Ransomware task force unveils broad manifesto for fighting back

The Ransomware Task Force (RTF) yesterday unveiled its comprehensive guidance for battling ransomware, information security’s preeminent scourge.

The 81-page report, titled Combatting Ransomware: A Comprehensive Framework for Action, gives enterprise defenders their first structured standardized guidance for ransomware defenses. The project began in January 2019 and was organized by the Institute for Security and Technology (IST), a Bay Area-based nonpartisan nonprofit group that champions networking and collaborative efforts to address information security challenges.

“The cost of ransom paid by organizations has nearly doubled in the past year and is creating new risks, many that go far beyond monetary damage,” IST CEO  Philip Reiner said in a statement. “We felt an urgent need to bring together world-class experts across sectors to create a framework that government and industry can pursue to disrupt the ransomware business model and mitigate the impact of attacks.”

The RTF, made up of 60 industry experts, spent more than two years engaged in intense collaboration to develop these recommendations. The task force includes an eclectic mix of organizations representing government agencies, technology vendors, financial institutions, and academia.

Not a technical guidance

The RTF Framework mirrors the well-known NIST Cybersecurity Framework (CSF) by grouping recommendations into logical target areas. Where NIST describes specific technical actions in its five “functions,” the RTF authors opted to distribute 48 higher-level recommendations across four goals: “deter,” “disrupt,” “prepare,” and “respond.”

Defenders looking for specific NIST-like technology controls for ransomware mitigation, response, and recovery will have to wait a little longer. On the whole, the RTF Framework addresses high-level policies and processes, including advocating for the creation of more technical guidance, particularly for underfunded and critical industries.

“Guides and technological tools to mitigate ransomware are currently available, however, many are insufficient, overly simplified, or too complicated, and the general level of noise surrounding this problem is confusing and problematic,” the RTF report authors wrote.

“The single most impactful measure that could be taken to help organizations prepare for and respond to ransomware attacks would be to create one internationally accepted framework that lays out clear, actionable steps to defend against, and recover from, ransomware.”

Jen Ellis is vice president of community and public affairs at security vendor Rapid7 and a task force committee co-chair. She told VentureBeat the framework’s approach developed, in part, from taking a hard look at what organizations were – and were not – doing to protect themselves.

“Over recent years, there has been a great deal of investigation into ransomware attacks and trends, and many cybersecurity vendors have provided responses either in the form of technology solutions and services, or guidance and best practices,” Ellis said. “Yet adoption is slow or possibly ineffective, which suggests that organizations either lack an appetite for these offerings, presumably because they don’t understand the ransomware threat or how the solutions can help mitigate it, or because they lack the capability or resources to adopt.

“The Task Force included end user organizations of all sizes and we sought their perspective on the reality here,” Ellis added. “What we heard from them was that the amount of noise on this topic is hard to navigate and interpret, and guidance often seems overly-simplified, while technologies on the other hand often seem complicated or too time-consuming to deploy.”

All hands on deck recommendations

Where the RTF Framework shines is in challenging the public and private sectors to take bold action to beat ransomware at every stage of its miserable lifecycle. In addition to developing future technology guidance, the framework’s top recommendations include:

• Hitting ransomware crews where they live
  Getting international governments and law enforcement to prioritize ransomware threats and use the full force of their diplomatic and financial clout to encourage nation-states to stop providing safe havens for ransomware crooks.
• Putting Uncle Sam out front
  Urging the U.S to lead by example with an aggressive White House-backed campaign that treats ransomware as a national security threat, taps the National Security Council’s resources, and establishes public and private tasks force and focus groups to address the problem.
• Help for victims
  Establishing government-funded international Cyber Response and Recovery Funds to support ransomware response. The RTF also softens the line on ransom payments, calling for the U.S. Treasury Department to revise its no-pay guidance and urging victims to report ransom payments and consider all available alternatives before paying.
• Blocking the money chain
  Stepping up regulation of the cryptocurrency sector that fuels ransomware crime. This would be done through government crackdowns on cryptocurrency exchanges and stepped-up enforcement of existing money-laundering and anti-terrorism funding laws. The goal is to disrupt ransomware payment systems and make the criminal endeavor less profitable.

Identify the challenge

Kevin Johnson is CEO of Secure Ideas, a security consultancy, incident response, and training firm in Jacksonville, Florida. He said the RTF Framework’s lack of technical specificity aside, the framework addresses a clearly pressing need to find an organized, structured way to tackle the ransomware problem.

“Over the last few years, it has become abundantly clear that organizations must prepare for a ransomware attack,” Johnson told VentureBeat. “This preparation includes understanding what resources are actually within your organization and how you will deal with those resources being encrypted.”

“Way too often in our testing, we find that not only are companies not prepared for this type of attack, but they also are surprised when we show them the machines and services they actually run,” Johnson said.

The RTF makes clear in its report that the framework is not a choose-your-own-adventure exercise designed for piecemeal implementation. Each recommendation interlocks with other actions, and the strength of the total effort depends on coordinated and complete execution. For example, reducing the profitability of ransomware through financial controls thwarts crimes in progress and also acts as a deterrent, discouraging future actors from engaging in similar malefactions.

“Our hope with the recommendation of a single, unified framework, is to produce consistent guidance that breaks deployment down, making it more relatable and manageable, and thus more actionable, said Rapid7’s Ellis. “We hope to create a single source of truth that provides some sense of what a path to maturity might look like, while also giving less-resourced organizations a reasonable and impactful starting point.”