Security experts have welcomed the proposals of a new ransomware report from big tech and law enforcers, but argued that tackling the menace must begin with improved cyber-hygiene.
Convened by the Institute for Security and Technology and trailed since last December, the Ransomware Task Force (RTF) is a team of over 60 experts from software companies, cybersecurity vendors, government agencies, non-profits, and academic institutions.
It includes representatives from the FBI, Europol, the UK’s National Crime Agency and many of the world’s biggest tech companies including Amazon, Cisco and Microsoft.
Its framework document makes five key recommendations to tackle the cyber-threat. The most eye-catching of these is that governments require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading “desks” to adhere to the same regulatory standards as banks. That means following anti-money laundering (AML), Know Your Customer (KYC) and Combating the Financing of Terrorism (CFT) laws.
Other recommendations include that the US government “execute a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House.”
It emerged last week that a new Department of Justice task force will coordinate efforts across the federal government to disrupt ransomware groups: taking down command-and-control (C&C) infrastructure, seizing profits, and coordinating training and intelligence sharing, among other measures.
The RTF also called for prioritized law enforcement efforts across jurisdictions and "a clear, accessible, and broadly adopted” international framework to help organizations prepare for, and respond to, ransomware attacks.
However, some security experts were skeptical about the RTF’s recommendations.
ImmuniWeb founder, Ilia Kolochenko, argued that even if cryptocurrencies were regulated, cyber-criminals would find ways to bypass regulations. Indeed, the current AML regulatory regime is widely seen to have failed.
“I’d rather suggest treating the root cause of ransomware: the widespread lack of basic cyber-hygiene,” Kolochenko argued.
“Even the largest organizations from regulated industries often fail to follow the basics: maintain an up-to-date asset inventory, implement risk-based and threat-aware security controls, perform continuous security monitoring and anomaly detection, conduct ongoing security training and awareness, maintain software and patch management programs, and enforce centralized identity management.”
Others were more welcoming of the task force’s efforts, but agreed that organizations must do more from a corporate cybersecurity perspective.
“It is important for cyber-awareness training to be regular in the workplace, as only then will it build employee knowledge of security and educate them on the significant part they play in protecting the organization,” argued Mimecast’s head of e-crime, Carl Wearn.
“In the face of this increasing level of threat to all organizations, cyber-hygiene and user awareness training will be critical to maintaining security. Hopefully this news will help businesses to understand just how big of a threat ransomware is.”
Fedor Sinitsyn, security expert at Kaspersky, explained that the ransomware landscape had fundamentally changed over the past year, putting enterprises in the crosshairs.
“The primary focus will likely continue to be on companies and large organizations, and that means ransomware attacks will continue to become more sophisticated and more destructive,” he added. “It’s imperative that businesses adopt a holistic, comprehensive set of security practices to protect their data.”