An alliance of nearly 50 countries has joined together to sign a policy statement pledging that their governments will not pay ransom demands to cybercriminals, a senior White House official said today.
The 48 member countries of the International Counter Ransomware Initiative (CRI) signed the pledge at the White House’s third annual CRI meeting on Tuesday and Wednesday of this week.
Anne Neuberger, the White House’s deputy national security advisor for cyber and emerging technologies, said today that another country has joined the CRI since the meeting – bringing the total number of countries to 49. The European Union and INTERPOL also signed the pledge.
“CRI members from India to Egypt to Costa Rica to Nigeria, Singapore, and the United States, our governments made that commitment because we recognize that ransomware payments are the money that’s fueling the ongoing attacks,” Neuberger said today at a discussion of the CRI meeting hosted by the Center for Strategic and International Studies (CSIS).
The White House official said that this joint policy statement comes at a critical time when ransomware payments are increasing.
During the first half of 2023, Neuberger said ransomware attacks worldwide increased by 45 percent over last year. Additionally, she said the victims are paying more, with the amount of overall ransom payments up by 120 percent.
However, the pledge to not pay ransoms to cybercriminals does come with exceptions. The Commissioner of Cybersecurity and Chief Executive of Cyber at the Security Agency of Singapore, David Koh, said at today’s event that the CRI’s commitment is “not a prohibition.”
“The statement that we have come out [with] is that governments should not pay ransom,” Koh said. “And the reason is because in environments like this, never say never. You don’t know exactly what the circumstances might be, even when this happens.”
Nevertheless, the member countries stressed that they do not condone paying ransoms, because it doesn’t guarantee that the attack ends there.
“There could be a double extortion, it could even get to the triple level,” the head of the Cybercrime Unit of Nigeria’s Federal Ministry of Justice, Jamila Akaaga Ade, said. “So, making that payment doesn’t guarantee that even the data, whatever has been encrypted, will be decrypted.”
“So, with that understanding, it’s a collective effort at the CRI level to say that at the national level that is not encouraged,” she added. “You only empower the criminals by making such ransomware payments.”
According to a White House fact sheet from the CRI meeting, the member countries also plan to create a shared blacklist of wallets through the U.S. Department of the Treasury’s pledge to share data on illicit wallets used by ransomware actors
Additionally, the members said they “will assist any CRI member with incident response if their government or lifeline sectors are hit with a ransomware attack.”
While the pledge to not pay ransoms does not apply to the private sector, CRI members also reaffirmed their commitment to work with the private sector to defend against ransomware attacks.
“This is a problem that takes government and private sector working together,” Neuberger said.
“Ransomware is the most disruptive cyber threat at this moment in time,” she added. “This truly is a global threat. We want to contribute the capacity we have, we want to learn from allies and partners, and lift up so we tackle this together.”
