The United States, EU members and select other countries (some 40 in total) have reached a formal agreement to refuse ransomware payments demanded of government agencies. While this is already standard policy for national governments, the pledge could prove interesting if it develops into added pressure on state and local government agencies.
At present, this has no impact on private organizations or companies. In addition to the US and EU nations, the pledge has thus far been signed by Australia, Canada, India, Israel, Japan, and Singapore.
International counter ransomware initiative conference touches on intel sharing, AI defenses
In addition to the pledge to forgo ransomware payments, the annual conference (now in its third year) touched on AI blockchain analysis techniques to track payments and the use of a shared crypto wallet blacklist that will be maintained and circulated by the US Treasury Department. The AI talk is in its extremely early stages, with no specific plans proposed or agreements reached.
The governments did, however, agree to a new information-sharing plan involving ransomware payments and crypto movement. Two platforms are to be built, one by Lithuania and the other a joint effort between Israel and the UAE, and used as a centralized source on the financial information of known cyber criminals.
Ransomware and data extortion gangs have been showing an increasing interest in smaller, more poorly defended government agencies in recent years. These targets consist of the national systems of smaller countries, and the cities and localities of larger nations. The common theme is that these agencies struggle with IT budgets and the ability to hire an adequate level of personnel, and consequently have predictable vulnerabilities (such as backlogs of necessary patches that no one gets to).
These smaller entities are also much more likely to make ransomware payments to make the problem go away. There are relatively few prohibitions on it at the state and locality level at present, although several US states have banned assorted types of government agencies from making payments.
Poorly prepared localities, small national governments feel pressure to make ransomware payments
Numerous US municipalities have made ransomware payments in the last few years, and not all of them have been small areas. One of the larger victims, the city of Baltimore, illustrates why municipalities often make this decision. Baltimore was initially approached for a Bitcoin ransom equivalent to about $76,000, which it refused; it then spent months and an estimated $18 million in cleanup from the attack.
The US and most of the other pledge signatories continue to allow private entities to make ransomware payments, but usually with a recommendation against it and a requirement that they notify an appropriate law enforcement agency. The debate is becoming no less complex as insurers increasingly refuse to provide full ransomware coverage and demand that applicants demonstrate certain levels of cybersecurity readiness to even obtain a policy.
The ransomware conference concluded with a mention that these are just initial steps in the battle against international cyber criminal gangs, and that the intended long-term strategy is to totally dismantle their financial support systems and render their tactics obsolete.