Amidst encouraging signs that the global anti-ransomware effort may well be working, Australian cyber security experts are helming a global anti ransomware task force that has unified authorities in 37 countries in an effort to stamp out the “insidious” threat.

Having been agreed upon at an international meeting at the second annual CRI Summit in November, the newly created International Counter Ransomware Task Force (ICRTF) is designed to support the United Nations framework for responsible state behaviour in cyberspace.

It outlines four key objectives – including holding ransomware actors accountable and denying them safe haven; implementing ‘know your customer’ (KYC) and other anti money laundering (AML) policies for virtual assets; disrupting and prosecuting ransomware gangs under local laws; and sharing information “to ensure national cyber infrastructure is not being used in ransomware attacks.”

Australia led the CRI working group on disruption and was appointed the inaugural chair of the ICRTF at that meeting, putting it in charge of a range of initiatives including the establishment of a ‘fusion cell’ centre of expertise at Lithuania’s Regional Cyber Defense Centre (RCDC) that will, among other things, aggregate and publish cyber attack data from ICRTF members.

The group will also focus on deliverables including accumulating collective knowledge to develop a ransomware investigator’s toolkit; publishing joint advisories sharing known details of ransomware gangs’ tactics; techniques, and procedures (TTPs); coordinating efforts to take down priority “hard and complex targets” with the assistance of law enforcement groups; and running biannual counter ransomware exercises to bolster the international response.

Recent cyber incidents in Australia and around the globe are a stark reminder of the insidious nature of ransomware, and the ability of cyber criminals to cause widespread disruption and harm to broad sections of the community,” Minister for Home Affairs and Cyber Security Clare O’Neil said in announcing the commencement of the ICRTF’s activities.

In Australia, the ICRTF will complement existing activities including the 100-strong joint Australian Federal Police (AFP) and Australian Signals Directorate (ASD) established late last year to combat what O’Neil called cyber “scumbags” holding businesses and governments to ransom.

With a stated objective of making Australia “the world’s most cyber secure country by 2030”, the government has taken an increasingly aggressive stance against cyber criminal activity – including launching a formal Ransomware Action Plan, overhauling its Cyber Security Strategy, and boosting data breach fines to ensure companies play an active role in swatting down malicious actors.

Ransomware getting better at last?

Australia’s relative wealth and sub-par security have long made it a favoured target of ransomware gangs, although newly released figures suggest that global pushback against the criminals may finally be getting traction.

Newly released figures from Chainalysis’s latest annual crypto crime report suggest that payments to ransomware-linked crypto accounts “are significantly down” – from $1.2 billion ($US766 million) in each of 2020 and 2021, to just $710 million ($US457 million) last year.

The decline, Chainalysis believes, is because a growing number of companies are refusing to pay the ransoms demanded of them – suggesting that growing enforcement, clearer policies, and better anti-ransomware solutions are turning the ransomware tide.

And while the figures don’t necessarily mean the number of ransomware strains has decreased, Chainalysis said those strains are remaining active for much less time – 70 days last year compared with 153 days in 2021, and 265 days in 2020 – as attackers scramble to “obfuscate their activity”.

Despite the large number of ransomware strains seemingly in existence at any one time, Chainalysis noted, “the actual number of individuals who make up the ransomware ecosystem is likely quite small”.

That could make life easier for the ICRTF, whose focus on priority targets could make it easier to effect dramatic reductions in ransomware volumes by taking out a few key ransomware gangs.

The 37 founding countries of the ICRTF include most European member states as well as the US, Canada, UAE, South Korea, Japan, Singapore, Ukraine, Israel, Brazil, Dominican Republic, Mexico, Kenya, Nigeria, South Africa, Australia, and New Zealand.

But that’s just the beginning, O’Neil said, reinforcing the importance of increasing numbers to ensure ransomware gangs have nowhere to hide.

“Ransomware represents a global threat,” she said, “and Australia calls on other nations to be part of this global initiative to support effective detection, disruption and prosecution of cyber criminals who use ransomware for financial and other gain.”