International Counter Ransomware Task Force kicks off

An international counter-ransomware task force first announced at a White House event in November officially commenced operations on Monday, according to the Australian government which is the inaugural chair of the group.

The International Counter Ransomware Task Force’s (ICRTF) operations are intended to drive collaboration among a coalition of 36 member states and the European Union to counter the spread and impact of ransomware which, despite typically being a criminal rather than state-based activity, has become a significant national security threat in recent years.

The ICRTF was announced by members of the Counter Ransomware Initiative (CRI) after the conclusion of a two-day conference hosted by the Biden administration.

It aims to help member states exchange information and intelligence about the threats they’re facing, alongside sharing policy and legal authority frameworks and encouraging members’ law enforcement and cyber authorities to collaborate.

ICRTF members have committed to “joint action in the fields of resilience, disruption, and countering illicit finance,” the White House announcement said.

“Ransomware represents a significant global threat, and Australia will continue to play a leading role working with international partners, industry and the community to develop effective responses to combat cyber criminals and protect our people and institutions,” said Australia’s home affairs and cyber minister Clare O’Neil.

“Recent cyber incidents in Australia and around the globe are a stark reminder of the insidious nature of ransomware, and the ability of cyber criminals to cause widespread disruption and harm to broad sections of the community,” she added, referencing an attack on health insurance business Medibank.

Following this incident, the Australian government announced a new permanent joint standing operation that would be “offensively attacking” groups behind ransomware incidents. It has not been disclosed what role, if any, offensive operations might play in the work of the ICRTF.

The CRI conference where the ICRTF was announced was notable for the absence of several states which have been accused of failing to tackle criminal cyber activities conducted from within their territories, particularly Russia, China, Iran and North Korea.

It featured five working groups which intended to take different approaches to the ransomware threat: “resilience (co-led by Lithuania and India), disruption (led by Australia), counter illicit finance (led by the UK and Singapore), public-private partnership (led by Spain), and diplomacy (led by Germany).”

It followed a senior FBI official saying his agency had seen “no indication” Moscow has cracked down on criminal networks within its territory, and the Treasury Department imposing sanctions on a cryptocurrency exchange owned by Russian nationals that allegedly helped launder more than $160 million for various ransomware and criminal groups.

Ransomware attacks have rapidly become a key concern for many states following a series of devastating incidents affecting businesses that operate critical infrastructure such as the Colonial Pipeline in the United States, or contribute to essential services such as the South Staffordshire Water utilities company in Britain.

At the time of the CRI conference, ransomware attacks were making up the majority of the British government's "Cobra" crisis management meetings. Since then high-profile targets in the United Kingdom, including The Guardian newspaper and Royal Mail, have also confirmed being impacted by incidents.