Representatives from 31 countries met last week in a concerted effort to counter the ongoing scourge of ransomware and disrupt attackers’ business model.
The countries – which included Australia, the US, UK, India, and France (but not Russia and China) – were hosted by the White House National Security Council to tackle what they recognised as an “escalating global security threat” that can have “serious economic and security consequences”.
“From malign operations against local health providers that endanger patient care, to those directed at businesses that limit their ability to provide fuel, groceries, or other goods to the public, ransomware poses a significant risk to critical infrastructure, essential services, public safety, consumer protection and privacy, and economic prosperity,” the nations said in a joint statement following the event.
“As with other cyber threats, the threat of ransomware is complex and global in nature and requires a shared response.”
This shared response is to be achieved through four means: improving network resilience, countering the financial networks that support ransomware, disruption by law enforcement, and diplomacy.
Collaborative disruption
Coinciding with last week’s joint session was the announcement of Home Affairs’ Ransomware Action Plan, which will require businesses to report ransomware events and will introduce new aggravated criminal offenses for ransomware-related crimes.
Home Affairs Secretary Michael Pezzullo represented Australia at the Counter Ransomware Initiative Meeting. He also chaired a session about how law enforcement can disrupt ransomware operations.
“Taking action to degrade and hold accountable ransomware criminal operators is a priority for all,” the Department for Home Affairs said.
That session looked at both domestic and international efforts for tackling ransomware and highlighted “opportunities for cooperation” between the countries who met at the White House virtual event.
Law enforcement agencies regularly collaborate to catch cyber criminals whose actions affect victims in many different countries.
The notices that international police leave when taking down dark web marketplaces, like the now-defunct DarkMarket, often allude to the multi-agency co-operation these operations may require.
Similarly, South Korean detectives were present when six members of the Clop ransomware gang were arrested in Ukraine earlier this year.
Stopping ransomware finance
The US Financial Crimes Enforcement Network (FinCEN) recently reported an increase in both the number of ransomware incidents and the amount of money gained by these attacks.
Ransomware operators gained US$590 million in the first six months of this year – over US$170 million more than all of 2020. Most of it was paid in bitcoin.
In their joint statement, the attending countries noted that ransomware is “primarily a profit-seeking endeavour” and recognised the potential to combat it by stopping or tracking ransomware payments.
The countries promised to ensure their anti-money laundering frameworks extend to virtual asset service providers, making it difficult for funds to move between signatory countries, and to work with cryptocurrency companies to share information about ransomware payments.
Because ransoms are typically paid in bitcoin, authorities can track the flow of money on the blockchain and may be able to seize it, as was the case with more than 60 bitcoin paid to the Colonial Pipeline attackers earlier this year.
Diplomatic means
Finally, the 31 countries attending last week’s ransomware summit agreed on “diplomatic efforts” that encourage other nations not to let cyber criminals safely operate within their borders.
“We will leverage diplomacy through coordination of action in response to states whenever they do not address the activities of cybercriminals,” the joint statement said.
“Such collaboration will be a critical component to meaningfully reduce safe havens for ransomware actors.”
Russia – a notable absentee from the White House virtual meeting – has been accused of harbouring ransomware gangs, with ransomware operators notoriously taking steps to avoid Russian computer systems by checking for Cyrillic keyboard layouts.
The US has already taken diplomatic steps against Russia for its actions in cyberspace, sanctioning the country for last year’s SolarWinds cyber attack by freezing assets of certain Russian IT companies, expelling 10 of the country’s officials, and barring US financial institutions from buying and selling Russian government bonds.