Megan Stifel, chief strategy officer for the Institute for Security and Technology and executive director of the Ransomware Task Force, joined Lindsey O’Donnell-Welch on the Decipher podcast to discuss the Ransomware Task Force’s recent progress report on moves made to disrupt the ransomware ecosystem. This is an edited and condensed transcript of their conversation.
Lindsey O’Donnell-Welch: What kind of progress has been made in implementing the Ransomware Task Force’s recommendations?
Megan Stifel: There has been a good amount of progress. We were pleased to report earlier this month that 92 percent of the recommendations have seen some progress, with actually 50 percent seeing significant action. Twenty recommendations saw preliminary action and there's no known action in four of those recommendations. The space where we saw the greatest amount of progress - it's actually been pretty even across the four - but as you may recall, we had four areas where we focused the recommendations - deterring ransomware attacks, disrupting attacks, better preparation and better response mechanisms - and so we've seen the least amount of progress in the response space. But there has really been good progress across all measures. That being said, as we know because ransomware attacks continue, there's a lot more room for improvement.
Lindsey O’Donnell-Welch: When you say you saw the least amount in that response space, is there a reason behind that?
Megan Stifel: Well, I think it's a couple of things. On the response space we've seen significant progress in 18 percent of the recommendations in that area and where that significant progress has occurred, it’s been actually significant itself, including requirements in legislation; for example, the critical infrastructure reporting requirements that we know as CIRCIA. There also have been significant amounts of money appropriated by Congress to help organizations both prepare and respond to ransomware incidents - it's more broad than that, it's cyber incidents - but ransomware is included in those. But where there has not been known action is in thinking about the emergency capabilities and emergency authorities that we recommended in the initial report, and it's kind of a little bit hard to guess as to why that is. I think at least two factors that we would identify include the broader concern around information about ransomware incidents - so where we don't have good information about ransomware incidents, it's harder to scope and measure to emergency authorities. So as CIRCIA takes effect, it may be the case that there's better information upon which to make a public policy argument that there needs to be additional authorities granted to the government and to support victims in the case of a ransomware incident.
The other piece is that there have been some terrific bipartisan quick wins on the legislative front, two of which I already mentioned, including the funds appropriated and the reporting legislation. But we've also seen issues such as the joint ransomware task force coming out in the same legislative package, and so I think the focus has been on better preparing the government and better equipping the government to respond - based off of the information that they have - and enabling the government to gather better information, upon which they could eventually consider the emergency authorities, among the other recommendations that we had.
Lindsey O’Donnell-Welch: Are you seeing more awareness across the broader public and private sector when it comes to the ransomware threat?
Megan Stifel: I think there definitely has been improved awareness; there were several incidents that happened just after we released our report in April of 2021 that we think helped bring ransomware to both the front doorstep of lawmakers and the executive branch - which I think was recognizing it but was struggling to convene itself - and so both the Colonial Pipeline incident, the JBS event, and a number of other high profile incidents globally have really I think contributed to the awareness that has then issued or then prompted legislative and executive action to better address the threat.
Lindsey O’Donnell-Welch: Can you talk a little bit about how you've seen cyber incident reporting change over the past year?
Megan Stifel: I think there have been some good wins, but there remain challenges. And so in thinking about the information environment, what we've said over the years is that it's a suboptimal information environment. I think during the [Institute for Security and Technology’s Ransomware Task Force] event on May 5th, the FBI panelist Dave Ring mentioned that the FBI thinks that only 20 percent of ransomware incidents are reported to it. So that is not ideal, but on the other hand we know that there are good pictures of ransomware around the ecosystem on the private sector side, whether it's Emsisoft’s report or Sophos' report. But it's really bringing all of these different pieces of the elephant into the same spot, where we think the focus needs to be, and that will enable not only better policy options for the government to consider together with the private sector, but also and importantly, the better, improved ability to undertake operational collaboration, to disrupt the ransomware threat actors. So the numbers are - some think that they're up, some think that they're down - I think there's the general consensus that the ransomware threat is not going away. While we have seen, if you look at, for example, Sophos’ report, the large percentage of organizations that have been the victim of ransomware have fewer than a thousand employees. But some of them actually have higher net income, so to speak, so it's not just small businesses that are being hit but it's smaller, higher profit organizations that are still being hit. But also importantly, as we expected, as the U.S. and its partners began to take greater action against ransomware, the threat is expanding.
I wouldn't call it totally shifting because we are still seeing significant incidents in the United States affecting hospitals, education, but also it's affecting the global south; Costa Rica has been a big unfortunate example of that. But we saw incidents in the ASEAN region as well. Japan has had some high level incidents, obviously Australia. So improving the information environment, looking at all of the pieces that fuel the ecosystem is a high priority for the Counter Ransomware Initiative as well. I think we will continue to see progress. But it's a lot of these incremental movements that will begin to have real impact a few years from now.
Lindsey O’Donnell-Welch: One win that I saw when I was looking over the most recent task progress report was that it seems like the U.S. government is really kind of putting teeth into cryptocurrency regulations, and they've been using sanctions of several exchanges and mixers that we've seen being used for ransomware attacks.
Megan Stifel: Yes, I think that's one of the wins that I didn't cover in response to your last question. I would say it's a combination of the government - particularly Treasury and Justice - leveraging capabilities that they have, under both executive action and statutory authority, to add additional entities and persons to the designated entities and specially designated nationals lists that has enabled some of these additional wins. And I think that also goes to the part of our earlier conversation around information being shared publicly and privately, and certainly I think the capabilities of blockchain analytics firms have significantly helped Treasury build a case to issue the sanctions and also to recoup the funds, but also to undertake the law enforcement action. And it's not just limited to U.S. law enforcement. I think the law enforcement actions that have been undertaken have been in cooperation and close collaboration with a number of governments, Europol and Interpol. But yes, I think on the cryptocurrency front, one of the recommendations was that the requirements under U.S. law - which is that if you're a money services business you need to collect KYC, or know your customer, information and follow anti-money laundering provisions - I think we're really beginning to see that requirement take effect.
Lindsey O’Donnell-Welch: I know that safe haven countries have been a hot topic and a challenge in the ransomware landscape. What kind of work has been done in this area?
Megan Stifel: Yes, I think safe havens will remain a problem and that's one of the reasons why we believe that the focus needs to be on public-private collaboration, specifically operational collaboration and better sharing of information, because the more information we have and the better our ability is to get it into the hands of partners in like-minded nations and elsewhere… it [will] become even more clear that certain countries are harboring these types of actors and that should inform our partners and like-minded allies alike in their broader engagements with the safe harboring countries. So the conversation shouldn't just be around ransomware but it really should be around the other tools that these governments have at their disposal to send a signal that this type of malicious cyber activity is not accepted. I think we see some reflections of that.
Lindsey O’Donnell-Welch: What kind of ransomware risk have you seen small and medium-sized businesses (SMBs) face?
Megan Stifel: In many ways it's a heartbreaking problem, that small and medium-sized enterprises who are the lifeblood of the U.S. economy are often the victims of these types of attacks. There have been a number of efforts that have been undertaken to help organizations of that size better prepare to manage ransomware and actually just yesterday I think the government published a joint publication or refreshed a joint publication that they had previously shared around combating ransomware, in giving organizations a list of activities and actions that they could take to better prepare themselves. One of the items that's included in there is a set of recommendations that the task force published in August of last year, which is the blueprint for ransomware defense that includes a list of 40 security controls. If you were to walk down the street I think and say to a small business, “you need to do these 40 things to better secure yourselves,” they're probably going to throw up their hands. And that's where I think that old saying - “you don't need to outrun the bear, you just need to not be the last person outrunning the bear” - comes into play. Even if you undertake four or five things, like using multi-factor authentication, ensuring that you have backups of data, making sure that where possible you've updated your systems with the latest patching, using complex passwords - even those few things can really have an impact and help you outrun the bear faster than the person down the street. So we need to continue to get that message across to small and medium-sized enterprises, that you don't have to be perfect, that small measures can really have a significant impact.
Lindsey O’Donnell-Welch: Yeah, absolutely and that's a great point. Looking ahead, what's on the agenda list for the Ransomware Task Force? What happens in between these progress reports that come out every year?
Megan Stifel: The first is really the awareness raising piece and we’ll continue to support the blueprint and look to equip more organizations to have better hygiene, which will help them better withstand and recover from a ransomware incident. So hygiene is certainly a priority. Where we think the emphasis is also really needed is in thinking about this question or these issues around operational collaboration and the information environment. So we published a report on Monday of this week, we called it a mini pilot, which was an effort to examine the map of the cryptocurrency ecosystem related to ransomware payments. We published this map in November of last year and then we were fortunate to have some data shared with us from a couple of task force supporters and we took that data and overlaid it over the map to see, among other things, if the data reflected what we believed the ecosystem looked like - it does. So that's I think a positive sign. What we did also discover though is that we needed to better visualize the resourcing part of ransomware incidents. So when threat actors are developing their attacks, their ransomware as a service capabilities, the resources that they use to develop those measures, those TTPs, is often paid for with cryptocurrencies that were procured through prior ransomware incidents. So if one looks at this mini pilot map, there's definitely a hotspot if you will where there are a number of entity types, meaning incident response firms and cloud service providers and the like, who are actually more proximate to ransomware incidents than we might think. And so looking at the barriers there are to those entities [that prevent] better sharing information, better undertaking measures that could be disruptive to these incidents, that is really a focus for us over the next part of this year.
And we think that it's also a good opportunity to help inform about what will come probably next year, which is the reauthorization of the Cybersecurity Information Sharing Act (CISA) of 2015. It will have to be reauthorized in 2025 and so we hope that out of our examination of this payment ecosystem, we can help identify opportunities to further incentivize existing sharing. Because there is robust sharing that's authorized under CISA ’15, it's just that many organizations aren't willing to do so yet or don't feel comfortable doing so yet. But [we also hope to] see if there are further clarifications that can be made in the law to better equip these organizations to feel comfortable using the authorities that are granted.
Lindsey O’Donnell-Welch: Are there any other takeaways from this year's progress report or just anything about ransomware trends overall that you wanted to highlight?
Megan Stifel: I think what we're seeing is that the ecosystem is shifting, not surprisingly. I think there's one thing we know about malicious cyber actors, which is that they do often use common TTPs, they do shift some of those TTPs and that's also what we've seen in the case with ransomware. Among the things that we've seen in this shift is that there have been fewer incidents of encryption; instead, the threat is to dump confidential information in the open marketplace, and so that is concerning obviously. What also concerns me is… will we begin to see integrity attacks on that data that's dumped, meaning that it's exfiltrated from the victim, it's manipulated in a way that looks even more problematic for the victim and then distributed publicly. So we need to really be thinking about what tools we have to be able to help victims in those types of instances, do authorities have enough to disrupt that.