Ransomware can be defeated, but it won’t be quick, easy, or cheap.
That’s made clear by “Combating Ransomware: A Comprehensive Framework for Action,” which was published today by the non-profit Institute for Security and Technology’s Ransomware Task Force (RTF). Formed early this year, the group assembled a collection of experts from the public and private sectors to prepare a blueprint for combatting a global scourge doing billions of dollars’ worth of damage at out-of-control rates. Indeed, ransomware incidents were up 485% in 2020 versus the prior year, according to recent research from security vendor Bitdefender.
The RTF’s 81-page report, which took three months to prepare, describes 48 ambitious recommendations spanning four critical goals: deterring future attacks, disrupting the business model that makes attacks profitable, helping potential victims prepare for attacks, and responding to attacks more effectively. Many of those measures call for national and even international coordination.
“It’s an acknowledgement that the problem is getting so pervasive and the impacts are getting so monumental that it’s starting to have real impacts on national security, public health, and safety, and that we can’t really treat this as a private industry problem anymore,” says Ryan Weeks, chief information security officer at Datto and a contributing member of the task force. “We really need to start treating it like the global, massive problem that it is.”
To get a sense for just how massive he means, consider the report’s five highest-priority recommendations:
- Coordinated international diplomatic and law enforcement efforts.
- A sustained anti-ransomware campaign specifically in the U.S., led out of the White House.
- Allocation of government funds to support ransomware response activities and cybersecurity programs.
- Adoption of an industry standard anti-ransomware framework that IT providers, governments, and businesses can use to prepare for and respond to attacks.
- Tighter regulation of cryptocurrency exchanges, kiosks, and trading desks.
“We really looked at the entire ransomware ecosystem from 360 degrees and said, ‘what are some recommendations that we can make to the governments and to private institutions that could really start to really make a dent in this ecosystem,’” Weeks says. All of them, he acknowledges, will take years of effort to accomplish.
Several, moreover, apply directly to MSPs, 95% of whom say they’re increasingly being targeted by ransomware and 78% of whom have experienced attacks against SMB clients in the last two years, according to Datto’s latest Global State of the Channel Ransomware Report. Those include the creation of a threat intelligence clearinghouse along the lines of the information sharing and analysis organization launched by CompTIA last summer. Other proposed measures, however, would be less voluntary.
“That was kind of inevitable given some of the high-profile state and local government hacks that have occurred leveraging MSPs and MSP technology stacks,” Weeks notes.
To ensure every MSP complies with minimum ransomware mitigation standards, the RTF endorses mandatory adoption of a “cyber-hygiene program” such as CIS Controls Implementation Group 165 or the NIST Cybersecurity Framework, as well as mandatory disclosure by MSPs of ransomware incidents involving customers. The government funds recommended by the report, its authors note, could be used to underwrite the cost of complying with those rules.
However, Weeks notes, the report doesn’t explicitly recommend putting government agencies in charge of drafting and enforcing those mandates. As other leading-edge proponents of industry regulation have suggested, there’s still time for MSPs themselves to put compulsory requirements in place.
“The MSP industry has an option,” Weeks says. “We can self-organize around this problem now, or we can be told what we need to do in the future.”
Either way, he adds, government participation will be an essential part of winning the war on ransomware. “A lot of the initiatives start there, just because the ability to coordinate globally is more feasible at that level than it is for private institutions.” The RTF report specifically recommends collaboration between a U.S. government “Joint Ransomware Task Force” much like the unit established by the Biden administration last week and a collaborative, private industry-led “Ransomware Threat Focus Hub”.
Though the latter group might end up including RTF members, Weeks speculates, the RTF itself has closed up shop.
“We’ve accomplished our objective,” Weeks says. “We have the report. We’ve made the recommendations.” Now it’s up to the Institute for Security and Technology and the policy makers it advises to turn those recommendations into actions.