Next Steps for the International Counter Ransomware Initiative


It is normal for a new administration to look cautiously at initiatives it inherits from its predecessor. There are instances where this caution is justified and others where it is not. In this transition, one initiative that deserves continued U.S. support is the International Counter Ransomware Initiative (CRI). The CRI offers a more effective approach to international cooperation and addresses a major cyber threat. It has become self-sustaining with support from its many members. The CRI amplifies U.S. influence and leadership in ways that cannot be easily duplicated. 

Ransomware is the fastest-growing cybercrime, where criminals encrypt victim data and demand payment for its release. This affects businesses of all sizes, from corporations to hospitals and schools. Ransomware attacks cause significant financial and reputational damage. The United States is a prime target, experiencing nearly half of all global attacks in 2023. Ransomware is a global criminal enterprise with sophisticated actors. These criminals operate internationally, exploiting digital infrastructure and leveraging “sanctuary” countries like Russia that will not cooperate with other nations’ law enforcement agencies. The transnational nature of ransomware makes it a complex challenge for international security and requires coordinated action between the United States and its partners to effectively combat it.

The United States led the effort to establish the CRI in the aftermath of the Colonial Pipeline attack after realizing that it could not manage these threats on its own. The CRI began in October 2021 after meetings in Washington of ministers and officials from 31 countries and the European Union. It has now grown to over 70 countries and international organizations and its work focuses on developing the capabilities to disrupt attackers, denying access to the digital infrastructures they use, sharing information and best practices, and supporting victim states. It parallels, to an extent, collaborative efforts in the intelligence community on cyber threats and responses.

The CRI is made up of four “pillars”: the Policy Pillar (led by Singapore and the United Kingdom), the International Counter Ransomware Task Force (ICRTF) (led by Australia and Lithuania), the Diplomacy and Capacity Building Pillar (led by Germany and Nigeria), and the Private Sector Advisory Group (led by Canada). Since its inception, the United States has served as the initiative’s chair and secretariat. The CRI is a White House initiative. It would be difficult for any agency to lead an international effort of this scope with issues that cut across major agencies—including the Department of Justice, the Department of the Treasury, the Department of Homeland Security, and the Department of State.

The fourth CRI summit was held in October 2024 with 68 countries and organizations (three more countries have joined since then). Members reaffirmed CRI’s commitments to resilience, cooperation, and disruption through the policy, diplomacy, and capacity-building pillars, and the ICRTF. The initiative launched a new public-private sector advisory panel, led by Canada, establishing a trusted set of private-sector partners for CRI members to rely on when faced with responding to ransomware attacks. 

The CRI is focused on international crime and not directly on international security. This makes it uniquely attractive to a broad set of countries. The CRI members share a deep concern over international cybercrime and are willing to participate and take leadership roles in a way that would not be the case if the United States called for nations to join an initiative focused on geopolitical cyber actions by states like Russia and others. Ransomware does not raise the diplomatic concerns that a broader security effort would bring, making it possible to bring together a broad range of countries from all regions of the world that are willing to collaborate on tangible actions to improve cybersecurity.

This is a key feature of the CRI. Unlike many other cyber initiatives, it goes beyond statements and takes coordinated action against cybercriminals through joint disruption actions. The Initiative developed platforms to rapidly share threat indicators, including Lithuania’s Malware Information Sharing Project and Israel and the United Arab Emirates’ Crystal Ball platforms, and agreed to assist any CRI member with incident response if their government or critical sectors experience a ransomware attack.

The CRI has more than tripled in number since its creation. This reflects not only the severity and danger of the ransomware problem but also the hunger in many nations for a collaborative approach. One precedent for collaboration comes from the Financial Action Task Force (FATF). FATF is an intergovernmental group that coordinates action to prevent money laundering and terrorist financing. FATF has a “light” organizational structure with the chair and secretariat rotating annually among its 39 members and working groups that focus on specific issues. FATF’s plenary, comprised of all member countries and organizations, meets annually to set policy and consider recommendations.

As the initiative evolves, it may need a more formal structure. In 2025, Australia, Germany, the United Kingdom, and Singapore will lead a Steering Committee to guide and manage CRI activities over the next year. The establishment of the steering committee reflects the initiative’s collective commitment to ensuring continuity and stability in the CRI as we adapt to evolving threats posed by ransomware actors. Leads of the Policy Pillar, ICRTF, Diplomacy and Capacity Building Pillar, and the Private Sector Advisory Group will continue their ongoing work under this new Steering Committee. This will help further operationalize CRI. There has been progress in this area, but more is needed.

The ICRTF is currently chaired by Australia and Lithuania, and it supports ongoing counter-ransomware operations undertaken by members individually or cooperatively, including information sharing, resilience, disruption, and capacity building by developing collective best practices for countering ransomware. The task going forward is how to extend the work of the ICRTF and connect CRI governments with industry for both defensive and disruptive activities.

The new administration faces several issues in moving ahead with the CRI. One of the first involves the questions of size and continued expansion. The CRI has grown dramatically, a reflection of the interest of many countries in a collective response to cybercrime. But there has been concern among a few members that expansion may dilute the CRI’s sense of purpose and overtax its resources. Continued expansion does offer benefits. Members have made commitments to combating ransomware; collaborating by sharing information, best practices, and resources; and aligning national policies with CRI goals. The CRI offers an alternative for assistance not available elsewhere, and adding members increases its influence and effectiveness (starting with information and capacity building).

Other areas of focus for the initiative include:

  • The CRI discourages payments to ransomware attackers, copying in part the non-payment precedent developed for hostage situations. The CRI made the first-ever collective statement last year that member governments will not pay ransoms. There has been reluctance by members, however, to endorse a full ban. Working with insurance companies, the CRI has developed guidance for companies in deciding whether to pay a ransom, including the extent of insurance coverage, but how to extend this, and whether to continue to push for a full ban, is an issue.
  • Digital currency makes ransomware payments easier and less traceable. The increased ease of monetization that cryptocurrencies provide is another reason cybercrime has increased. Cryptocurrency is an invaluable tool for cybercrime and is central to ransomware attacks, but it is not going away. How to manage the risk of cryptocurrency will be a continuing issue for the CRI (along with the international banking community and law enforcement).
  • The issues of attribution and the imposition of consequences to create accountability pose difficult problems. This does not mean imposing consequences on cybercriminals—existing law is adequate for that—but on the nations that provide sanctuary to them. Consequences mean the range of internationally lawful responses available to states that are the victims of ransomware attacks. While there has been some progress towards the imposition of consequences, CRI could help develop common views among its member nations on the range of consequences, how to anchor them in a rules-based approach to international order, and how to present them to a global audience.
  • A key part of information sharing and decisions on consequences is the attribution of the source of an attack. Attribution touches on information sharing and best practices and requires common understanding. One of the strengths of the CRI is that it is not all or nothing, but common attribution standards among members would help to make the political case for collective action.
  • The ICRTF is a key component of the CRI and is intended to deliver practical tools and operational capabilities. Its success hinges on strong international cooperation, effective information sharing, and the continuous development of new tools and techniques to combat changing ransomware technology. ICRTF faces challenges, including coordinating law enforcement and intelligence sharing across countries with varying legal systems and cyber capabilities, making building better cybersecurity capabilities a central task for the new team.

There is a strong case for continuing the CRI. 

First, note that the new steering committee will continue with or without the United States, but participation gives the United States unparalleled influence in cybersecurity cooperation and strengthens its own defenses. 

Second, ransomware is not a problem that one nation, even the United States, can take on by itself. The CRI provides the necessary collective approach. 

Third, neither the United Nations nor any of the various treaty bodies are adequate for addressing the ransomware problem. New kinds of international bodies, less formal and less Western, are required to win the support of the newly emerging powers (like India, Nigeria, or Mexico) that are reshaping the international order, and many of these emerging powers are CRI members. The CRI gives the United States a platform to build broad partnerships with nations that might not otherwise be interested.

But the most important reason for the CRI is the need for a coordinated international response to one of the major threats in cyberspace. For this coordinated response, it is irreplaceable.

James A. Lewis is a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.