
CRI publishes guidelines for avoiding ransomware payments

Members of the Counter Ransomware Initiative (CRI) have released new guidance to encourage organizations to consider other options before making ransomware payments to cybercriminals.

The new guidelines aim to minimize the overall impact of a ransomware incident and help reduce the number of ransoms paid by victims, as well as the size of ransoms when victims actually choose to pay.

The guidance strongly discourages companies from making payments, but acknowledges that there may be situations in which a victim will consider making a payment. However, the British government, for example, does not support or tolerate anyone paying ransoms.

A Chainalysis study earlier this year found that ransomware actors collected over $1 billion in payments in 2023. Ransomware payments have generally been on the rise since 2019, when Chainalysis began tracking the market.

The CRI noted that payment does not guarantee access to data and devices, and even purchasing the decryption key may not result in the incident being stopped.

Jonathon Ellison, NCSC director of national resilience, said: “Ransomware remains an urgent threat and organizations should act now to strengthen resilience.”

The United Kingdom and 38 countries, including Australia, Canada, Japan, the United States and New Zealand, have joined forces with international cyber insurance organizations to support the CRI guidelines.

“The endorsement of this best practice guidance by both nations and international cyber insurance organizations provides a strong impetus for companies to enhance their defenses and enhance their cyber readiness,” Ellison said.

Guidance recommendations from the Counter-Ransomware Initiative

The CRI said organizations are encouraged to prepare as part of their business continuity plan and develop and implement their policies, procedures, frameworks and communications plans in advance of a ransomware incident.

The guide recommends that organizations:

  • Consider the legal and regulatory environment surrounding ransomware payments.
  • Report the incident to the authorities as soon as possible. Timely reporting can support law enforcement investigations and enable authorities to provide necessary support to victim organizations.
  • Evaluate all options and ensure due diligence is part of the response and recovery plan.
  • If possible, consult experts such as insurers, national technical authorities, law enforcement agencies or cyber incident response companies who are familiar with ransomware incidents.
  • Consider the alternatives to paying a ransom. Payment decisions should be based on a full understanding of the impact of the incident and whether the payment is likely to change the outcome.
  • Gather relevant information to assess impacts and legal obligations. This includes considering the technical situation, such as the availability of backups, and setting up workarounds to deal with business interruptions.
  • Assess the impact of the incident to be better prepared for immediate discussions about reporting. Organizations should also assess the risk to life, personal information or national security if data were made public. Any claims about the type and amount of data stolen should be verified.
  • Record decision-making to create an auditable trail.
  • Involve necessary stakeholders across the organization in decisions, including technical staff and senior decision makers.
  • Investigate the root cause of the incident and take the necessary measures to avoid a repeat attack.

The Guidelines are non-binding in nature and do not override certain laws and regulations that may apply in the jurisdictions of CRI members.

In 2023, members of the CRI pledged against ransomware payments and called for central government funds not to be used to pay ransoms to cybercriminals.

The new guidance comes at the start of Cyber Security Awareness Month, which focuses on the importance of organizations building their cyber resilience.

The guidelines were agreed upon during the Fourth International Counter Ransomware Initiative (CRI) Annual Summit on October 1, 2024 at the Foreign Service Institute in Arlington, Virginia.