continuing to attack entities in the developed world. So it’s really in the globe. The other thing I would say is that we have also seen that the things that defend against ransomware, things like building resilience, building backups, having a reconstitution plan, the things that companies and entities can do to prepare for a cyber attack work for both ransomware and for other types of attacks. And so we would really encourage the use of cyber defenses, things like using multi-factor authentication, etc., in order to reduce the threat that ransomware poses. And then the other thing I would say is that over the next few years, we really anticipate that artificial intelligence may play a role in changing the nature of offenders. The tools that will be readily available to attackers could very well not just enhance their operations, but also afford them the ability to move at speeds that make it harder for defenders. So we would flag that while we haven’t seen really substantial adoption of artificial intelligence by ransomware threat actors yet, we would highlight that that could certainly come. 
And the other thing I’d say is that for all of the threat is evolving, a lot of what we see is the same old stuff, where ransomware attackers will get in through vulnerabilities that haven’t been fixed and will both encrypt the data and steal the data. And so there’s a lot of really basic things that people can do to defend that are still very effective. I’ll highlight that IST published the blueprint for ransomware defense. We published it in Portuguese, Spanish, and English. And it highlights things that small and medium-sized enterprises can do to make their surfaces less vulnerable to ransomware attacks. And we found that if those had been implemented in a few case studies, the ransomware attackers from succeeding. So we’d highlight that. And then we’d also say that the reality is that a lot of these criminals won’t necessarily face prosecution because they are resident in jurisdictions that don’t choose to prosecute cybercriminals. And so it’s really important that we take a proactive self-defense posture. I’ll stop there. Thank you.
Jennifer Bachus: Thanks, Elizabeth. Daniel, can you tell us more from your point of view about the CRI, what it is, why it was started, from your perspective?
Daniel Onyanyai: Okay. Thank you very much. CRI, I want to appreciate Niels and Vish for giving us a background about this ransomware. The CRI is a global coalition of governments and organizations that are coming together to build collective resilience against these threat actors. You know, where attackers, in a way, hold systems, lock systems, and then steal critical data and then request for ransom before they can release it. So it has become a global pandemic, and that is what necessitated the CRI. And the CRI aims to build global resilience, bringing together countries to build global resilience, and also to offer support to member countries in case they are hit by ransomware. Of course, you know, you cannot fight these criminals in isolation. So we have networks. Like, you know, now the ransomware ecosystem has been formed in a way that, you see, we have the ransomware operators on one hand, then we have the ransomware affiliates on the other hand, and then we now have the access brokers on another hand, each of them with different responsibilities but working together, and then sharing the ransom based on percentage. So it’s a big organized crime. So the CRI was formed so that countries can be well prepared, build collective resilience with one another, and then target these threat actors and hold them responsible for their actions, and also to cut off their illicit finance, you know, how they launder money through this cryptocurrency. So we want to be able to cut off that incentive, because the goal is just money. So if you can cut it off, you’ll be able to reduce their crime. And, of course, also to bring in the private companies so that we can improve on protections also. because the government alone cannot fight this criminal. We need the private sectors who can also, because they develop the softwares, they develop the systems, most of these attack, they see it more than we can see them, you know, from the government perspective. 
And so the CRI wants to make sure that the private sectors are… And then the other aspect is that we need to collaborate with one another to also build this resilience. Then why was this CRI, when was it launched or how did it start? Now, after the COVID, we discovered cybercrime, you know, continue to increase cyber attack, continue to increase because of the escalating impact of ransomware. Today, ransomware has increased in frequency, ransomware has increased in scope, and ransomware has also increased in severity. Before we used to have these, it started with just a single extortion method, lock your system or lock your data, then request for ransom, you pay ransom. You know, of course, there’s no guarantee whether you will get it, it’s just how it was. And then it moved to double extortion, whereby they lock up your system or your data, and then they also exfiltrate those data. And then, you know, threatening that if you don’t pay the ransom, then they will release the data to the public, thereby making the victims, you know, to take immediate action. But currently, it has now moved to multiple extortion method, which even if after targeting the victim, they also move to the clients or customers of the victim, you know, to also, that the access is to make them to take action and to get those things. So because of this escalating impact, that was why the CRI was formed. And also, you know, that another second reason is that the cross-border nature of cybercrime, you know, ransomware actors can be in any jurisdiction and be committing these crimes. And so, we need international cooperation for us to be able to bring them to justice. We need international cooperation for us to cut off their source of… That is one other reason. And the other reason is that government have come to realize that there is this urgent need, you know, for proactive solutions. You can’t just sit back. You need to be proactive, you know, before the attack. 
So countries need to put in place measures, you know, to keep themselves safe and put in place mechanisms. It could be in form of policies, in form of guidelines, but the end goal is that everybody must put in place structures to be able to withstand these people and also to support one another. Then CRI started specifically in 2021. It was launched and it was, you know, initiated by the United States government. In 2019, 2020, you will see that, you know, the number of attacks in most countries, like for example, in the United States, as at 2020, 2021, the number of ransomware attacks that was recorded was over 2,000 as at that point. And so, if you look across different countries, you will see so many countries recording thousands of attacks within a year. And so, there was this urgent need to, you know, bring countries together so that they can discuss this, the impact of ransomware. And so, in 2021, governments and organizations came together, even though it was a virtual gathering, to discuss, you know, to align their strategies, their policies, and their concerns so that they will be able to fight, to build collective resilience against these ransomware actors. So, that was how it began in 2021. Thank you. Thanks for that. And
Jennifer Bachus: CRI is doing to tackle ransomware now. Absolutely. So, currently, after the last
Speaker: summit, which the United States hosted in Washington in early October, the CRI’s members are broadly, let’s say, organizing around the idea that to address ransomware, we, as the, you know, states that are members of the CRI, need to tackle the problem in a holistic way by disrupting the criminal ecosystem that really underpins the profitability of ransomware attacks. So, not only address ransomware actors, but address the profitability to reduce the incentives. Right now, the CRI is organized along four work streams, we could say, that focus on building resilience, on cooperation, on policies, and on, you know, as much as possible attacks. I want to maybe just give you a rundown of the four pillars, which are called the International Counter-Ransomware Task Force, the so-called Policy Pillar, the Diplomacy and Capacity-Building Track, and the newest addition, the new work stream on public-private partnership that Daniel just mentioned, and I think Elizabeth, too. To start with, as, you know, Jennifer, as you said, the CRI is a multi-stakeholder, but also multi-agency model. If we want to address the ecosystem, we need to bring everybody in on the government side and on the company side who has the right tools to address the system, cyber security agencies, its police forces, it’s those that deal with crypto-assets laundering, but it’s also those that deal with diplomacy and with capacity-building. To give you an idea about the different work streams, maybe to start with the International Counter-Ransomware Task Force, where mostly police agencies, so cyber emergency response teams, come together under the leadership of Australia and Lithuania. 
Over the three years of its existence, the so-called ICRTF, I’m not going to repeat that name all the time, has developed two information-sharing platforms where members can share tactics, techniques, and procedures, but also indicators of compromise on ransomware attacks, and Australia has developed a website where Daniel has said, you know, one important element is also solidarity, so members can ask ongoing ransomware attack. Secondly, we have the policy pillar under the leadership of the United Kingdom and Singapore that have really worked around common challenges outside of just law enforcement that help tackle the ransomware ecosystem. Because they’ve been so active, I’m going to give you three examples, I think, that really highlight the variety and the width, so to say, of the Counter-Ransomware Initiative. France and Netherlands worked on cyber insurance, because cyber insurance is really both a tool to diversify and spread risks across the economy, but also to incentivize good behavior for companies in order to become more cyber secure and comply with basic cyber hygiene that Elizabeth outlined. Secondly, Australia released a playbook for businesses that helps them prepare for and react to and recover from small and medium-sized businesses that usually don’t have their own IT department to deal with cyber security. And then thirdly, Albania led a project on the implementation of Rule 15 of the International Financial Action Task Force that deals with the regulation of crypto assets. So, you know, this policy pillar shows you the width of the ecosystem that the criminals use, but we also address within the CRI. 
And then the last, or second to last, and then I’ll stop, we have the Diplomacy and Capacity Building Pillar that Nigeria and Germany, so me and my cyber ambassador Maria Adebahr are chairing, where we try to, you know, connect or help people find more resources on capacity building, because, as you can see from the variety of topics, capacity building is not only about technical capacities for emergency responders, but it really requires a lot of entities in your government to be up to date and to be able to work together with their agencies. And to close with, I want to highlight Canada’s work on public-private partnership, because as Daniel said, the software we use, the infrastructures that even our government systems run on, are often maintained and updated and held cybersecure by private companies. They see something in the networks, sometimes even before we do, and therefore having a solid foundation for public-private partnership, and IST has done some great work on these types of public-private partnerships, it’s absolutely key to have this holistic view on the profitability of the cybercrime ecosystem that is ransomware today, and we hope that over the next year we will find productive ways to advance on this public-private cooperation. And maybe one last fact, we’re closing in on 70 members, and we almost doubled in size by two years, and I think this really, really underlines how big of an issue ransomware has become all over the world, for any country, along these different lines of work.
Jennifer Bachus: Thanks, appreciate that. And for you, Daniel, what do you see as the benefits of CRI to member countries?
Daniel Onyanyai: Okay, so there are a lot of benefits for members, just like Nils mentioned. The first is capabilities. The CRI is really concerned because you need to build capacities for member countries so that they can be able to respond, maybe identify a ransomware attack, they will be able to have the capabilities to detect, to respond, and to also disrupt the activities of this criminal. So you enjoy that we provide capacity building through different collaborations with organizations that offer. These are already members of the CRI. We have the Council of Europe, we have the Interpol, we have so many of them who are also willing to join the CRI. And another benefit is that we have an enhanced information sharing platforms within the CRI. We have developed platforms, platforms like the malware information sharing platforms, which was developed by Lithuania. And then we have another platform we call the Crystal Ball, which was developed together between UAE and Israel. Australia also developed the CRI Portal. These platforms will help member countries to report incidents, seek urgent assistance. We have had instances, for example, like in Nigeria, when a private organization reported an incident, a ransomware attack to us. So immediately we escalated. And then it didn’t take up to some hours, few minutes, few hours, we started getting response from countries. And so the platform is there. So immediately you go into the platform for urgent assistance. Every country on that platform will be notified immediately. And then you will begin to see support from other countries. So there is nothing more reassuring than knowing that when, as a country, you are under attack, you have other backups, you know, from other member countries who are willing to support you and ensuring that you recover from such attacks. And also on the Crystal Ball platforms and on the MIS platform, you receive threat intelligence that will enable countries to stay proactive and to glean on the experience of other countries who are going to ransomware attacks. So you also find indicators of compromise in that place for you to enrich your platforms to be able to detect the activities of these.
We also provide on those platforms, we have access to resources. So you have access, country-shared resources on that platform that is available only to member countries. And also what CRI, another thing that, another benefit you can enjoy is that CRI is committed to strengthening the capacities of the computer emergency response teams of member countries so as to, you know, make them to have, to be able to detect these activities, to conduct investigations, you know, of ransomware activities. So there are quite a whole lot of benefits that you can enjoy by joining the CRI. This is just to mention a few of them. Thank you.
Jennifer Bachus: Thank you for that. So Elizabeth, as was noted, the public-private cooperation within CRI are the pillar. The public-private cooperation has existed for a long time, what are the expectations for this sort of enhanced role in CRI?
Elizabeth Vish: That’s a really great question and thank you. First of all, I want to say thank you to the United States and to Canada for the work that Canada has done to launch the public-private sector advisory panel. The team at Public Safety Canada has been working hard to get everyone who can be part of it engaged in rowing in the same direction. My thoughts are that the private sector really does want to collaborate with mutual respect with the public sector and IST runs the Ransomware Task Force, which is a group of more than 60 experts that come together to combat ransomware. It’s a coalition led by the Institute for Security and Technology. We’re a non-profit think tank, so we can bring people together in sort of a neutral third space to talk about the ransomware threat. And we’ve heard a lot from our members. They want to work with governments and they specifically want to work with the CRI. They really think that they have a lot to offer to help combat this threat and that includes things like threat intelligence, that also includes things like examples of successes and examples of failures from which you can learn. I always really love to highlight that there are lessons learned from failures and if we learn those lessons, then we can avoid the failures in the future. There are lots of things that the private sector could do. They have the capacity to help governments recognize threats. They have the capacity to build and improve resilience. Private sector entities that are really capable of handling response when an incident or an attack occurs. I’ll also highlight that the private sector owns and operates a significant portion of critical infrastructure and critical infrastructure are the frequent targets of ransomware incidents. So it’s really important that the private sector be part of the conversation when it comes to addressing threats of ransomware.
So my expectations for the advisory panel or the advisory group, it’s intended to bring together experts from both the public and private sectors to collaborate on cybersecurity issues related to ransomware, its primary recommendations and strategies to address ransomware threats, enhance cybersecurity measures, and strengthen national and international cyber resilience. We’re working on a work plan right now that will outline how the group is going to collaborate over the next year when it comes to building that collaboration between CRI members and the private sector. Our focus is really on providing advice and support to CRI members and to support, for example, Mills mentioned efforts related to insurance and how insurance can play a role in enhancing cybersecurity preparedness. That’s an area where most insurance companies are private companies. And so exchange of information and advice regarding that could be an opportunity for the CRI members to better target their engagement with insurance companies and better improve sort of the collaboration so that the insurance companies can do more. There’s some work that we’re doing at IST, which was, again, we’re sort of a nonprofit think tank that relates to the role that insurance can play in improving resilience. And so that’s just one of very many examples of the ways that the private sector can contribute. And we hope that CRI members will engage in a really robust conversation with the six members of the private sector advisory group so that we can help address this threat, which all of us face. Thanks, Elizabeth. And I know if you’re involved in this, there will be robust engagement. So I have no worries on that front.
Jennifer Bachus: So I know we have comments online, but also I want to start by, first of all, acknowledging the very full room here, which I’m very pleased to see. And to see if any of you here in the room have questions that you want to pose. I see one over there. And then I see one over there. And we’ll see whether we take more than one at once. So go ahead, please, sir.
Audience: Good afternoon. I’m Rapitson from Cambodia. So first of all, thank you for the moderator and panelists. And I would like to ask if Cambodia is indeed a member of the CRI. And if it is not, what is the criteria to join the CRI? Thank you.
Jennifer Bachus: I think I can answer that question, but maybe somebody else wants to instead. My understanding is Cambodia is not yet a member of CRI. There is a process through which you put in an application, and the CRI members consider it. But there is, I don’t know if Niels or if one of the people wants to elaborate a little bit more specifically on that. I could. Or Daniel, do you want to take it from the floor? Up to you. Okay. Just, okay. Continue. All right. Thank you for the question.
Speaker: The application process is relatively simple. The interested governments would write a letter of intent. The co-chairs of the Diplomacy and Capacity Building Pillar, which would be Nigeria and Germany. Daniel in the room maybe could give you the contact information afterwards. And then there’s a 14-day silence procedure under which members can object to the membership request.
Audience: And if no objection is incurred, the country that applied for membership would become a – write a letter, wait around 14 days, and if no objection is signaled, then you would become a member. Okay. Let me add this. You know, we have never seen countries objecting other countries, you know, from not joining. So you don’t have to be afraid of that. All right. Thank you.
Jennifer Bachus: Yeah. I think we try to recognize that this is a shared communal threat and that the more countries that come together to battle the threat, the stronger we’ll all be. And then with that, sir, I think you had a question over there.
Audience: So hi. This is Adnan Malik. I’m from Pakistan. Thank you, Daniel. Thank you, Nils. Thank you, Elizabeth, for the insightful discussion. But I’m still having a hard time navigating, you know, the support points. I mean, how do you guys provide support to the member state entities? For example, if I have to give you, for instance, if you know Kaspersky, they have this initiative, No Ransom. You know, so like the decryption keys. So they have like a list of directories. So if you got attacked, if you’re an individual or maybe an entity and you got attacked by any popular ransomware, what they do is they provide you with a decryption key since, you know, it’s a very huge platform and they got a good threat intelligence teams. So I’m still trying to navigate the, you know, support. I mean, how that goes, how that work. Are you guys involving your technical teams or is it a consultancy only? The second point is, is there a directory where we can find the, you know, who are already part of the CRI? I mean, I would also, you know, love to see if my country were there. So yeah. Thank you.
Daniel Onyanyai: Okay. Okay. So you can find information. We have a website, kamtaransomware.org. And then for the other first question, the support we offer comes from the technical teams of the member countries. For example, if you request for support, the U.S. CERT may decide to offer that support, the Australian CERT. And that is why one of our goals is to strengthen the capabilities of the computer emergency response teams who are directly involved in responding to incidences like that. So in terms of the decryption key, first of all, when you report, if it’s a known cybercrime group and the decryption of any of the countries who are offering support to you, they will be able to release it to you. But if there are other things, you know, for example, you are faced with a new ransomware group maybe that have been in assistance in another country. So they will have more experience. So and if they have none, they can request for the indicators of compromise and some artifacts to also you send it to them like the one that happened in Nigeria. We extracted those indicators of compromise, those artifacts, and then forwarded it to those countries or those organizations who are offering support. For example, like the Interpol, we offered to them because none of them had the key to decrypt it, but they also have to also assist in the investigation process. So it depended on how well you want their support, whether you want to provide it to them or you want to give them a channel to provide support for you. But in any case, it is the technical agency or team of member countries that usually offer those investigative support. Thank you.
Jennifer Bachus: I don’t know if I answered the question correctly. Do either of the people online have anything they want to add? Elizabeth Niels? OK. Can you hear me? Did you have anything you wanted to add? Yeah. OK. Nothing to add. Great. Do we have another question from the room? OK. I saw there were. I will acknowledge that my ability to read the questions or comments is limited here in the room, but I think we might have somebody. No, it just seemed maybe that was just participants. That was exciting. Any other? OK. I think we have like maybe five more minutes. Oh, there is a question. Great. Am I audible? Yes.
Audience: Can you tell us a little bit more about how effective cyber insurance is in countering ransomware attacks? Thank you very much.
Daniel Onyanyai: OK. What we did is cyber insurance is actually what the CRI has been pushing. We have also made, involved the insurance companies of members’ countries. We had sessions with them, and we have also come up with guidelines on how the insurance company can come in to assist when it comes to ransomware attack so that they will be able to cover up for so many things. So we have done a lot to bring them on board. But it depends on how the countries, you know, because they are also subject to your country’s law. So it’s not like the CRI is overriding the country’s law. But what we have done is to always is to bring up, you know, those guidelines, those guidance, and also involve them. And before the summit, we had a session with them. And then after then, there was a guideline that was produced of which countries in collaboration with the insurance sector or the, what would I call it now, the responsible agencies, the responsible insurance agency in their country, or the regulator of the insurance sector in their countries. For example, like in Nigeria, we had to, for us to endorse that guidance or that statement, we have to involve them in it, and we endorsed it. So it means that for us in Nigeria, we are going to no guidelines or guidance that is released by the CRI. Does it need to identify them to pay? To pay? Okay, no, okay, to pay the ransom is not for us in the CRI, it is a no pay. So we have a statement to that that we don’t encourage and member countries should not pay ransom. And many member countries endorse that statement. So but as to whether your country will allow payment in some ways is dependent on your country. Even though most country endorse that statement of no pay, some country is the binding statement, it’s a non-binding statement. But most countries decide to leave it open as to whether to pay or not to pay. But for us in Nigeria, we don’t pay ransom and we don’t encourage. 
So even though at the back, people may decide to pay, it’s left for them, but for us as a nation, it is a no pay. Smith, you wanted to add something?
Elizabeth Vish: Yeah, absolutely. I think, so more broadly, as the potential to play a role in increasing resilience. I would say that there’s some great research that the Royal United Services Institute in the UK has done related to the role that insurance can play in reducing ransomware attacks. One role that insurance can play is helping the companies that they insure to improve their cybersecurity resilience and reduce their vulnerability to ransomware attacks. And that’s not something that all insurance companies do, but it can certainly play a role. The other thing that insurance companies can do is to help companies that they insure get attacked, they can help those companies to reconstitute their networks and get back up and running more quickly. Some insurance companies, when an attack occurs, bring on specific incident responders to help the company that was insured, that purchased the insurance, to respond more quickly. But I would just refer you to that research by RUSI. It’s a really good paper looking at the role that insurance can play. Obviously, they are looking from a UK perspective, but I think that the UK perspective can be valuable for many different global operating contexts. Thanks. And then the other, oh, the other thing I’ll highlight, which I think just, is the statement that was produced at the end of the last CRI summit in October, that does sort of mention the best practices for response and includes that as part of a sort of overall approach to responding to an incident. It was endorsed, as mentioned, by many members and by some insurance consortiums. So I would just highlight that as a place that people go to approach a response to an incident. And it offers the perspective that some insurance companies have endorsed. So those are both really good resources to go to when it comes to insurance and ransomware. Thank you. Thank you very much.
Jennifer Bachus: There’s two questions in the chat, which I will launch, and I think then we are coming to the end. One is, how do you authenticate if a private organization who is developing software is legitimate? And the second is, how well is third world countries prepared to deal with this situation like this on their own? So I will see who wants to take one or both of those questions. Would you like to start with the second question? Anyone?
Elizabeth Vish: I can jump in on the second question. IST does an annual report on the ransomware threat. We’re mostly looking at data from leak sites, so it’s not perfect data. But I would say that overall, we’ve really seen the number of attacks against emerging markets, against emerging economies in developing third world countries go up. We’ve seen them go up over the last two years that we’ve done this report. We’ve really seen the increase in attacks against especially critical infrastructure in many places. And also sort of, to be frank, like the place where money is so things like banking and financial institutions, we’ve seen attacks against government actors and government entities like pension funds. So there was a case where cyber criminals attacked the pension fund of a small Caribbean island nation that made it hard for retirees to get their money, which is obviously a real threat to human health and wellbeing. And we don’t… So that’s really why we are underscoring the value of collaborating between government and private sector and also why we’re underscoring the importance of preparation. We have a joke, prepare, don’t pay. And we don’t mean that in the, you can’t pay, but rather avoid paying by preparing. You won’t get attacked, therefore you won’t have to even think about the payment conversation if you can be well-prepared. So I’ll sort of highlight that as the best way. I would also highlight that, when it comes to the question of… I don’t think that anyone should be dealing with this threat on their own. I think that the collaboration CERT to CERT, which has been highlighted here already, collaboration between national cybersecurity authorities, like in the US we have the cybersecurity and critical infrastructure authority. The Spanish government has NCBA. There are many sort of national authorities that would like to collaborate with one another. I’ll highlight that the State Department actually… Has collaboration when it comes to building national CSIRT capacity and also including in collaboration with Nigeria.
And I think that that’s really the future of defending against this threat is improving partnerships and improving collaboration. The private sector really does wanna contribute, wanna play a role, both in investigating and disrupting these criminals and also in preparing for and recovering from this threat. So I would also encourage national authorities in developing countries to think about how they can get collaboration, to improve collaboration with the private sector. So that no one is alone, but rather we’re all addressing this threat together.
Daniel Onyanyai: Okay, so just to add, when you join the CRI, you are no longer alone. And to deal with some of these issues, what CRI has done is to provide kind of another country. You know, we mentor maybe a country who is less advanced when it comes to handling these kind of threats. So the collaboration, in quotes, will not be that whatsoever thing you need. So you can request from your mentor, they will guide you on the process to go. But the responsibility for you to authenticate a private organization still lies in your country. And then if, as a country, you don’t have what it takes to identify that, you can seek assistance through the CRI. And those assistance can be provided to do it. I don’t know if you understand that. On how to do it, it’s not like the CRI will come to your country and do this authentication. But then there are guidance, there are best practices, and there are resources that can be provided for member countries, you know, to be able to authenticate the private organization that provide those software. So that is why I said you are not alone. You can always seek for assistance, and you can also have access to the resources provided. Thank you.
Jennifer Bachus: Thanks for that. And I wish I could give everyone another shot to say a last word, but I’m getting the wrap-up sign, actually, pretty insistently at this point, and the closed captioning has ended. So I think that is going to end this event. I just wanted to thank our panelists for the amazing collaboration and work, and for all of you for showing up here today. Ransomware is an incredibly challenging issue that will take all of us to continue to battle it, and just to say that there is no country that is immune, and we all need to work together. So thanks to everybody. Thank you for joining us remotely. Thank you for joining us in person, and I look forward to seeing you all around IGF. Thanks.
Speaker
Speech speed
134 words per minute
Speech length
1992 words
Speech time
889 seconds
Ransomware encrypts data and demands ransom for decryption
Explanation
Ransomware is a type of cyberattack where attackers encrypt a victim’s data and demand payment for decryption. This is a basic definition of how ransomware operates.
Major Discussion Point
Overview of Ransomware Threat
Agreed with
Daniel Onyanyai
Elizabeth Vish
Agreed on
Ransomware is a significant global threat
Ransomware is a profitable criminal business model
Explanation
Ransomware has become a lucrative business for cybercriminals. The profitability of ransomware attacks incentivizes criminals to continue and expand their operations.
Evidence
According to Chainalysis, obtained crypto assets from ransomware surpassed 1.1 billion US dollars in 2023. The average ransom paid was around 620,000 US dollars.
Major Discussion Point
Overview of Ransomware Threat
Agreed with
Daniel Onyanyai
Elizabeth Vish
Agreed on
Ransomware is a significant global threat
CRI has four main work streams to address ransomware holistically
Explanation
The Counter Ransomware Initiative (CRI) operates through four main work streams to comprehensively tackle the ransomware threat. These work streams focus on different aspects of the ransomware ecosystem.
Evidence
The four work streams are the International Counter-Ransomware Task Force, the Policy Pillar, the Diplomacy and Capacity-Building Track, and the public-private partnership work stream.
Major Discussion Point
Counter Ransomware Initiative (CRI)
Agreed with
Daniel Onyanyai
Elizabeth Vish
Jennifer Bachus
Agreed on
Collaboration is crucial in combating ransomware
CRI membership process is relatively simple
Explanation
Joining the Counter Ransomware Initiative (CRI) is a straightforward process for interested governments. The application process involves submitting a letter of intent and waiting for approval.
Evidence
Interested governments write a letter of intent to the co-chairs of the Diplomacy and Capacity Building Pillar. There’s a 14-day silence procedure for members to object to the membership request.
Major Discussion Point
Counter Ransomware Initiative (CRI)
Daniel Onyanyai
Speech speed
118 words per minute
Speech length
2231 words
Speech time
1128 seconds
Attacks have evolved to multiple extortion methods
Explanation
Ransomware attacks have progressed from single extortion to multiple extortion methods. This evolution includes not only encrypting data but also threatening to release stolen data and targeting clients or customers of the victim.
Evidence
The speaker describes the progression from single extortion (locking systems/data) to double extortion (encrypting and exfiltrating data) to multiple extortion (targeting victims’ clients/customers).
Major Discussion Point
Overview of Ransomware Threat
Agreed with
Speaker
Elizabeth Vish
Agreed on
Ransomware is a significant global threat
CRI is a global coalition to build resilience against ransomware
Explanation
The Counter Ransomware Initiative (CRI) is an international coalition formed to combat ransomware threats. It aims to build collective resilience and support member countries in dealing with ransomware attacks.
Evidence
The CRI brings together countries to build global resilience and offer support to member countries in case they are hit by ransomware.
Major Discussion Point
Counter Ransomware Initiative (CRI)
Agreed with
Speaker
Elizabeth Vish
Jennifer Bachus
Agreed on
Collaboration is crucial in combating ransomware
CRI provides information sharing platforms for members
Explanation
The CRI has developed various platforms for member countries to share information about ransomware threats and incidents. These platforms facilitate collaboration and support among member countries.
Evidence
Platforms mentioned include the malware information sharing platform developed by Lithuania, the Crystal Ball platform developed by UAE and Israel, and the CRI Portal developed by Australia.
Major Discussion Point
Counter Ransomware Initiative (CRI)
CRI is working to enhance engagement with insurance companies
Explanation
The CRI is actively involving insurance companies from member countries to assist in ransomware attacks. They have developed guidelines on how insurance companies can help during ransomware incidents.
Evidence
The CRI has held sessions with insurance companies and produced guidelines for countries to collaborate with their insurance sectors.
Major Discussion Point
Public-Private Cooperation
Elizabeth Vish
Speech speed
142 words per minute
Speech length
1819 words
Speech time
767 seconds
Attacks are expanding to emerging markets and developing countries
Explanation
Ransomware attacks are increasingly targeting entities in developing countries and emerging markets. These areas often lack sufficient cybersecurity resources and professionals to defend against such attacks.
Evidence
The speaker mentions a dramatic expansion of attacks against entities in the developing world in the last two years.
Major Discussion Point
Overview of Ransomware Threat
Agreed with
Speaker
Daniel Onyanyai
Agreed on
Ransomware is a significant global threat
Private sector wants to collaborate with mutual respect
Explanation
The private sector is eager to work with the public sector to combat ransomware threats. This collaboration is based on mutual respect and recognition of the value each sector can bring to the fight against ransomware.
Evidence
The speaker mentions that IST runs the Ransomware Task Force, which brings together over 60 experts to combat ransomware.
Major Discussion Point
Public-Private Cooperation
Agreed with
Speaker
Daniel Onyanyai
Jennifer Bachus
Agreed on
Collaboration is crucial in combating ransomware
Private sector can provide threat intelligence and improve resilience
Explanation
The private sector has valuable resources to offer in the fight against ransomware. This includes providing threat intelligence and helping to build and improve resilience against attacks.
Evidence
The speaker mentions that private sector entities can help governments recognize threats, build resilience, and handle response when an incident occurs.
Major Discussion Point
Public-Private Cooperation
Preparation is key to avoiding ransom payments
Explanation
The best way to avoid paying ransoms is to be well-prepared for potential attacks. This preparation can help organizations avoid being attacked in the first place, eliminating the need to consider ransom payments.
Evidence
The speaker mentions a motto: “prepare, don’t pay,” emphasizing the importance of preparation in avoiding ransom situations.
Major Discussion Point
Responding to Ransomware Attacks
Jennifer Bachus
Speech speed
145 words per minute
Speech length
1321 words
Speech time
544 seconds
Collaboration between government and private sector is key
Explanation
Effective response to ransomware threats requires cooperation between government and private sector entities. This collaboration is crucial for addressing the complex and evolving nature of ransomware attacks.
Major Discussion Point
Public-Private Cooperation
Agreed with
Speaker
Daniel Onyanyai
Elizabeth Vish
Agreed on
Collaboration is crucial in combating ransomware
Agreements
Agreement Points
Ransomware is a significant global threat
Speaker
Daniel Onyanyai
Elizabeth Vish
Ransomware encrypts data and demands ransom for decryption
Ransomware is a profitable criminal business model
Attacks have evolved to multiple extortion methods
Attacks are expanding to emerging markets and developing countries
All speakers agree that ransomware is a serious and evolving global cybersecurity threat with significant financial and operational impacts.
Collaboration is crucial in combating ransomware
Speaker
Daniel Onyanyai
Elizabeth Vish
Jennifer Bachus
CRI has four main work streams to address ransomware holistically
CRI is a global coalition to build resilience against ransomware
Private sector wants to collaborate with mutual respect
Collaboration between government and private sector is key
All speakers emphasize the importance of collaboration, both between countries and between public and private sectors, in effectively addressing the ransomware threat.
Similar Viewpoints
Both speakers highlight the importance of information sharing and threat intelligence in combating ransomware, whether through CRI platforms or private sector contributions.
Daniel Onyanyai
Elizabeth Vish
CRI provides information sharing platforms for members
Private sector can provide threat intelligence and improve resilience
Unexpected Consensus
Importance of preparation in avoiding ransom payments
Daniel Onyanyai
Elizabeth Vish
CRI is working to enhance engagement with insurance companies
Preparation is key to avoiding ransom payments
While coming from different perspectives (government and private sector), both speakers emphasize the importance of preparation and proactive measures in dealing with ransomware threats, including the role of insurance.
Overall Assessment
Summary
The speakers show strong agreement on the severity of the ransomware threat, the need for international and public-private collaboration, and the importance of proactive measures and information sharing.
Consensus level
High level of consensus among speakers, implying a unified approach to addressing ransomware threats through initiatives like the CRI and emphasizing the global nature of the challenge.
Differences
Different Viewpoints
Unexpected Differences
Overall Assessment
Summary
The speakers demonstrated a high level of agreement on the nature of the ransomware threat, the importance of the Counter Ransomware Initiative (CRI), and the need for public-private cooperation in addressing cybersecurity challenges.
Difference level
Low level of disagreement. The speakers presented complementary information and perspectives, reinforcing each other’s points rather than contradicting them. This alignment suggests a unified approach to addressing ransomware threats, which could be beneficial for coordinated international efforts through the CRI.
Partial Agreements
Takeaways
Key Takeaways
Resolutions and Action Items
Unresolved Issues
Suggested Compromises
Thought Provoking Comments
What we see globally is that this very profitable business has specialized to become a service. Cybercrime as a service, where we, along the criminal supply chain, observe specialized vendors such as initial access brokers, the ransomware groups themselves who then ransom the victims for money, but also afterwards money laundering experts in the illegal sector, so to say.
Speaker
Niles Steinhoff
Reason
This comment provides crucial insight into the evolving nature of ransomware as a specialized, service-oriented criminal enterprise. It highlights the complexity and sophistication of modern cybercrime operations.
Impact
This comment set the stage for a deeper discussion on the various components of the ransomware ecosystem and how to combat it effectively. It led to further exploration of the different actors involved in ransomware attacks.
The first thing I would say is that we’re seeing really substantial growth in ransomware attacks in emerging markets. It used to be that originally a lot of these criminals were attacking mostly companies in Western Europe, United States, Australia, etc. In the last two years we’ve really seen a dramatic expansion of attacks against entities and companies and non-profits in the developing world in economies where there aren’t enough cybersecurity professionals, there aren’t enough resources to defend effectively.
Speaker
Elizabeth Vish
Reason
This comment highlights a significant shift in the targeting of ransomware attacks, drawing attention to the vulnerability of emerging markets and developing countries.
Impact
This observation led to a discussion about the need for global cooperation and capacity building, especially for countries with fewer resources to combat cybercrime.
CRI aims to build global resilience, bringing together countries to build global resilience, and also to offer support to member countries in case they are hit by ransomware.
Speaker
Daniel Onyanyai
Reason
This comment succinctly explains the purpose and approach of the Counter Ransomware Initiative (CRI), emphasizing the importance of international cooperation.
Impact
It shifted the conversation towards discussing specific actions and benefits of the CRI, leading to a more detailed exploration of how countries can work together to combat ransomware.
The private sector really does want to collaborate with mutual respect with the public sector… They want to work with governments and they specifically want to work with the CRI. They really think that they have a lot to offer to help combat this threat and that includes things like threat intelligence, that also includes things like examples of successes and examples of failures from which you can learn.
Speaker
Elizabeth Vish
Reason
This comment emphasizes the crucial role of public-private partnerships in combating ransomware, highlighting the willingness and potential contributions of the private sector.
Impact
It led to a discussion about the specific ways in which the private sector can contribute to the fight against ransomware, including through threat intelligence sharing and lessons learned from past experiences.
Overall Assessment
These key comments shaped the discussion by highlighting the evolving nature of ransomware threats, the global impact especially on emerging markets, the importance of international cooperation through initiatives like the CRI, and the crucial role of public-private partnerships. The conversation progressed from defining the problem to exploring collaborative solutions, emphasizing the need for a multi-faceted, global approach to combating ransomware.
Follow-up Questions
How can artificial intelligence impact ransomware attacks in the future?
Speaker
Elizabeth Vish
Explanation
AI could enhance attackers’ operations and speed, making it harder for defenders to respond. This is an important area to monitor as AI capabilities evolve.
How can small and medium-sized enterprises implement effective defenses against ransomware?
Speaker
Elizabeth Vish
Explanation
SMEs often lack resources for cybersecurity. Understanding practical, accessible defenses for smaller organizations is crucial to reducing overall vulnerability.
What are the best practices for cyber insurance in countering ransomware attacks?
Speaker
Audience member
Explanation
The role of cyber insurance in preventing and responding to ransomware attacks is an evolving area that requires further exploration and guidance.
How can developing countries improve their preparedness and response capabilities for ransomware attacks?
Speaker
Audience member
Explanation
As attacks against emerging markets increase, understanding how to build capacity and resilience in developing countries is crucial for global cybersecurity.
How can authentication processes for legitimate software developers be improved?
Speaker
Audience member
Explanation
Ensuring the legitimacy of software developers is important for preventing potential security vulnerabilities and maintaining trust in digital systems.
What are effective strategies for public-private collaboration in combating ransomware?
Speaker
Elizabeth Vish
Explanation
Enhancing cooperation between government and private sector entities is seen as crucial for addressing the ransomware threat comprehensively.
Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.
Related event
Internet Governance Forum 2024
15 Dec 2024 06:30h - 19 Dec 2024 13:30h
Riyadh, Saudi Arabia and online