Josephine Teo, Singapore's cybersecurity minister, speaks at the fifth annual Counter Ransomware Initiative Summit. Image: Singapore International Cyber Week via X

Counter Ransomware Initiative stresses importance of supply-chain security

Companies should improve the resilience of their software supply chains against ransomware, according to guidance the International Counter Ransomware Initiative (CRI) published on Friday after its fifth annual summit in Singapore.

The new guidance, developed by the United Kingdom and Singapore as the CRI’s policy leads, aims to raise awareness of the ransomware threat across supply chains, as well as promote good cyber hygiene that will see supply chain vulnerabilities factored into organizations’ risk assessments.

The CRI — now composed of 61 countries and six other international organisations — was launched by the United States in 2021 under the Biden administration, in an attempt to organize a global response to the transnational threat posed by cybercrime. Last year, the summit in the U.S. culminated in a call for insurance companies to stop funding ransomware payments.

This year’s guidance follows growing attention on the supply-chain dimensions to ransomware and other cyberattacks. A vulnerability in the MOVEit file transfer tool allowed attackers to compromise hundreds of companies in 2023. Blue Yonder, which sells digital supply chain tools to some of the world's largest companies, including BIC, Starbucks and Morrisons, suffered an attack last year that disrupted customers.

Britain’s security minister Dan Jarvis said: “Ransomware and cyber-attacks pose an immediate and urgent threat to our nation’s security and economy. We are taking decisive action to counter this threat, but global coordination is essential.

“Cybersecurity must be a top priority for all businesses. It’s vital that the counter ransomware guidance is followed and strong measures are taken to defend against these destructive attacks,” said Jarvis.

His comments follow British opposition lawmakers warning this week it was “deeply concerning” the government had still not introduced new cybersecurity laws to Parliament, saying that “gaps in our legislation” are “fuelling even greater threats against our nation.” 

Despite the efforts to establish a collective response to the issue, there are few signs that the coalition is directly suppressing the perpetrators of these attacks, who are often based in the jurisdiction of non-members, especially the Russian Federation.

There have been some positive signals, however, that efforts to starve ransomware cybercriminals of their profits are finally having an effect. A report by Chainalysis earlier this year found that the extortion payments funding the criminal ecosystem dropped for the first time in 2024.

The surprising and significant dip — down approximately 35% from $1.25 billion to $812.55 million — took place almost entirely in the second half of the year, with the first six months initially indicating 2024 would actually be “the worst year on record,” as Chainalysis said at the time.

But instead of reaching new heights, for the first time in two years ransomware payments dwindled — both in terms of the number of payments and the total sum being paid. At the time, Chainalysis attributed the fall to disarray in the ransomware ecosystem driven substantially by a law enforcement disruption operation targeting LockBit, the market-leading ransomware group, as well as the exit scam by the AlphV/BlackCat group.

Details on payments are unavailable for the whole of 2025, but significant incidents have continued, impacting companies such as Ingram Micro, United Natural Foods, and Asahi, and having an impact across the supply chains of those businesses.

The CRI announcement comes as the U.K. prepares to sign the UN Convention against Cybercrime this weekend in Vietnam. The new convention “will align the criminalising of several cyber-enabled offences globally including child sexual exploitation, fraud and, for the first time at an international level, the non-consensual sharing of intimate images,” said the British government.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.