UPDATED 21:54 EST / APRIL 29 2021

SECURITY

Expert task force shares framework on how to disrupt ransomware

The Ransomware Task Force, a coalition of experts from across various cybersecurity companies and government facilitated by the Institute for Security and Technology, has shared a framework of actions on how to disrupt ransomware as a business model.

The paper, which notes that ransomware is no longer simply a financial crime but an urgent national security risk that threatens schools, hospitals, businesses and governments, offers 48 recommendations aimed at forming a comprehensive framework to address ransomware.

At the top of the list, the framework states that coordinated, international diplomatic and law enforcement efforts must proactively prioritize ransomware through a comprehensive, resourced strategy. It also says the U.S. should lead by example.

Recommendation three states that governments should mandate that organizations report ransomware payments and require organizations to consider alternatives before making payments. The group behind the framework consists almost entirely of U.S. cybersecurity companies, and hence there’s a U.S.-focused bias, yet the U.S. Treasury Department said in October that paying ransomware demands could be illegal already. Outright banning ransom payments globally could arguably be the clearer solution.

There is one recommendation that perhaps unfairly targets cryptocurrency in a way that is arguably outright stupid. The framework claims that “the cryptocurrency sector that enables ransomware crime should be more closely regulated.”

It then goes on to say that governments should require crypto exchanges and others to comply with Know Your Customer, Anti-Money Laundering and Combating Financing of Terrorism laws. In the U.S., authorities already do. The U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission regularly take action against any company they think is breaking laws. The idea that cryptocurrency as a whole is complicit in ransomware is a strange proposition from a group that includes cybersecurity experts from well-regarded companies.

“Targeting the financial side of the equation will help quite a bit,” Tyler Shields, chief marketing officer at cyber asset relationship startup JupiterOne Inc., told SiliconANGLE. “That model is really focused on what happens after the breach and once the target has been compromised. At the end of the day, nothing will completely stop these attacks and we can primarily hope to raise the bar of difficulty to an unmanageable level.”

Dirk Schrader, global vice president, security research at information technology security and compliance software firm New Net Technologies Ltd., supports the overall idea.

“It was surely propelled by the recent developments with Emotet, which was used to drop various ransomware strains, and the takedown of web-shells, that the initiators of the task force do think they can make that move,” Schrader explained. “It will be more a question of convincing lawmakers across the globe to actually join that coalition, to work out or improve their own country’s legal frameworks, so that ransomware gangs can effectively be prosecuted or at least the market structure is changed so much that they get frustrated and leave that business.”
