The average ransomware demand is now $170K. Here's how we can fight back

• A multistakeholder approach is best for tackling the criminal entreprise model underlying ransomware efforts.

• A World Economic Forum partnership recommends tackling the ransomware threat earlier in the event chain.

• Information-sharing between affected organizations is also crucial.

With news breaking nearly every day about ransomware attacks targeting hospitals, critical infrastructure, school systems, and other essential services, average citizens in communities around the globe are feeling the repercussions. The complexity of ransomware attacks and the criminal enterprise model that supports them present the need for a structured, multistakeholder approach to tackle the issues involved.

A ransomware attack involves a threat actor deploying malware that seizes data on a victim’s IT network, making it inaccessible to them until a ransom is paid, often in the form of cryptocurrency. Rather than just locking a victim’s files and requesting a ransom in exchange for the key, the attackers also steal sensitive data before deploying the actual ransomware. This compels the victim to engage in negotiations and raises the victim’s (reputational) costs of not paying the ransom, as the attackers will not only leave the victim’s data encrypted, but also leak sensitive information.

Cyber extortion started from humble origins in 1989, with the first known incident targetting the healthcare industry: It involved 20,000 infected floppy disks being distributed to researchers across the world. Once installed, the malware laid dormant and only activated after the computer was booted 90 times. Once this occurred, the first known ransom resulting from malware infection was demanded: $189 per victim.

The world has changed greatly since 1989, a time when reliance on technology was not as widespread or as vital to government and business institutions. As we have become more dependent on technology in all aspects of our lives, ransomware has become a much greater threat. With a total amount paid by ransomware victims estimated at $350m in 2020 alone, an estimated average per-incident ransom of $170,000 being demanded, and a total per-incident cost (including recovery) of $761,000, ransomware is proving to be both immensely profitable for criminals and a threat to modern organizations.

As a result of this growing concern, the World Economic Forum Partnership against Cybercrime organized a community discussion featuring leaders of industry and technology with a specific focus on Combatting Ransomware. As part of this, members of the partnership formulated a dedicated conceptual framework for discussion, with a view to identifying potential areas for disruption of ransomware efforts. The focus for this effort is on a distinct “shift left” approach that seeks to disrupt ransomware threat actors earlier in the chain of events.

The motivation behind this effort came from an analysis of efforts to tackle ransomware. The current trend in tackling ransomware is reactive in nature, and primarily focused on identifying and disrupting malware during the infection stage, and on recovery in the event of a successful infection. Furthermore, organizations generally approach defensive efforts as an isolated unit with limited collective or connected efforts, such as sharing indicators of compromise (IOC). As part of the Combatting Ransomware initiative, the discussion was focused on shared, collaborative efforts that the security community can proactively pursue to disrupt ransomware efforts before they have a chance to flourish.

The value of shared, collective and active responses to ransomware is already visible today. Efforts to date illustrate that a collaborative multistakeholder approach – sharing actionable information and leveraging the combined capabilities of the private sector and the government – yields the best opportunity to disrupt cybercrime quickly and at scale. One such effort involved law enforcement and judicial bodies across the world in a joint taskforce to combat the EMOTET malware, one of the scourges of modern times. In operation since 2014, EMOTET opened the floodgates for a variety of threat groups to install ransomware with high levels of effectiveness. As a result of the growing impact of EMOTET in terms of financial damages, a large-scale, worldwide operation was undertaken to cripple EMOTET by targeting the infrastructure under which it operated. Over the course of one week, hundreds of servers across multiple jurisdictions were seized and neutralized.

The Partnership Against Cybercrime effort towards Combatting Ransomware came together with the express goal in mind of identifying areas for collaboration and collective approaches in tackling this threat. As part of this, members of the partnership designed a model ransomware kill-chain. This kill-chain involved the following stages, distilled down from the various elements of typical ransomware attacks:

During discussions, industry leaders across technology and security identified the first four pre-exploit phases of the kill chain as prime areas for disrupting ransomware efforts. This approach involves targetting critical elements of ransomware success, such as the developers behind the software, or the infrastructure required for orchestration.

To four separate groups dedicated to the identified four phases, representatives were assigned with even distribution between cybersecurity providers, infrastructure providers, insurance organizations and law enforcement, allowing each group to benefit from the broad experience set. The aim of each discussion was first to identify relevant actions for each phase from the perspective of attacker, defender and government or regulatory bodies. Once mapped out, this approach allowed for identification of considerations and risks for each action to better pinpoint potential weaknesses, and therefore potential areas for disruption.

The findings from each working group were distilled into four central themes in terms of recommendations:

• Further develop the framework to support the partnership goals

• Develop active disruption approaches

• Support law enforcement efforts

• Advocate for policy adjustments

Several key activities/efforts were identified that, if implemented appropriately, could greatly hinder ransomware success:

• Information-sharing/collaboration. Faster detection and cross-sector sharing of IOCs for new malware and associate these with ransomware. Prioritize analysis of association for sharing, leading to adoption of intelligence-led security controls to pre-empt attacks.

• Public-private pooling of resources for vulnerability testing, threat analysis and research.

• Build a picture of the financial capabilities of malicious actors and guide law enforcement disruption of those capabilities through breaking the chain of illicit use of cryptocurrencies to fiat currency, real-world goods and support services.

• Incentivize cyber hygiene and issue World Economic Forum message on raising cybersecurity standards.

Information-sharing, pooling of resources and financial analysis are the foundations of developing an intelligence-driven assessment of ransomware actors so that we can identify where they are organizationally weak. Using that information, and collaborating through the proposed framework, international public and private sector partnerships can work together to reduce the global impact of the ransomware threat.