The U.S. government and dozens of foreign allies have pledged never to pay ransom demands in a bid to discourage financially motivated hackers and ransomware gangs profiteering from cyberattacks.
The joint pledge was announced during the third annual meeting of the International Counter Ransomware Initiative, or CRI, a U.S.-led cyber coalition that aims to enhance international cooperation to combat the growth of ransomware. The CRI includes 48 countries, as well as the European Union and Interpol, making it the largest cyber partnership in the world.
The first-of-its-kind joint pledge, detailed by U.S. deputy national security advisor Anne Neuberger during a call with reporters on Monday, resulted in dozens of members signing a policy statement declaring that their governments would not pay ransom demands. The pledge stops short of banning companies from making ransom payments, which the U.S. government has long warned could inadvertently create opportunities for further extortion by ransomware gangs, but Neuberger says that the initiative will aim to “counter the illicit finance that underpins the ransomware ecosystem.”
Ransomware attacks remain at an all-time high given the majority of victims continue to pay ransoms which fund the hackers behind these cyberattacks. Data from blockchain analysis firm Chainalysis shows that victims paid ransomware groups $449 million in the first six months of this year. If this pace continues, the total figure for 2023 could reach almost $900 million, making 2023 the second-most profitable year for ransomware actors after 2021, according to Chainalysis.
Not all of the 48 CRI member governments have yet agreed to the anti-ransom payment pledge, Neuberger said, though it’s not yet known which governments have signed up.
“This was a really big lift, and we’re in the final throes of getting every last member to sign,” Neuberger said. “But we’re pretty much there, which is exciting.”
Full details of the joint pledge, which are still being finalized, have not yet been announced. The White House has not yet said how member states will be held accountable to their pledge, or what consequences they face, if any, if they make a ransom payment.
Ransomware and extortion gangs have targeted several governments in recent years, including Montenegro and Costa Rica, as well as U.S. government systems and critical infrastructure. In 2021, U.S. energy giant Colonial Pipeline paid $5 million to hackers who broke in and deployed ransomware. The cyberattack prompted the company to shut down its pipelines, causing major disruptions to gas supplies across the U.S. east coast.
During Monday’s call, Neuberger said that ransom payments not only fuel future attacks but also don’t guarantee the safe return of stolen data — or that all copies of the have been erased. Data provided to the U.S. government by ransomware negotiators shows that companies with good backups are able to recover “far more quickly” than companies that pay a ransom.
“Paying a ransom not only encourages ongoing ransomware attacks, it also is not necessarily the fastest way to recover,” said Neuberger. “Do those backups and do the basic cybersecurity practices that we know make a difference.”
The CRI on Tuesday also announced several additional measures designed to improve its members’ ability to fight back against ransomware attacks. This includes a shared denylist, which will include information on digital wallets being used to move ransomware payments and two new information-sharing platforms to help members quickly share data about ransomware operators, their tools, and their techniques with their foreign allies.
“If one country is attacked, others can quickly defend against that attack,” Neuberger said on the call with reporters.
Members of the initiative will also use artificial intelligence to analyze blockchains to help identify ransomware payments flowing through cryptocurrency platforms.