The U.S. National Security Council (NSC) is urging the governments of all countries participating in the International Counter Ransomware Initiative (CRI) to issue a joint statement announcing they will not pay ransoms to cybercriminals, according to three sources with knowledge of the plans.
CRI’s 47 members will convene in Washington for its annual summit on October 31, according to public comments from NSC officials. At least one of the three sources said the White House’s goal is to have the statement in place before the summit. However, it is unclear if that timeline will be possible given the evolving nature of the effort.
The statement would apply to the participating governments themselves, not to companies and other organizations.
The CRI launched in 2021 with 31 members and added more as nation-state ransomware victimization has drawn more attention. Costa Rica’s government was paralyzed after it refused to pay a $20 million ransom to a Russian hacking collective in April 2022.
The National Security Council declined to comment.
Cybercrime experts interviewed by Recorded Future News called the proposed document an important step in the fight against ransomware, which they noted is only made more pervasive when victims pay up.
“Governments should be setting an example by never paying,” said Allan Liska, a threat intelligence analyst at Recorded Future. The Record is an editorially independent unit of Recorded Future.
Liska said ransom payments not only enhance the capabilities of cybercrime groups, but they also can finance other bad behaviors. World leaders should consider the “nebulous nature” of the gangs, some of which could be funneling extortion money to a sanctioned group or nation-state, he said.
Not all experts were in favor of the plan, however. Prominent white-hat hacker Marc Rogers expressed concerns about the White House’s approach, saying that while “tectonic level” events such as the Costa Rica ransomware attack draw support from the U.S. and other wealthy nations, the majority of ransomware attacks hit small and medium-sized organizations, including in governments, and these episodes do not lead to “boots on the ground.”
Instead of pressing countries to agree not to pay ransoms, Rogers said more focus should be placed on helping less well-equipped governments improve their cyberdefenses, particularly since ransomware attacks often exploit cyber vulnerabilities which are relatively easy to address.
“If they use the same energy to get all these countries together to attack cyber-hygiene issues and close the gap, you would actually have a measurable impact on ransomware,” Rogers said. “Whereas I don’t believe you will with this.”
Not every payment is public
While no national governments have publicly acknowledged paying a ransom, Brett Callow, a threat analyst and ransomware expert at Emsisoft, said he would be very surprised if none have.
Because of the secret nature of many ransomware payments it is difficult to know if a victim complies with attackers’ demands — a factor that may make it hard to assess whether countries remain committed to CRI’s planned statement over time.
Callow, who praised the White House’s plans, said that while not extending the statement to include private sector companies makes it less significant, “every little bit counts.”
“The more we do to stop the flow of cash into the ransomware ecosystem, the better,” he said.
Costa Rica’s experience shows that politics can play a role in a government’s decision, too. At an appearance at the Center for Strategic and International Studies (CSIS) late last month, Costa Rican President Rodrigo Chaves said that while paying a ransom would have required legislation, he would not have done so even if he had had the option.
Still, his country paid a price, he said, recounting how once he declined to pay $20 million to the now-defunct Conti gang, it launched waves of attacks which devastated the country.
“We were attacked, affecting the backbone of the functioning of the state,” Chaves said during the CSIS interview.
“Our tax system, our customs system, electricity, even meteorological services … our Ministry of Transport, our social security, our health system attacked — so it was ugly,” Chaves added.
Alexander Martin and Jonathan Greig contributed to this story.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.