Policy paper

Chair's summary from the G7 Interior and Security Senior Officials' Extraordinary Forum on Ransomware on 15 and 16 December 2021

Published 24 December 2021

This was published under the 2019 to 2022 Johnson Conservative government

On 15-16 December, in line with the commitment made at the Interior and Security Ministers’ meeting in September 2021, G7 Senior Officials gathered virtually for an Extraordinary Senior Officials’ forum on ransomware, along with representatives from the Council of Europe; European Commission; European Union Agency for Cybersecurity, Europol; Financial Action Task Force; G7 Cyber Expert Group; Global Forum on Cyber Expertise; Interpol and the United Nations Office on Drugs and Crime. This forum builds on the commitment of our leaders to work together to urgently address the escalating shared threat from criminal ransomware networks.

Ransomware attacks are increasingly common globally and represent one of the most significant, and growing, international cyber threats. Earlier in the year, G7 leaders called on states to identify and disrupt ransomware criminal networks operating from within their borders at pace and hold those networks accountable for their actions.

This forum built on existing initiatives, such as the Counter Ransomware Initiative, and brought together expertise from across the G7 to:

a) find practical policy solutions;

b) develop proposals on technical assistance;

c) advance policy cooperation; and

d) raise public awareness.

Discussion included the following:

Threat

Ransomware represents one of the most significant and growing international cyber threats with serious economic, security and public safety consequences. Ransomware is a complex crime type, with the key threat actors often operating from safe havens, payments made in largely unregulated cryptocurrency, and the acute vulnerability caused by low cyber security standards. Many of the organised crime groups launching ransomware attacks against western targets are based in Russia and nearby states. Most ransomware groups operate a Ransomware as a Service (RaaS) model. This is where the developer of the ransomware ‘rents out’ their ransomware infrastructure to other cyber criminals, known as affiliates, to use in their own attacks. This, in conjunction with the supporting cybercrime marketplace, has enabled less technically skilled cyber criminals to deploy ransomware. RaaS also makes attribution difficult because an attack could have been carried out by the core ransomware group, or by an affiliate who could be based anywhere. Combined, these factors have created an effective and resilient ‘business model’, resulting in an increased number of attackers and greater threat.

Policy Approaches

As a transnational problem, any solution will need to be calibrated in close step between G7 members and international partners. We collectively recognise the need to advance solutions at pace and to take a multi-pronged and multi-sector approach. In addition, we have looked at how we define ‘reporting’ and ‘cyber incidents’ and recognise the need for join-up on sharing information received. Indeed current low reporting rates affect our ability to assist victims, understand the scale of the problem or reduce the likelihood of ransoms being paid. Increasing reporting rates will help inform our knowledge of the threat and assess ways to further disrupt the ransomware criminal business model. This could be by providing better victim support, clear and consistent reporting routes, linking reporting to insurance pay-outs or mandating timely reporting of attacks. Ransomware ransoms are a key part of this business model, so limiting their payment is key to disrupting this. However, we must ensure that we are careful not to inadvertently re-victimise the victim. We have looked at how we can further incentivise reporting and the need for a range of policy interventions to achieve the two outcomes of increasing reporting and reducing payments and will continue to develop our responses.

Cryptocurrency

The primary motive for ransomware is the prospect of financial gain. Ransomware attackers, if successful, often receive payment in cryptocurrency, which they then seek to launder and “cash out” of the cryptoasset ecosystem. Attackers may also use cryptocurrency to procure goods and services to support their activities. The more the G7 can do, working with the private sector, to minimise the likely financial reward of a ransomware attack, the lesser the incentive for criminals to carry out a ransomware attack.

Resilience and Communications

Most cyber incidents, both ransomware and more broadly, can be prevented by following simple and actionable steps. Organisations that do so will improve their cyber resilience. It is a priority for us, as we address the threat from ransomware, to work to ensure sectors and organisations are more secure and resilient to cyber threats. Raising resilience will be a long-term endeavour, requiring public and private sector investment. Going forward our collective challenge will involve ensuring that best practises are implemented more often and by more organisations. Communicating effectively will be a key tool in achieving this. To make a real step-change in raising our resilience we will need to deepen international collaboration on these issues.

Next Steps

The G7 and participating international organisations recognise the need to continue to prioritise collective efforts to reduce the risk of ransomware. Together we identified priority areas for further work which complement the ongoing work of existing initiatives, such as the Counter Ransomware Initiative, to collectively address the threat and deepen our collaboration.