The Biden-Harris Administration remains committed to fostering international partnerships to disrupt the global scourge of ransomware. This week, the White House convened the International Counter Ransomware Initiative (CRI) for its fourth meeting in Washington, D.C. During the four-day event, the Initiative's nearly seventy members discussed methods to counter ransomware attacks in the healthcare industry, collaboration with cyber insurers and the private industry to reduce ransomware payments and increase incident reporting, the security of our critical infrastructure and Internet of Things (IoT), efforts to increase the capacity and incident response capabilities of members, and best practices to counter the flow of money through virtual assets that motivates ransomware actors.
This year, the Initiative welcomed 18 new members (Argentina, Bahrain, Cameroon, Chad, the Council of Europe, Denmark, the ECOWAS Commission, Finland, the Global Forum on Cyber Expertise, Hungary, Morocco, the Organization of American States, the Philippines, the Republic of Moldova, Slovenia, Sri Lanka, Vanuatu, and Vietnam), who participated in the gathering along with Albania, Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Colombia, Costa Rica, Croatia, the Czech Republic, the Dominican Republic, Egypt, Estonia, the European Union, France, Germany, Greece, India, INTERPOL, Ireland, Israel, Italy, Japan, Jordan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Norway, Papua New Guinea, Poland, Portugal, the Republic of Korea, Romania, Rwanda, Sierra Leone, Singapore, Slovakia, South Africa, Spain, Sweden, Switzerland, Ukraine, the United Arab Emirates, the United Kingdom, the United States, and Uruguay.
At the gathering, CRI members advanced the Initiative's commitments to resilience, cooperation, and disruption through the CRI's Policy Pillar, Diplomacy and Capacity Building Pillar, and the International Counter Ransomware Task Force (ICRTF). The Initiative launched a new Public-Private Sector Advisory Panel, led by Canada, establishing a trusted set of private sector partners for CRI members to rely on when faced with responding to ransomware attacks.
The CRI Policy Pillar
Under the leadership of Singapore and the United Kingdom, the Policy Pillar oversaw several projects focused on policy areas impacting ransomware. The Pillar developed policy guidance, with support from France, the Netherlands, and Kenya, to minimize the overall impact of a ransomware incident on an organization. France and the Netherlands led a project on cyber insurance, and facilitated a workshop for insurers to discuss how the insurance sector could support companies during a ransomware incident and increase their insurance accessibility. Under the auspices of the Pillar's workplan, Australia released an international 'Ransomware Playbook' providing guidance to businesses on how to prepare for, deal with, and recover from a ransomware or cyber extortion attack. Switzerland and the United States led an incident reporting project, sharing best practices on mandatory reporting and factors to consider during implementation, and outlining key information to provide at the first instance of a ransomware attack. Albania led a project to enhance implementation of the Financial Action Task Force's (FATF) Recommendation 15 on the regulation of virtual assets and related service providers, which will help stem the illicit flow of funds and disrupt the ransomware payment ecosystem that fuels the ransomware industry. The US and UK completed a project on secure software and labeling principles, producing a report that summarizes the most common software vulnerabilities and misconfigurations that lead to ransomware attacks, and provides actions for software manufacturers to take to address them. The UK and Singapore also led a simulation exercise focused on enhancing members' policy and operational coordination during a ransomware attack in the healthcare sector.
In 2025, the Pillar plans to advance policies to reduce ransomware payments globally, enhance incident reporting frameworks, explore how partnerships with the cyber insurance industry can assist in countering ransomware, and raise the overall cybersecurity posture against ransomware attacks through cybersecurity standards and best practices.
The CRI Diplomacy and Capacity Building Pillar
The Diplomacy and Capacity Building Pillar, led by Germany and Nigeria, expanded the CRI's reach by adding eighteen new members to the coalition and incorporating capacity building efforts throughout all CRI efforts. Among the Pillar's substantial contributions were a project taking stock of CRI members' capacity building assets and needs, continued support for the mentorship and onboarding program, and the promotion of the CRI to potential new members. Throughout the coming year, the Pillar will further elevate the Initiative's global profile and set out to leverage existing capacity building initiatives to provide opportunities to members and help bridge their capacity gaps.
The International Counter Ransomware Task Force (ICRTF)
ICRTF, led by Australia and Lithuania, developed an INTERPOL-led comparative report analyzing Ransomware Interventions and Remediation in CRI members' jurisdictions. Australia, in their role as ICRTF co-chair, launched a website and member portal for the CRI to share information and best practices between members as well as foster collaboration.
Advancing the Initiative through Action
Together, members of the CRI took bold new actions to further advance the initiative, including:
- Establishing the CRI Fund: The United States launched a new fund that will strengthen members' cybersecurity capabilities through both rapid assistance in the wake of a cyber attack as well as targeted support to improve cybersecurity skills, policies, and response procedures. The Fund will be supported through contributions from CRI members and private sector partners.
- Guidance for Victim Organizations: This guidance, endorsed by CRI members and insurance bodies, offers a practical guide to help organizations experiencing a ransomware attack. Building on last year's CRI statement on ransomware payments, the guidance underscores the important role cyber insurance can play in helping to build resilience to cyber attacks and highlights actions organizations should explore during an incident, aiming to reduce disruption and cost, the number of ransoms paid, and the size of ransoms paid. The ultimate goal is to minimize the overall impact of a ransomware incident on an organization.
- Private Sector Engagement Working Group (PSEWG): Canada developed a Public-Private Sector Advisory Panel to advise and support CRI members in combating ransomware. The advisory panel will catalyze effective information sharing, build trust through clear expectations and person to person collaboration, and develop best practices to navigate practical hurdles.
- Responsible Behavior in Cyberspace: The ICRTF called on members to join a statement that calls for responsible behavior in cyberspace and encourages members to hold bad actors accountable and deny them safe haven using all of the cyber diplomacy and law enforcement tools at their disposal. The CRI continues to call for responsible behavior in cyberspace and encourages members to call out malicious acts.
- Artificial Intelligence to Counter Ransomware: The CRI hosted its first-ever event dedicated to examining the use of AI to counter cyber attacks. Topics of discussion included the use of AI to track threat actor use, AI for Software Security, AI systems to ensure the security of critical infrastructure to include healthcare networks, and tools such as watermarking to counter disinformation.
- Information Sharing: Many members are now using CRI's information sharing platforms developed by Belgium, Israel, Lithuania, and the UAE to quickly share intelligence related to ransomware attacks, attack tactics, techniques, procedures, and indicators of compromise. Additionally, a CRI website developed by Australia includes a forum for members to easily request assistance from CRI members.
- Building Collective Cyber Resilience: The implementation of secure software and labeling principles is an important preventive measure against ransomware actors gaining access to data, related services, and connected infrastructure. CRI members were encouraged to take a coordinated, multi-national approach to developing a plan to institute secure software and labeling principles, including mapping existing cybersecurity requirements, regulations, standards, and guidelines for IoT devices. Recognition and implementation of such standards and schemes by multiple countries will set the foundation for global initiatives that enhance our collective resilience against ransomware and cyber attacks.
- Enhancing Cybersecurity of Supply Chains: The United States Department of Energy facilitated a panel discussion with executives from eight critical infrastructure equipment manufacturers (GE Vernova, Hitachi Energy, Honeywell, Rockwell Automation, Schneider Electric, Siemens, Siemens Energy, and Westinghouse Electric Company) to educate CRI members on the new U.S. supply chain cybersecurity efforts. This session provided an opportunity for the United States to demonstrate leadership in developing the Supply Chain Cybersecurity Principles, released in June with support from industry partners, while inviting international participation in coordinated efforts to advance the principles throughout the global supply chain.