November 8, 2023 | Policy Brief

The Counter Ransomware Initiative Takes the Fight to Hackers — But Commitments Appear Lackluster 

At the White House’s third annual Counter Ransomware Initiative (CRI) summit this week, participating countries expanded their efforts to combat ransomware by launching information-sharing platforms and pledging not to pay ransomware extortion in hopes of making these attacks less lucrative. However, this pledge’s loopholes and limited scope may render it ineffective. 

The CRI is the largest international partnership tasked with deterring and disrupting ransomware attacks. Representatives from 48 countries, the European Union, and INTERPOL attended the recent summit. As the impact of ransomware continues to grow, so too does CRI membership, with 13 new members joining the coalition this year. 

The summit focused on building partner capacity, launching information-sharing platforms, and fighting back against ransomware hackers. Lithuania created the Malware Information Sharing Platform, an open-source threat intelligence platform. Israel and the United Arab Emirates jointly created the Crystal Ball, an information-sharing platform with databases, virtual coordination platforms, and contact lists. The U.S. Justice Department commended Israel’s continued commitment to CRI even as it is battling Hamas terrorists following the October 7 massacre of Israeli civilians. These information-sharing platforms will allow CRI member states to quickly identify and react to ransomware attacks, learning from the experiences of their international partners to stay one step ahead of hackers.

Most notably, at the summit, the White House encouraged CRI members to pledge that their national governments and relevant institutions under their authority will not pay ransomware extortion demands. This pledge comes as ransomware is on track for its second-most profitable year after 2021. Reports indicate that at least 40 member states have signed on to the pledge in hopes of deterring hackers from targeting their systems, knowing that successful attacks will not result in a payout. 

While this pledge helps cement global norms against giving in to ransomware demands, the details of the pledge indicate that it is closer to idealistic rhetoric than actionable policy. The commitment not to pay extortion fees grants exceptions for emergency situations, which are left open to interpretation. Because of this wiggle room, ransomware groups may not be deterred from attacking government entities and could simply focus on hacking important systems that they know they can still extort, including within governments. Additionally, the pledge does not extend to state or local governments or any part of the private sector, leaving ample targets for ransomware groups.

Alongside efforts to improve member states’ capacity to combat ransomware, the CRI should continue to attract new, like-minded states to its ranks to cement global norms against ransomware. In addition to pledging to not pay ransoms themselves, member states should also encourage businesses and state and local governments to refuse to pay extortion fees and help these organizations be resilient against ransomware so that they do not have to pay. Developing internal policies that discourage ransomware payments by all entities can be a more effective way to dry up hackers’ profits than focusing solely on government statements. 

Michael Sugden is a research analyst and editorial associate with the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
