people working together in a task force

International taskforce sets out to disrupt ransomware

The second international Counter Ransomware Initiative (CRI) summit took place at the end of October, in Washington, DC. Representatives from 36 countries and the European Union met in to strategize ways to combat ransomware.

A combination of two things could bring ransomware to a halt, if they could be deployed successfully. If no ransoms were paid, and if no countries provided a safe haven for ransomware operators, the gangs would run out of money and have nowhere to hide.

Unfortunately, neither seems likely to succeed in the near future. Organizations that see paying the ransom as their only way out of an attack will pay, if the law allows it, and Russia and the Commonwealth of Independent States are a safe haven for ransomware, provided the ransomware gangs don’t attack inside their borders. Diplomatic cooperation with Russia is at a low at the moment and progress here seems fanciful.

According to a Treasury Department analysis released on 1 October, 2022, three quarters of all the ransomware schemes reported to a US financial crime agency in the second half of 2021 were created in Russia.

In response, the CRI summit agreed to create an International Counter Ransomware Task Force (ICRTF), whose goal is to “coordinate resilience, disruption, and counter illicit finance activities.” The idea seems to be that, if we can’t stop organizations from paying, then we can at least try to minimize the number of infections, increase the pressure on ransomware operations, and try to intercept or recover payments.

The CRI will begin by testing “a scaled version” of the ICRTF under Lithuania’s leadership, at the country’s Regional Cyber Defense Centre (RCDC). Data provided by participating members will be aggregated and summarized by the RCDC.

Through the course of the Summit, CRI partners also committed to focus on a few specific areas:

  • Payments. Members plan to build their blockchain tracing and analytics capabilities (so they can track ransomware payments), to share information about cryptocurrency wallets used for laundering extorted funds, and to share information between the public and private sectors.
  • Prevention. The CRI plans to “pursue the development of aligned frameworks and guidelines”, to help countries prevent and respond to ransomware, with a focus on essential services and critical infrastructure.
  • Diplomacy. The CRI sees international diplomacy as a tool for increasing the political cost on “countries that harbor and enable ransomware actors.”

Will it all work? It might. The wheels of government and international cooperation move slowly though. The ransomware ecosystem seems as active and dangerous in 2022 as it ever has been, but there are glimmers of hope. Gangs like REvil and DarkSide have been successfully disrupted or chased away by bold law enforcement action, and Conti, arguably the most dangerous ransomware gang of all, was brought to its knees in May by US anti-sanctions laws.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.