No more ransom: CRI makes non-ransomware payment statement

March 2024  |  FEATURE | RISK MANAGEMENT

Financier Worldwide Magazine

March 2024 Issue


In the pantheon of cyber attacks, ransomware is among the most dangerous and destructive. This form of malware is particularly odious in that it infects and paralyses businesses’ computer systems, generally followed by a large ransom demand.

Using anonymous cyber coins such as bitcoin, attackers provide their target with detailed instructions on how to make payments and then cash out with virtually no risk to themselves. Large-scale attacks have many victims, and a significant percentage of those do decide to pay the ransom.

Ransomware attacks have also become increasingly pervasive in recent years. According to Astra Security, there has been a 13 percent increase in ransomware attacks over the past five years, with the average cost of such an attack being $1.85m. Statistics also suggest that a ransomware attack will occur every two seconds by 2031.

“Ransomware attacks are incredibly prevalent and increasing at an alarming rate,” says Steven Farmer, a partner at Pillsbury Winthrop Shaw Pittman LLP. “It is very difficult to confirm how many organisations pay the ransom with accuracy. Those doing so typically want control over systems and data to be returned, and for the entire incident to end with zero publicity.

“Statistics in the public domain are, therefore, unlikely to be entirely reliable,” he continues. “Some reports indicate the number of companies paying might be as high as 80 percent-plus, which, while high, one would guess is within the ballpark.”

Joint statement

In an attempt to tackle ransomware attacks, and particularly the payment of ransoms, in November 2023, members of the Counter Ransomware Initiative (CRI) – an international initiative comprising 48 countries, the European Union and Interpol, with the US and the UK prominent members – signed a statement publicly denouncing ransomware and those who perpetrate such devastating attacks.


Upon its inauguration, the stated aims of the CRI were to “undercut the viability of ransomware and pursue the actors responsible, countering illicit finance that underpins the ransomware ecosystem, working with the private sector to defend against ransomware attacks, and continuing to cooperate internationally across all elements of the ransomware threat”.

In order to do this, the CRI focuses on partnerships and information sharing to bolster collective security against ransomware threats. It has also committed to collectively addressing its approach to ransomware payments to undermine the ransomware business model and disrupt criminal activity, pledging that it will not tolerate the extortive actions of these cyber criminals who too often act with seeming impunity.

Thus, in its joint statement, believed to be the first international statement, the CRI “strongly discourages” any organisation from paying a ransomware demand. “Each of us intends to lead by example,” the statement affirms. “We have reached consensus that relevant institutions under the authority of our national governments should not pay ransomware extortion demands.”

The joint statement also declares that paying a ransom to ransomware actors: (i) does not guarantee the end of an incident, or the removal of malicious software from an organisation’s systems; (ii) provides incentives for criminals to continue and expand their activities; (iii) provides funds that criminal actors can use for illicit activity; and (iv) does not guarantee organisations that their data will be returned.

“Fundamentally, companies paying ransom demands are ultimately funding the ransomware industry,” asserts Mr Farmer. “Taking a collective stand is designed to cut off the malicious actors’ oxygen – which, one would hope, would reduce the frequency of incidents.

“Another key driver is that payment of a ransom does not guarantee any successful outcome to the payor – if anything, it might lead the malicious actor to simply make further demands,” he continues. “The CRI statement advances the conversation and includes a declaration that members of the CRI will not pay ransom demands and will assist CRI members with incident responses.”

Stemming the tide

The extent to which the CRI’s statement of discouragement will stem the tide of ransomware attacks of course remains to be seen. For the moment, however, the initiative has an immediate role to play: to underline the importance of a ransomware response in organisations’ cyber preparedness plans.

“Agreeing not to pay demands should theoretically reduce the appetite of bad actors and therefore the prevalence of ransomware attacks,” says Mr Farmer. “However, the reality is that organisations locked out of their system and facing a demand may still proceed to pay when the stakes are high.

“The frequency of attacks underlines the importance of ransomware defence strategies in an organisation’s cyber preparedness plan,” he concludes. “Ransomware attacks are a reality of doing business and all organisations should expect the worst and be prepared for that, regardless of size.”

© Financier Worldwide


By Fraser Tennant

