Ransomware Task Force Urges Tighter Crypto Regulation

Cyber Security News

A taskforce of security industry experts has called for tighter regulation of the cryptocurrency sector in a bid to tackle the global ransomware epidemic.

Convened by the Institute for Security and Technology and trialled since last December, the Ransomware Task Force (RTF) is a team of over 60 experts from software companies, cybersecurity vendors, government agencies, non-profits, and academic institutions.

Its framework document makes five key recommendations to tackle the cyber-threat. The most eye-catching of these is that governments require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading ‘desks’ to adhere to the same regulatory standards as banks. That means following anti-money laundering (AML), Know Your Customer (KYC) and Combatting Financing of Terrorism (CFT) laws.

Other recommendations include that the US government “execute a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House.”

It emerged last week that a new Department of Justice taskforce will work to manage efforts across the federal government to disrupt C&C infrastructure, seize profits, coordinate training and intelligence sharing and more to try and disrupt ransomware groups.

The RTF also called for prioritized law enforcement efforts across jurisdictions and “a clear, accessible, and broadly adopted” international framework to help organizations prepare for, and respond to, ransomware attacks.

However, some security experts were skeptical about the RTF’s recommendations.

ImmuniWeb founder, Ilia Kolochenko, argued that even if cryptocurrencies were regulated, cyber-criminals would find ways to bypass regulations. Indeed, the current AML regulatory regime is widely seen to have failed.

“I’d rather suggest treating the root cause of ransomware: the widespread lack of basic cyber-hygiene,” Kolochenko argued.

“Even the largest organizations from regulated industries often fail to follow the basics: maintain an up-to-date asset inventory, implement risk-based and threat-aware security controls, perform continuous security monitoring and anomaly detection, conduct ongoing security training and awareness, maintain software and patch management programs, and to enforce centralized identity management.”