Key Insights from the International Counter Ransomware Initiative Statement
By Todd Thorsen, Chief Information Security Officer, CrashPlan
Earlier in November, media outlets widely reported the contents of a remarkable joint statement. The International Counter Ransomware Initiative (CRI), comprising 40 countries, declared that they would no longer pay ransom to bad actors. In the same policy statement, CRI also agreed to create a shared blacklist of wallets used by ransomware actors and help any of their members respond in the event of a ransomware attack. In addition to these strong stances against ransomware, the coalition also welcomed 13 new members this year. All this signals that ransomware is looming large as a global concern for several states — and that there is a genuine interest in developing strong, consistent international policy responses to a growing problem.
The problem is real. From 2019 to 2022, the number of ransomware attempts worldwide went from 187 million to 493 million, according to Statista. Moreover, Corvus’ Q3 2023 Global Ransomware Report noted that global ransomware attack frequency went up 95% in the last year. Against this backdrop, CRI’s statement, and the other actions it’s taken, are a step in the right direction. Somebody needs to do something.
The silver bullet
But an international pledge is unlikely to be the silver bullet CISOs are still looking for. Or, at least, not this particular international pledge as it currently stands. While symbolically powerful, with some good initial steps in the agreement aimed at monitoring and sharing at the nation-state level, it does not include actionable guidelines for the organizations on the front lines. At the very least this serves as a barometer highlighting the level of global concern around ransomware, but it remains to be seen how effective this pledge will be at disrupting payment mechanisms for ransomware actors and whether these actions will reduce the number of ransomware attacks. The pledge’s challenges are familiar to anyone who follows international policy: these things move slowly, with too many caveats and exceptions. The pledge of course only covers the national level, and even then, it allows for exceptions to the refusal to pay ransoms in the event of emergency situations. And when is ransomware ever not an emergency situation?
The main utility of CRI’s statement is that it’s opened once again, on a global scale, a conversation around data security and resiliency. This is helpful because it invites us to consider our current practices and fundamental assumptions around how we protect our data. We desperately need this conversation, because in my view we’re thinking about it all wrong.
Prevention itself isn’t enough
Most organizations tend to think about ransomware attacks in terms of prevention — how to stop them from happening in the first place. Huge swathes of cybersecurity budgets are spent trying to build digital walls high enough that no bad actor can ever get across. This isn’t a bad practice — preventive measures are important — but they are not infallible. What happens when ransomware is successful? Response time is important, but no matter how fast you respond to a successful ransomware attack or breach, you still must work to undo the damage caused and this is why having resiliency and recovery capabilities comes into play.
It’s time for more conversation on this point. Not because the answer is particularly elusive, or profound, but rather because it’s right under our nose, and insufficiently discussed: backup and recovery strategy. It’s frustrating that this is often seen as a nice-to-have when, in fact, it is a fundamental aspect of your defense-in-depth strategy. More than anything else, including legislation, international agreements, and policy positions, a sound backup and recovery strategy has the greatest potential to reduce the impact of ransomware and bad actors.
The power is within backup and recovery
Ransomware is a problem, but there is a solution. Did you know that just over 50% of businesses have a backup and recovery plan? Having a sound backup and recovery strategy with purpose-built backup and recovery tools for your critical data and systems can take all the power away from ransomware actors — if you are impacted by a ransomware attack, you don’t have to think through whether or not you need to pay to get your data back, because you already have the ability to recover it from your encrypted, immutable and isolated backups.
Every CISO and security practitioner should take the CRI’s pledge as an opportunity to reinforce the seriousness and impact of ransomware with their boards and leadership, and to have a risk discussion based on the organization’s control environment that highlights any gaps in its data resilience and recovery posture. Simply having a working backup and recovery capability can greatly reduce the risk associated with ransomware, not to mention non-malicious and accidental data loss scenarios. Like I said, having preventative measures in place is important, as we all know, but it is equally important to have data resilience and recovery capabilities in place to protect your sensitive data when bad things happen. So, my ask is this… do yourself and your organization a favor and take a fresh look at your data resilience and recovery capabilities. If you don’t have a plan, create one; if you don’t have the capabilities to recover critical data, implement them, or share this information with your leaders and Board members and initiate risk-based discussions and options to address gaps in your capabilities.
While the CRI’s pledge is a positive step, I’m certainly not waiting for them to solve the ransomware problem. But I’m hopeful that all the energy and attention it’s generated will compel companies to take a hard and objective look at their data resilience and recovery capabilities and plans and take action to address any gaps. In doing so, you are taking control and changing the narrative around the impact of a ransomware attack on your organization.
About the Author
Todd Thorsen is the Chief Information Security Officer of CrashPlan. He brings more than 15 years of information security experience across various disciplines. Todd has a proven track record of building and leading security programs focused on global security operations, risk and compliance, incident response, resilience, and data protection. He can be reached online on LinkedIn and through the company website at www.crashplan.com.