CRI Releases Guidance on Avoiding Ransomware Payments

Members of the Counter Ransomware Initiative (CRI) have published new guidance to encourage organizations to consider other options before making ransomware payments to cybercriminals.

The new guidance aims to minimize the overall impact of a ransomware incident and help reduce the number of ransoms paid by victims as well as the size of the ransoms when victims do choose to pay.

The guidance strongly discourages firms from making payments but acknowledges that there may be occasions when a victim considers paying. However, the UK government for instance does not endorse or condone anyone paying ransoms. 

A Chainalysis study from earlier this year reported that ransomware actors collected over $1bn in payments in 2023. Ransomware payments have generally been on the rise since 2019, when Chainalysis began recording the market. 

The CRI noted that payment does not guarantee access to data and devices, and even acquiring the decryption key may not bring about the end of the incident.

NCSC Director for National Resilience Jonathon Ellison said, “Ransomware remains an urgent threat and organizations should act now to boost resilience.”

The UK and 38 countries including Australia, Canada, Japan, the United States and New Zealand united with international cyber insurance bodies to back the CRI guidance.

“The endorsement of this best practice guidance by both nations and international cyber insurance bodies represents a powerful push for organizations to upgrade their defenses and enhance their cyber readiness,” Ellison said.

Counter Ransomware Initiative Guidance Recommendations

The CRI said that organizations are encouraged to make preparation, as part of their business continuity plan, and develop and implement their policies, procedures, frameworks, and communications plans in advance of any ransomware incident.

The guidance advises organizations to:

• Consider the legal and regulatory environment around ransomware payments
• Report the incident to the authorities at the earliest opportunity. Timely reporting can help law enforcement investigations as well as allow authorities to provide the necessary assistance to victim organizations
• Evaluate all options and ensure due diligence is a part of the response and recovery plan
• Consult experts where possible such as insurers, national technical authorities, law enforcement or cyber incident response companies familiar with ransomware incidents
• Review the alternatives to paying a ransom. Decisions about payment should be informed by a comprehensive understanding of the impact of the incident and whether payment is likely to change the outcome
• Gather relevant information to assess the impact and legal obligations. This includes considering the technical situation, like the availability of back-ups, and put in place workarounds to manage business disruption
• Assess the impact of the incident in order to be better prepared for instant coverage discussions. Organizations should also evaluate risk to life, personal data or national security if data were published. Any claims about the nature and amount of data stolen should be verified.
• Record decision making to create an auditable trail
• Involve the necessary stakeholders across the organization in decisions, including technical staff and senior decision makers
• Investigate the root cause of the incident and make the necessary preparations to avoid a repeat attack

The guidance is non-binding in nature and does not override specific laws and regulations that may apply across CRI member jurisdictions.

In 2023, a pledge was made by members of the CRI against ransomware payments and that central government funds should not be used to pay ransoms to cybercriminals.

The new guidance comes as Cyber Security Awareness Month begins, which focuses on the importance of businesses building their cyber resilience.

The Guidance was agreed during Fourth International Counter Ransomware Initiative (CRI) Summit annual gathering on October 1, 2024, at the Foreign Service Institute in Arlington, Virginia.