There is a new ransomware attack in the headlines nearly weekly. Several high-profile attacks in the last year were disastrous for the victim organizations and even caused supply chain disruptions, including two that impacted the oil and meat processing industries.

These attacks are also costly. According to Sophos’ State of Ransomware report, the average bill for rectifying a ransomware attack, counting downtime, people time, device cost, network cost, lost opportunity, and ransom paid, is US$1.85 million.

With no signs of slowing down, what can be done to stop this global crisis? The ransomware plague deserves a global response with concrete actions. The US federal government and its partners can take meaningful anti-ransomware action around the world with these three steps.

Stop paying ransoms

As long as victims pay ransoms, criminals will still be incentivized to launch ransomware attacks. That’s why all organizations that are part of a federal, state, or local government supply chain need to commit not to pay ransoms. The commitment should take the form of a contractual agreement with partners and vendors not to pay.

The government should help make this idea more acceptable by issuing a recommendation to organizations not to pay, and instead emphasize the need to invest in defenses against ransomware.

Regulate cryptocurrency exchanges

If ransomware groups have only a few places where they can safely cash out their ransom payments, earning illegal income from these attacks becomes less lucrative. That’s why the cryptocurrency exchanges where cybercriminals convert their ransoms into hard currencies must be regulated, so that criminals cannot easily convert crypto earnings from ransomware attacks.

For this to happen, the US government should pass cryptocurrency laws and anti-money laundering policies that prevent American-based crypto companies from being used as currency exchanges for ransomware attackers. The US should also work with allies and international groups like the UN and G-7 to apply these policies at an international level.

Mandate IT hygiene and breach disclosure

There is a reason why ransomware attacks are still so successful: many companies still lack basic IT hygiene. Employees need education about spear-phishing, and organizations need to use two-factor and multifactor authentication, deploy basic endpoint protection, and back up data to off-network and off-site storage.

While companies that contract with the federal government are obligated to follow baseline levels of cybersecurity, IT hygiene should also be mandated in some way for commercial organizations. One way? Make it part of compliance with certifications, rather than trying to pass laws that mandate this behavior. Certifications are easier to update than laws, so vendor compliance also stays up to date.

To fight back against ransomware attacks, we need to understand the scope and breadth of the problem, which is why breach disclosure should also be mandated. But any mandate for breach disclosure reporting must be applied carefully. It should not be deployed as a punishment for being breached, but as an awareness measure. Mandates should emphasize that swift disclosure gives everyone faster visibility into attacks, and faster action to protect themselves.

It’s time for global organizations and government entities to band together and take a stand against ransomware. These actions can serve as a meaningful roadmap to stop this plague on business from continuing to devastate victims around the world.

Sophos works with organizations to help them tackle the threat of ransomware. Learn more at Sophos.com.