Cybersecurity researcher and Malware Hunter, JAMESWT: The link in the message points to a URL from which it downloads an exe: the malware.
G7 sounds the alarm on the growing ransomware threat
The G7 expresses its concern over the use of malicious cyber-attacks, especially ransomware. The group reports, in an annex to the Finance Ministers and Central Bank Governors' Statement on Digital Payments, that malware attacks against hospitals, financial institutions, schools, and other critical infrastructure in G7 countries have been growing in scale, sophistication, and frequency. Attacks have intensified in the last two years, and illicit actors have exploited the pandemic to conduct ransomware attacks. For many companies, ransomware causes significant economic damage and threatens customer protection and data privacy. Ransomware attackers demand payments primarily in virtual assets to facilitate money laundering. The payment of ransoms demanded by these criminals can incentivize further malicious cyber activity; benefit malign actors and fund illicit activities; and present a risk of money laundering, terrorist financing, and proliferation financing (ML/TF/PF), and other illicit financial activity.
The Group's Finance Ministers and Central Bank Governors urge all countries to effectively implement the Financial Action Task Force (FATF) standards to reduce cybercrime access to and exploitation of financial services
G7 ministers call upon all countries to effectively implement the Financial Action Task Force (FATF) standards to reduce cybercrime access to and exploitation of financial services, particularly the updated FATF standards on virtual assets. This is because the financial services sector has become an attractive target for ransomware attacks, and financial institutions have reported increased sophistication in malicious cyber-enabled attacks in recent months. Some prominent strains of ransomware have been linked to groups that are vulnerable to influence by state actors. Examples demonstrate that virtual assets play an important role in most ransomware attacks. In instances where the victim does not own enough virtual assets to pay the ransom, the victim will often send funds via wire transfer, automated clearinghouse, or credit card payment to an exchange to purchase the type and amount designated in the ransom demand. From there the victim will send the virtual asset, often from a wallet hosted at the exchange, to the criminal-designated account or address.
The COVID-19 pandemic has expanded opportunities for ransomware attackers
According to the G7, the COVID-19 pandemic has expanded opportunities for ransomware attackers. Phishing emails using coronavirus-related subject lines or content are the latest method to get targets to click on malware links. Threat actors deploying ransomware also use fraudulent notifications for updates delivered through email or a compromised website to trick users into downloading the malware. Ransomware attacks can impose devastating consequences on victims and those that depend on them. Not only can the financial costs be high, but the disruption to critical sectors, including financial services and healthcare, as well as the exposure of confidential information, can cause severe damage. The payment of ransom may encourage future ransomware payment demands, especially against the victim or type of victim that has proven profitable in the past.
The people behind malware are of different kinds, from cyber criminals to terrorists to state-sponsored hackers
Ransomware is primarily a profit-seeking endeavor, and its purveyors generally focus on the most lucrative targets, such as those with significant sources of funding or those with limited cyber security protection. Ransomware attackers are cyber criminals, many of whom are involved in transnational organized crime groups, and a received ransom payment constitutes criminal proceeds. Criminals who have employed malware may also be linked to states seeking to evade sanctions. Malware proceeds could also be used to finance terrorism once they have been converted into anonymously-held funds by a victim payment into an unidentified virtual asset wallet. If employed by a state-sponsored or linked actor, ransomware payments could offer a possible profit source to finance the proliferation of weapons of mass destruction.
How the G7 cybersecurity community will react to this threat
To counter the cybercrime threat, G7 jurisdictions will share information related to ransomware, including financial intelligence and cyber tactics, techniques, and procedures, where possible, as appropriate, and to the greatest extent possible under applicable law, in order to guide coordinated action. This includes, but is not limited to, exploring opportunities for coordinated targeted financial sanctions, consistent with national law and regulation, against ransomware operators and their facilitators, and promoting available technical innovations to protect cyber assets. The G7 further commits to lead by example in implementing and encouraging the worldwide implementation of AML/CFT obligations on virtual assets and virtual asset service providers, considering that the FATF has updated its standards to clarify their application to virtual assets and virtual asset service providers. Mitigating the threat before an incident is a key component. Companies need to move beyond traditional perimeter security to defend against ransomware, by employing layered security to prevent, detect, and remediate malicious activity that may be conducted within the network. Companies may also consider altering their own internal response and recovery plans in light of the potential sanctions violations, particularly if current plans consider paying a ransom.