The Counter Ransomware Initiative (CRI) [2] [3] [4], comprising 39 countries, has released a comprehensive guidance document to assist organizations in effectively responding to ransomware incidents. This guidance [1] [2] [3] [4] [6] [7] [8], endorsed by 68 member states [2], aims to discourage ransom payments and promote proactive cybersecurity measures.
## Description
Members of the Counter Ransomware Initiative (CRI) [4], which includes 39 countries such as the UK, Australia [6] [8], Canada [6], Japan [6] [8], the United States [6], and New Zealand [6], have released the “Guidance for Organisations During Ransomware Incidents,” endorsed by 68 member states [2], including the USA [1] [2] [6] [8], EU [2], Council of Europe [2], and UK [1] [2]. Established on October 1, 2024 [6], this guidance aims to assist organizations in responding to ransomware attacks by carefully evaluating their options rather than hastily paying ransoms to cybercriminals. Such payments may encourage further attacks and do not guarantee data recovery or malware removal [6]. The guidance emphasizes the importance of proactive measures to mitigate ransomware threats [8], including developing comprehensive response frameworks, contingency plans for data retention and retrieval [8], and establishing policies and communication strategies [3] [4] [8].
While the guidance strongly discourages payments [4], it acknowledges that there may be circumstances where victims consider paying [4], emphasizing the challenges organizations face in making this decision. The UK government explicitly does not endorse ransom payments [4], as such actions sustain ransomware gangs and contribute to the broader ransomware ecosystem. A Chainalysis study indicated that ransomware actors received over $1 billion in payments in 2023 [4], marking the highest losses recorded and reflecting a general increase in payments since 2019. The CRI stresses that paying a ransom does not guarantee access to data or devices [4], and obtaining a decryption key may not resolve the incident [4]. Recent efforts have been made to collaborate with insurance companies, as some may encourage or reimburse ransom payments [5], prompting organizations to enhance their cybersecurity resilience [5].
The guidance provides a comprehensive overview of the decision-making process involved in responding to ransomware threats and recommends that organizations prepare as part of their business continuity plans. Key recommendations include:
- Considering the legal and regulatory implications of ransomware payments [4].
- Reporting incidents to authorities promptly to assist law enforcement and inform affected individuals.
- Verifying data backups and evaluating all options, so that response and recovery plans reflect due diligence and no critical information is omitted.
- Consulting with recognized experts such as insurers, national technical authorities [4] [7], law enforcement [1] [2] [4] [6] [7] [8], and cyber incident response companies familiar with ransomware incidents to enhance decision-making quality [7].
- Reviewing alternatives to ransom payments, informed by a thorough understanding of the incident’s impact and the likelihood of payment altering the outcome.
- Gathering information to assess the incident’s impact and legal obligations, including backup availability and business disruption management [4].
- Assessing the incident’s impact for better preparedness in coverage discussions, including risks to life [4], personal data [2] [4], or national security [2] [4].
- Recording decision-making processes to create an auditable trail.
- Involving necessary stakeholders in decision-making, including technical staff and senior leaders [4].
- Investigating the root cause of the incident to prevent future attacks.
The guidance is non-binding and does not supersede specific laws and regulations applicable in CRI member jurisdictions [4]. In 2023, CRI members pledged against ransomware payments [4], stating that central government funds should not be used for such payments [4]. This collective endorsement signifies a strong commitment to improving cyber defenses and readiness globally [6], building on a previous joint statement that condemned ransomware payments [6]. The guidance calls for remaining CRI members to engage with insurance industries and their jurisdictions to further strengthen cybersecurity efforts, particularly in light of the evolving tactics employed by cybercriminals. The National Cyber Security Centre has also revealed that cybercriminals often retain data even after ransom payments are made [8], underscoring the need for organizations to remain vigilant and proactive in their cybersecurity strategies.
Organizations are encouraged to adopt an “Assume Breach” posture, recognizing that it is no longer possible to prevent all attacks [7]. Investing in resilience is crucial: companies that do so tend to recover more quickly and at lower costs [7]. Many organizations, however, fail to adequately test their recovery processes [7], leading to high recovery costs when attacked [7]. Ensuring that organizations do not have to pay threat actors benefits the broader community [7], as crime should not be rewarded [7]. The guidance document offers further recommendations for organizations to enhance their ransomware resilience and response strategies, reflecting a global commitment to addressing the ransomware threat and supported by international cyber insurance bodies [1]. Additionally, the CRI Summit, led by the UK and Singapore [3], introduced new policy guidance aimed at undermining the financial models of cybercriminals, emphasizing the necessity of international cooperation to combat these threats effectively.
## Conclusion
The CRI’s guidance represents a significant step towards enhancing global cybersecurity resilience against ransomware threats. By discouraging ransom payments and promoting proactive measures, the initiative aims to undermine the financial incentives for cybercriminals [6]. Organizations are encouraged to adopt robust cybersecurity strategies, engage with experts, and collaborate internationally to mitigate the impact of ransomware attacks. The ongoing commitment to improving cyber defenses and readiness is crucial in addressing the evolving tactics of cybercriminals and ensuring a safer digital environment.
## References
[1] https://www.techradar.com/pro/some-of-the-worlds-biggest-countries-are-teaming-up-to-tackle-ransomware-scams
[2] https://www.dataguidance.com/news/international-counter-ransomware-initiative-publishes
[3] https://www.theartistree.fm/journal/401836/global-leaders-unite-to-combat-ransomware-with-new-policy-guidance-and-collaborative-strategies/
[4] https://www.infosecurity-magazine.com/news/cri-releases-guidance-ransomware/
[5] https://cyberscoop.com/counter-ransomware-initiative-summit-whats-next/
[6] https://www.wired-gov.net/wg/news.nsf/articles/UK+and+Singapore+lead+international+action+to+support+ransomware+victims+03102024111500
[7] https://itnerd.blog/2024/10/04/70-countries-attend-counter-ransomware-initiative-and-release-response-guidance/
[8] https://www.techmonitor.ai/technology/cybersecurity/uk-singapore-spearhead-global-efforts-to-drive-resilience-against-ransomware-attacks