Inter-agency Counter Ransomware Task Force Releases Report - a Blueprint to Protect Singapore from Ransomware Attacks

30 Nov 2022

The Counter Ransomware Task Force  (CRTF), which was set up to bring together Singapore Government agencies across relevant domains to strengthen Singapore’s counter-ransomware efforts, released its Report today. The recommendations in the CRTF Report serve as a blueprint to drive Singapore’s efforts to foster a resilient and secure cyber environment, domestically and internationally, to counter the growing ransomware threat.

2 The ransomware threat has grown significantly in scale and impact, and has become an urgent problem for countries around the world, including Singapore. It is inherently an international problem, as attackers conduct their operations across borders and jurisdictional lines to evade justice. Fuelled by illicit monetary gains, ransomware has raised a criminal ecosystem, offering criminal services from unauthorised access to targeted networks to money laundering services.

3 To effectively counter the ransomware threat, it is important that Singapore addresses the ransomware problem as both a cross-border and cross-domain challenge. To address the ransomware problem, other countries should also take similar steps domestically to coordinate their cybersecurity, law enforcement, and financial regulatory agencies, and support global cooperation.

4 The work of the CRTF culminated in three key outcomes. First, it developed a consolidated understanding of the ransomware kill chain, upon which Government agencies can coordinate and develop counter-ransomware solutions. Second, it reviewed Singapore’s policy towards making ransom payments to ransomware actors. Third, the CRTF recommended the policies, operational plans, and capabilities under four pillars of action that the Government should consider to counter ransomware effectively:

Pillar 1: Strengthen defences of potential targets (such as Government agencies, critical information infrastructure, and businesses, especially small and medium enterprises) to make it harder for ransomware attackers to launch successful attacks.

a. Organisations should implement risk-mitigation measures such as:

i) a sound credential management policy to prevent unauthorised access, ii) network segregation and segmentation, iii) a robust offline backup system, and iv) a restoration plan to ensure that key assets can be recovered in the event of a ransomware attack.

For Critical Information Infrastructure (CII) owners who operate essential services, the CRTF reviewed the Cybersecurity Code of Practice, which was recently revised in July 2022, and agreed that it provided adequate guidance for owners of CII on the appropriate risk identification and mitigation measures. The CCOP will be regularly updated to ensure that it remains relevant.

Pillar 2: Disrupt the ransomware business model to reduce the pay-off for ransomware attacks.

a. Discouraging ransom payments to reduce the profit that ransomware attackers can expect from setting up ransomware attacks. The Government strongly discourages the payment of ransoms and will continue to highlight the risks and implications of doing so. The CRTF also recommends studying the implications of cyber insurance policies that include coverage of ransom payments on the ransomware industry, and the potential impact if such coverage is disallowed.

b. Tracing the illicit flows of assets paid in ransom (usually in cryptocurrency) more effectively to reduce the likelihood of ransomware attackers being able to abscond with ransom payments. One recommendation is to consider making it mandatory for organisations to report the payment of a ransom. Such information is necessary for the Government to be able to trace these illicit financial flows and claw back ransom payments. The Government will also look into augmenting our tracing capabilities by tapping on public-private partnerships.

Pillar 3: Support recovery so that victims of ransomware attacks do not feel pressured to pay the ransom, which fuels the ransomware industry.

a. Providing resources to victims to help recover from ransomware attacks.
The CRTF recommends creating a one-stop portal for organisations to access all ransomware-related resources, aimed at victims of ransomware attacks seeking recovery support. The portal will provide links to resources, such as decryption keys and response checklists, that could assist in recovery efforts after a ransomware attack. It will also provide information on preventative measures such as CSA’s Cyber Essentials cybersecurity toolkits, and alerts and advisories relevant to ransomware.

b. Encouraging cyber insurance as a risk management practice.
Another recommendation is to explore levers to increase the take-up rate of cyber insurance amongst organisations, while the impact of covering ransom payments is being studied. Even if ransom payments are not covered, obtaining cyber insurance coverage for other potential costs arising from a cyber incident is still a useful risk management practice as it allows an organisation to transfer and/or share the risks arising from a cyber incident with private commercial insurance companies. Such cyber insurance can also incentivise organisations to adopt better cybersecurity measures to meet the underwriting requirements.

Pillar 4: Work with international partners to ensure a coordinated global approach to countering ransomware. The CRTF has identified three specific areas in which Singapore should focus on, and contribute to efforts to foster international cooperation:

a. Law Enforcement. To bring ransomware attackers to justice and deny these criminals safe havens, the CRTF recommends exploring ways to expedite cross-border law enforcement collaboration on a bilateral or plurilateral basis, such as an international framework for information exchange and interdiction of ransom payments.

b. Anti-Money Laundering Measures. The ransomware threat has made evident the need to ensure that regulatory gaps are addressed so that illicit ransom flows can be traced and the abuse of virtual assets stopped. The CRTF recommends that Singapore continues to work with international counterparts towards timely and consistent implementation of FATF standards on combating money laundering and the financing of terrorism and proliferation.

c. Discouraging Ransom Payments. Without international alignment on the insurance policies covering ransom payments, any attempt to discourage these within our domestic market will be ineffective as businesses can easily turn to insurance providers overseas to buy insurance policies. A key recommendation is to work with international partners to study the effects of insurance policies covering ransom payments on the ransomware industry.

4 The recommendations of the CRTF will be taken up by relevant Government agencies for further study and action.

5 Mr David Koh, Commissioner of Cybersecurity, Chief Executive of CSA and Chairman of the CRTF, said: “Ransomware is a threat to our companies and citizens. It can hurt us at many different levels, economically, socially, and even at a national security level. Ransomware is both a cross-border and cross-domain problem. Not only does it require us to work together and draw on our expertise in many domains, such as cybersecurity, law enforcement and financial supervision, it requires us to work with like-minded international partners to find common cause and identify solutions together. We urge organisations and individuals to do their part too, so that we can strengthen our collective defence against the ransomware scourge.”

 

1 The setup of the Counter Ransomware Task Force (CRTF) was first announced by Senior Minister Teo Chee Hean at the Singapore International Cyber Week 2022. The CRTF is chaired by the Commissioner of Cybersecurity and Chief Executive of the Cyber Security Agency of Singapore (CSA) David Koh, and comprises senior representatives from CSA, Government Technology Agency, Infocomm Media Development Authority, Ministry of Communications and Information, Ministry of Defence, Ministry of Home Affairs, Monetary Authority of Singapore, and Singapore Police Force, as well as support from the Attorney-General’s Chambers.


 

About the Cyber Security Agency of Singapore

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our Nation Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes. 


CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. For more news and information, please visit www.csa.gov.sg