Representatives from the now 68 members of the International Counter Ransomware Initiative (CRI) are heading to the United States this week to discuss tackling one of the most significant cyber threats currently facing the world.
While the number of members attending the summit has more than doubled since the 30 it debuted with in 2021, the CRI’s efforts and annual pledges — including last year’s commitment to not pay ransoms — have failed to prevent attacks from also nearly doubling in that time, according to U.S. intelligence community numbers.
The fourth annual gathering will include “significant, major new deliverables” according to Anne Neuberger, the U.S. deputy national security adviser, who told journalists on Sunday that ransomware attacks continue to be seen as a “significant problem” by the White House.
Citing recent attacks on Change Healthcare, the Port of Nagoya, Synnovis and CDK, Neuberger explained that President Joe Biden’s approach was “when we have new challenges we need new purpose-built partnerships to address them.”
The summit in Washington, D.C., will include two days of meetings focused on ransomware, including meetings on coordinating disruption operations and the launch of a new fund to help countries affected by major cyberattacks, as first reported by Recorded Future News. A third day will focus on the nexus between artificial intelligence and cybersecurity.
While the initiative was praised by Neuberger as “the largest and most successful cyber partnership around the world, in terms of the number of countries and the breadth of the partnership,” there is little to suggest that it has yet effectively hobbled the ransomware ecosystem.
Laura Galante, the director of the cyberthreat intelligence integration center at the Office of the Director of National Intelligence (ODNI), told journalists that the U.S. intelligence community was seeing attacks continue to rise, with the figures in the U.S. itself almost doubling since the CRI was launched.
“From 2021 and into 2022, we saw yearly ransomware attack numbers in the 2,500 range. In 2022 we saw 2,593 attacks per year, then in 2023 we saw 4,506 attacks. Here in the first half of 2024, we’re tracking 2,321 attacks.
“And what this looks like to us is, we’ve seen a real jump in the number of attacks and proliferation of the type of infrastructure and tools that a variety of ransomware actors have been able to use,” said Galante.
Around half of all attacks globally affect the United States, according to Galante, with just over half of the remainder targeting victims in Europe.
While official figures for attacks are not routinely released — and officials repeatedly warn they don’t have good visibility over the scale of the problem — data published by Britain’s privacy regulator suggests attacks this year and last are likely to be double the count for the two years prior.
A very Russian problem
One of the more challenging aspects in tackling ransomware is the geopolitical angle, with Russia offering a haven to many of the criminals and organized crime groups perpetrating ransomware attacks.
The perpetrators “are mostly coming from Russia. They’re Russian individuals. They’re loosely affiliated, and they’re about to reconstitute and change their operations quickly,” said Galante.
The decentralized nature of the ransomware ecosystem has negatives and positives for those trying to undermine it, according to the U.S. officials.
“As we look at the attacks, we see three factors: the people; the infrastructure; and the cryptocurrency, the money that fuels them,” said Galante.
“Because so many of the individuals are Russia-based, disrupting the actors is very challenging. That’s the geopolitics of ransomware that makes this such a difficult problem,” added the ODNI official.
This means “there is no one operation that’s going to disrupt ransomware permanently. Instead, we have to increase the frequency and increase the breadth of these operations by taking down infrastructure regularly, designating the exchanges that are facilitating money laundering and ransomware activity regularly,” she added.
“What we see happens is most of these activities will have impact for some period of time, and because the incentives to continue ransomware attacks remain — largely because entities pay ransoms, we’ve seen progress … but still, too many entities are paying ransoms and each payment incentivizes the next attack. So as a result, because the incentives are still there, they have to keep doing the disruptions regularly.”
Neuberger added that the lack of a single, dominant group has worked in favor of defenders.
“Even with the most used ransomware tool, we’ll only see about 20-25% of the attacks come from one of those groups. So these disruption operations, especially the frequent cadence, does help keep any one group or any one specialization of toolsets from really holding on.”
This lack of market dominance “is one of the ways that this [the ransomware ecosystem] has remained decentralized. Disruption operations have been really key to making this harder for certain groups to really get deeper and more specialized and mature, and makes the organizations a little bit more chaotic, which ends up being helpful because it takes more time for them to reconstitute and have successful operations in the future,” said Neuberger.