New CRI Guidance Discourages Ransomware Payments, Focuses on Alternative Options

Oct 11, 2024

The Counter Ransomware Initiative (CRI) has produced new guidance on ransomware payments that does not contain any big surprises, maintaining that victims should avoid payments and consider all alternatives before paying. The advice also outlines how organizations should incorporate this approach into their response plans, something that those with less cybersecurity experience may find helpful.

Ransomware payments continue to be common despite advice

The general advice to organizations, from both governments and private sector security, is to try hard to avoid making ransomware payments and to turn to payment only as a last resort. In spite of years of this advice, ransomware gangs are still doing very well for themselves. Total payment amounts topped $1 billion USD globally last year, a new record.

This reflects the level of business disruption that can be expected when a ransomware attack strikes, with many organizations seemingly still feeling that they have no viable alternative but to make ransomware payments and hope for the best. This perspective is not ill-founded: even when an organization is fully prepared with backups and a thorough response plan, it can still see days to weeks of critical revenue loss as it scrubs and restores all of its systems.

The new CRI guidance does not call for a shutdown of ransomware payments, but does encourage victims to get in touch with law enforcement as soon as possible even if they intend to make a payment. This can lead to more efficient tracking of the payments and possible recovery of at least some of the money.

CRI guidance reflects government and insurer perspectives

Ransomware payments have yet to be banned in the 38 countries that endorse CRI’s guidance, though Australia’s legislators have been mulling the idea for over a year now. The advice thus largely reflects the status quo, with CRI instead focusing on exactly what alternatives organizations have and how to incorporate them into readiness plans.

Though ransomware payments are still by and large legal, CRI takes the thorough approach of advising organizations to ensure they are up to date on the legal and regulatory environment that applies to them. Such a review is not a bad idea for critical infrastructure firms in particular, given that they have rapidly been made subject to new and tighter cyber incident regulations in the US and elsewhere.

What should organizations be doing, at least according to the CRI guidance? One good starting point is to have up-to-date contact information available for all experts and stakeholders who need to be contacted in the event of a ransomware attack, something that should be incorporated into the recovery plan to reduce delays. Organizations might also want to list the key considerations that must be addressed in the immediate wake of detection, including the specific factors that influence the decision on whether to make a payment.

This process is more complex for some industries than for others. For example, the financial, medical and industrial sectors are almost always under tighter regulation than others and must consider a greater degree of real-world harm to customers and staff. And as recent changes in the US have demonstrated, critical infrastructure firms are increasingly being expected to consider national security issues as well.
