April 2024
securityandtechnology.org
DOUBLING DOWN
APRIL 2024 PROGRESS REPORT
THE RANSOMWARE TASK FORCE: DOUBLING DOWN
The Institute for Security and Technology and the authors of this report invite free use of the information
within for educational purposes, requiring only that the reproduced material clearly cite the full source.
Copyright 2024, The Institute for Security and Technology
Contents
Timeline: 2023-2024 Milestones
Executive Summary
Introduction: The Evolving Threat Landscape
Actions Requiring Sustained Effort
    Harmonizing Incident Reporting Mechanisms
    Expanding International Collaboration
    Reining in Ransom Payments
Actions Needing Intensified Effort
    Disrupting Ransomware Operations At Scale
    Fostering Public-Private Partnerships
    Bolstering Resilience and Building Awareness
    Committing Financial Resources to Preparation & Response
Conclusion
Appendix: Status of RTF Recommendations by Objective
2023-2024 Milestones
August 29, 2023: An international cyber takedown effort disrupts Qakbot malware infrastructure.
September 19, 2023: DHS publishes harmonization of ransomware reporting recommendations.
October 2023: CISA expands the Ransomware Vulnerability Warning Pilot program (RVWP).
March 13, 2023: CISA launches the Ransomware Vulnerability Pilot program (RVWP).
March 23, 2023: CISA launches the Pre-Ransomware Notification Initiative.
September 2023: CISA releases ransomware tabletop exercise materials.
October 2023: International police coordination disrupts the Ragnar Locker ransomware gang.
March 1, 2023: With the launch of the National Cybersecurity Strategy, ransomware is underscored as a national security threat.
July 13, 2023: The White House publishes the National Cybersecurity Strategy Implementation Plan.
October 26, 2023: Additional countries sign on to an update to the April 2023 secure-by-design guidance, bringing the total to 17 countries.
July 26, 2023: The U.S. Securities and Exchange Commission (SEC) announces new ransom disclosure rules.
April 13, 2023: The United States, Australia, Canada, the UK, Germany, and the Netherlands publish secure-by-design guidance.
Key: Policy, Resource, Disruption/Sanction, Awareness
Tracking Progress Against Ransomware
A non-exhaustive list of policy actions, newly-published resources, moves to disrupt or sanction ransomware actors,
and efforts to bring awareness to the threat.
November 21, 2023: EUROPOL works with seven other countries to dismantle a ransomware group operating in Ukraine, leading to several arrests and detentions.
February 20, 2024: The United States and the UK, along with international law enforcement partners, announce the takedown of LockBit ransomware variant.
November 2023: The U.S. Treasury Department sanctions a Russian actor accused of laundering virtual currency on behalf of an affiliate of the Ryuk ransomware group.
January 2024: Australia, the United Kingdom, and the United States issue the first trilateral sanctions designating a Russian cyber actor involved in a 2022 ransomware attack in Australia.
February 20, 2024: The U.S. Treasury Department sanctions affiliates of the LockBit ransomware group.
April 4, 2024: CISA publishes Notice of Proposed Rulemaking for CIRCIA.
March 27, 2024: The U.S. Department of State’s Rewards for Justice Program announces a reward for ALPHV/Blackcat-linked cyber actors.
November 3, 2023: CISA launches “Shields Ready” campaign for critical infrastructure.
December 2023: The U.S. Justice Department, with European law enforcement support, disrupts ALPHV/Blackcat ransomware variant.
November 1, 2023: CRI members endorse the first-ever joint CRI policy statement declaring that member governments should not pay ransoms.
December 2023: New York Department of Financial Services announces new ransom disclosure rules.
February 5, 2024: ODNI releases annual threat assessment, naming ransomware as a transnational threat to the United States.
February 26, 2024: NIST publishes Cybersecurity Framework 2.0.
March 20, 2024: DHS and DG CONNECT announce initiative to compare cyber incident reporting and better align transatlantic approaches.
January 19, 2024: OFAC Senior Compliance Officer reiterates commitment to clarifying ransom payment guidance.
January 2024: GAO releases report urging agencies to enhance oversight of ransomware practices and better assess federal support.
Executive Summary
In April 2021, the Ransomware Task Force (RTF) published Combating Ransomware: A Comprehensive
Framework for Action (“the Report”), which outlined 48 recommendations for industry, government,
and civil society to undertake in order to deter and disrupt the ransomware ecosystem, and to help
entities prepare for and respond to attacks at scale.[1] In the three years since its publication, we have
continued to see governments and the private sector step up commitments to addressing this threat.
However, ransomware remains a major national security threat based on its cost to the economy and
impact on critical services availability. The rate and scale of attacks is not diminishing and may be
growing. For the first time ever, Chainalysis reported that ransomware payments had surpassed $1
billion in 2023.[2]

Since our May 2023 progress report, the U.S. government and its partners have intensified disruption
efforts, increased information sharing, and developed more comprehensive ransomware mitigation and
recovery strategies. However, of the 48 recommendations made in the Report, our assessment remains
unchanged: only 24 have seen significant progress since the Report’s release in 2021.

IST’s view is that the 48 original recommendations remain relevant and important to implement to
reduce the threat that ransomware poses to the United States and the global digital ecosystem. Given
this assessment, this progress report focuses on the 24 recommendations that have seen little to
no action since 2021, identifying how governments and industry can achieve substantial results by
doubling down on these key Report recommendations.

As noted in previous progress reports, these 24 recommendations are more difficult to implement; in
the United States, many would require legislative action.[3] While governments deserve praise for the
mechanisms they have put in place, our assessment is that the United States is not using them to their
full extent. First, the United States and other governments have not yet allocated sufficient resources
to these existing mechanisms. Second, governments have not taken all necessary further actions to
combat ransomware. The Ransomware Task Force remains committed to engaging with the United
States and like-minded governments, industry partners, and civil society to raise awareness and
advocate for effective solutions to mitigate the dangers of ransomware.

This progress report identifies areas in need of sustained action, as well as areas in need of
new or heightened progress, ultimately aiming to double down on the Ransomware Task Force
recommendations.

[1] “Combating Ransomware: A Comprehensive Framework for Action,” Institute for Security and Technology, April 30, 2021, https://securityandtechnology.org/ransomwaretaskforce/report/.
[2] “Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline,” Chainalysis, February 29, 2024, https://www.chainalysis.com/blog/ransomware-2024/.
[3] “The Ransomware Task Force: One Year On,” Institute for Security and Technology, May 2022, https://securityandtechnology.org/wp-content/uploads/2022/05/rtf-progress-report-may22-1.pdf; “The Ransomware Task Force: Gaining Ground,” Institute for Security and Technology, May 2023, https://securityandtechnology.org/wp-content/uploads/2023/05/Ransomware-Task-Force-Gaining-Ground-May-2023-Progress-Report.pdf.
» A number of areas have seen sustained action by governments, but they must capitalize on the
opportunities they already have in place in order to make substantive progress, including through
leveraging existing legislation and allocating additional resources to combat the ransomware threat.
    » Harmonizing Incident Reporting Mechanisms: Much headway has been made to improve
    incident reporting structures. The United States and other partner countries still need to
    capitalize on current opportunities for streamlining incident reporting in order to lessen the
    burden on victims and increase the efficacy of response activity.
    » Expanding International Collaboration: Global collaboration continues to grow, despite
    significant outlier governments that are unwilling to take action against ransomware actors
    operating from their territory. Governments should continue to work together to share
    information and step up deterrence and disruption efforts.
    » Reining in Ransom Payments: As debates around payment bans continue, governments
    need to take concrete steps to make ransomware less profitable for bad actors and less
    devastating for victims.
» Meanwhile, in other areas that have seen little to no action, governments, civil society, and industry
need to initiate new or redoubled efforts.
    » Disrupting Ransomware At Scale: Coordinated law enforcement and private sector
    interventions are successfully disrupting ransomware operations, but need to be performed
    at scale for effective, long-term impact.
    » Fostering Public-Private Partnerships: Governments cannot go it alone, and need to lean on
    industry and other partners to foster a more resilient ecosystem.
    » Bolstering Resilience and Building Awareness: Organizations that follow best practice
    cybersecurity guidance provided by NIST, CISA, and related organizations (both in the United
    States and in other jurisdictions) have been able to dramatically increase their business
    resilience. Governments need to increase whole-of-nation awareness of these best practices
    and continue to make these resources easily accessible.
    » Committing Financial Resources for Preparation and Response: The United States and
    like-minded countries need to further invest in supportive measures for critical infrastructure and
    SMEs to prepare for attacks and respond effectively.
Before detailing our findings below, we want to note that as far as possible, the RTF tracks government
responses to ransomware around the world. To date, the U.S. government has typically been
among the most transparent and communicative about steps being considered or taken to combat
ransomware. This is partly cultural, but may also reflect that, according to reporting data, the United
States is still the most attacked nation,[4] and its economy experiences the greatest losses.[5] As such,
while we have attempted to incorporate geographically varied and relevant data and examples in our
reporting, our primary focus is on the actions and impacts of the U.S. government and in the United
States.

[4] Silas Cutler, “2022 RTF Global Ransomware Incident Map: Attacks continue worldwide, groups splinter, education sector hit hard,” Institute for Security and Technology, October 31, 2023, https://securityandtechnology.org/blog/2022-global-ransomware-incident-map/.
[5] “The 471 Cyber Threat Report 2023,” Intel471, August 7, 2023, https://intel471.com/resources/whitepapers/the-471-cyber-threat-report-2023; Zeba Siddiqui, “Alliance of 40 Countries to Vow Not to Pay Ransom to Cybercriminals, US Says,” Reuters, October 31, 2023, https://www.reuters.com/technology/alliance-40-countries-vow-not-pay-ransom-cybercriminals-us-says-2023-10-31/; Shmuel Gihon, “Ransomware Trends 2023 Report,” Cyberint, April 8, 2024, https://cyberint.com/blog/research/ransomware-trends-and-statistics-2023-report/.
Ransomware Task Force Recommendations: April 2024 Status
Significant Action: 24
Preliminary Action: 20
No Known Action
Introduction: The Evolving Threat Landscape

Ransomware incidents continue to impact organizations in every sector of the economy, especially
critical sectors like healthcare, transportation, and education, including smaller, under-resourced
entities. The FBI’s IC3 reported an 18% increase in ransomware incidents from 2022, with adjusted
losses of almost $60 million. The IC3 also noted that they received 1,193 reports of a ransomware
incident from critical infrastructure organizations, a 37% increase from the 870 reports it received in
2022.[6]

Even as the number of reported incidents is on the rise, the FBI IC3 report also noted that many
ransomware events continue to go unreported, greatly limiting cybersecurity and law enforcement
communities’ understanding of the frequency and disruption of ransomware incidents, not just in the
United States, but also worldwide. Organizations throughout the cyber response ecosystem—including
law enforcement, insurers, incident responders, cryptocurrency analysis firms, and others—track and
analyze as much data as they are able to access, with the goal of reporting new patterns of criminal
activity, including evolving tactics, techniques, and procedures (TTPs), and providing a sense of costs
of recovery and ransom payment trends. The RTF reviews as many of these sources as possible to
help inform our evaluation of the effectiveness of activities undertaken to address the ransomware
threat and the impact of these actions.

In 2023, ransomware groups increasingly used multiple variants against a single organization and
employed new data-destruction tactics to further pressure organizations into paying.[7] Many actors are
also shifting away from encryption and into data exfiltration and exposure in order to gain more traction
against organizations who have sufficient backups.[8] For example, a July 2023 Sophos report found
that 25% of attacks against the financial sector included both data encryption and data exfiltration.[9]

As some potential victims have bolstered organizational preparedness for a potential attack,
2023 saw threat actors becoming more creative and aggressive in their pursuits. Threat actors
intensified behavior, focusing their efforts against high-profile organizations and critical infrastructure.
Ransomware actors have also turned toward zero-day exploits to target widely-used IT services
like MOVEit and GoAnywhere file-transfer services, Citrix networking products, and PaperCut print
management software.[10] Google reported that four threat actors used six different zero days in
ransomware attacks.[11] CL0P, a group active since at least 2019, appears to be one of the major
pioneers leveraging zero days in its ransomware attacks.[12] Akamai Technologies, a cloud company,
cited the use of zero- and n-day vulnerabilities as a key factor in the rise of ransomware attacks.[13]

Ransomware groups face economic trade-offs in deciding whether to exploit zero-day vulnerabilities,
which can be costly to obtain and lose much of their value the first time they are used. The fact that
any groups have used zero-days to both intimidate victims and wreak extreme harm signals that
ransomware will remain a threat even though resilience is increasing. This tactic is one to watch and
forthcoming reporting requirements should help assess whether it was a temporary shift or a new,
troubling, trend.

Some threat actors have also begun to focus on more sophisticated social engineering attacks, such
as targeting internal IT help desks. A consortium of actors often known as Scattered Spider has been
known to employ such techniques, leveraging native English speaking capabilities to trick users into

[6] “Federal Bureau of Investigation Internet Crime Report 2022,” FBI Internet Crime Complaint Center, March 10, 2023, 14, https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf; “Federal Bureau of Investigation Internet Crime Report 2022,” 13.
[7] “Federal Bureau of Investigation Internet Crime Report 2023,” 3.
[8] “Ransomware on the Move: Evolving Exploitation Techniques and the Active Pursuit of Zero-Days,” Akamai Technologies, August 7, 2023, https://www.akamai.com/resources/state-of-the-internet/ransomware-on-the-move.
[9] Sophos, “The State of Ransomware in Financial Services 2023,” July 2023, https://assets.sophos.com/X24WTUEQ/at/skqcw8qv736cwr5hmtkxfwg/sophos-state-of-ransomware-financial-services-2023-wp.pdf.
[10] Jai Vijayan, “Ransomware Victims Surge as Threat Actors Pivot to Zero-Day Exploits,” DarkReading, December 8, 2023, https://www.darkreading.com/threat-intelligence/ransomware-victims-surge-as-threat-actors-pivot-to-zero-day-exploits; Matt Kapko, “Ransomware Actors Hit Zero-Day Exploits Hard in 2023,” Cybersecurity Dive, February 8, 2024, https://www.cybersecuritydive.com/news/ransomware-surge-zero-day-exploits/706983/.
[11] James Sadowski and Maddie Stone, “A Review of Zero-Day In-The-Wild Exploits in 2023,” Google (blog), April 5, 2024, https://blog.google/technology/safety-security/a-review-of-zero-day-in-the-wild-exploits-in-2023/.
[12] Shunichi Imano and James Slaughter, “Ransomware Roundup - Cl0p | FortiGuard Labs,” Fortinet (blog), July 21, 2023, accessed April 16, 2024, https://www.fortinet.com/blog/threat-research/ransomware-roundup-cl0p#:~:text=The%20Cl0p%20ransomware%20has%20been%20around%20since%20early%202019%2C%20and,active%20ransomware%20threat%20actors%20today.
[13] “A Year in Review: A Look at 2023’s Cyber Trends and What’s to Come,” Akamai Technologies, November 14, 2023, https://www.akamai.com/lp/soti/2023-year-review.
KEY RANSOMWARE STATISTICS: 2023
$1 billion in cryptocurrency extorted from victims of ransomware attacks, per Chainalysis
18% increase in ransomware attacks reported to the FBI’s Internet Crime Complaint Center (IC3) from 2022 to 2023
According to Sophos, 25% of attacks against the financial sector included both data encryption and data exfiltration
37% increase in ransomware attacks on critical infrastructure reported to the FBI’s IC3 (2022: 870; 2023: 1,193)
In 2023, according to Google, four ransomware actors exploited 6 zero-day vulnerabilities