Singapore releases blueprint to combat ransomware attacks

Inter-agency task force set up to boost the country's counter-ransomware efforts offers guidelines on how to mitigate such attacks, including a reference "kill chain" and recommendations on whether to pay the ransom.
Written by Eileen Yu, Senior Contributing Editor

Singapore has released what it says is a blueprint to combat growing ransomware threat and offer guidelines on how to mitigate such attacks. These include a reference ransomware "kill chain" and recommendations on whether to pay ransom demands. 

Ransomware risks had increased significantly in scale and impact, becoming an "urgent" problem that countries including Singapore must address, said Cyber Security Agency (CSA) in a statement Wednesday.  

"It is inherently an international problem, as attackers conduct their operations across borders and jurisdictional lines to evade justice" the government agency said. "Fuelled by illicit monetary gains, ransomware has raised a criminal ecosystem, offering criminal services from unauthorised access to targeted networks to money laundering services."

To effectively address the challenge, it underscored the need to coordinate cybersecurity, law enforcement, and financial regulatory agencies as well as support global collaboration. 

This had prompted Singapore to establish an inter-agency task force early this year, comprising senior representatives from various ministries and government agencies including CSA, Government Technology Agency, Ministry of Defence, Monetary Authority of Singapore, and Singapore Police Force.  

The task force focused on three primary outcomes encompassing a reference model for a ransomware kill chain, which would serve as the foundation for government agencies to coordinate and develop counter-ransomware solutions. It also reviewed the country's policies towards making ransom payments and established recommendations of operational plans and capabilities needed to combat ransomware effectively. 

The kill chain outlines five stages of a ransomware attack, starting from the phases before it is activated and when attackers gain access to the targeted system and and execute preparatory steps, such as data exfiltration and removal of backups. Stealth is a priority here and attackers have been known to carry out these stages months before activation, according to the blueprint. 

It highlighted that "prevention is better than cure", the report noted, adding that cutting the skill chain at the initial two stages should be the priority. 

"Having a common reference model of a ransomware kill chain will allow countries to better understand each other, facilitate information sharing, benchmark counter-ransomware best practices, and identify gaps in existing national measures," the task force said in the report. 

The blueprint also supported Singapore's stance that payment of ransoms should be "strongly discouraged", as doing so would further fuel the ransomware problem since that was the attacker's main objective.

Furthermore, paying the ransom neither guaranteed the decryption of data nor that the data would not be published by the hackers. The task force noted that organisations that opted to pay the ransom could be identified as "soft" targets and be hit again

In addition, payment of ransoms in such attacks under certain circumstance may breach the Terrorism Act 2002, which criminalises the financing of terrorist acts. 

With this in mind, the task force recommended government agencies and owners of critical information infrastructures (CII) consider the risk and notify CSA and law enforcement, in the event of a ransomware attack, before making any ransom payment.

it also suggested the government looked at four key action plans, including strengthening the cyber defence of high-risk targets, such as CIIs and government agencies, as well as supporting recovery so victims of ransomware attacks did not feel pressured to pay the ransom. 

According to CSA, the number of reported ransomware cases totalled 137 last year, up 54% from 2020, with SMBs from sectors such as manufacturing and IT mostly falling victims to such attacks. It added that ransomware groups targeting SMBs in Singapore tapped the ransomware-as-a-service model, which made it easier for amateur hackers to use existing infrastructure to push out ransomware payloads. 


Editorial standards