
Public-Private Partnership ‘Melissa’: Combatting Ransomware

Image: Signing of the Project 'Melissa' Agreement at the ONE Conference 2023

Over the last decades, ransomware incidents have surged all around the globe. To address this growing threat, a public-private partnership (PPP) called ‘Melissa’ was initiated in 2022 in the Netherlands, uniting Dutch public entities (e.g., police, NCSC) and private cybersecurity firms.

Ransomware is the most common form of cybercrime worldwide. In a ransomware attack, cybercriminals infiltrate a system and typically encrypt critical data; the owner or processor can only regain access to this data after paying a ransom – although payment does not guarantee that the data will be decrypted. Cybercriminals frequently also exfiltrate important documents and/or personal data as part of a ransomware attack, to use as leverage in negotiations, for instance by (threatening to) leak documents or by selling or granting access to personal data. While the first ransomware case was reported in 1989, ransomware has proliferated since 2005, initially targeting individuals but later shifting focus to (large) public and private organisations because of the substantially higher potential gains. Since 2015, ransomware attacks have become more complex and professional, ransom demands have increased exponentially, and the economic and societal impact of the phenomenon has surged.

Ransomware attacks can cause serious damage. It is now estimated that the total cost of ransomware attacks reaches tens, if not hundreds, of billions of dollars. However, the impact of ransomware attacks on victims goes beyond the large sums of money demanded by cybercriminals. As has been stated elsewhere: “Ransomware’s effects are not just monetary, as the loss of the files themselves (or the costs of ransom) may be eclipsed by the loss of ‘client trust, relationships, and reputation’.” In addition, potentially unsafe situations can arise, for example when hospitals or energy plants fall victim to a ransomware attack and vital societal processes come to a halt. In such cases, a ransomware attack on a single organisation can have a broader impact on society and national security.

Ransomware in the Netherlands

In 2023, the Dutch police reported that 147 organisations in the Netherlands had fallen victim to ransomware attacks. However, the question remains whether these figures fully capture the scope of the ransomware phenomenon in the Netherlands, as only a small number of organisations report a breach to the police. This is confirmed by research by Blom et al., based on surveys conducted by insurers, which found that 26% of all Dutch companies had been victimised by ransomware in 2022. Notable ransomware attacks in the Netherlands include those on Maastricht University (December 2019), the Municipality of Hof van Twente (December 2020) and the Dutch Football Association KNVB (September 2023).

Project Melissa

Against this background, representatives from public organisations (i.e. the Police, the Public Prosecution Service and the National Cyber Security Centre (NCSC)) and private cybersecurity organisations initiated a new collaboration in 2022 to combat ransomware. The incentive was the belief that knowledge and information about ransomware threats were still highly fragmented, which hindered the effective identification and tackling of those threats. This public-private partnership (PPP) was named ‘Melissa’ (*). Within Melissa, the parties aim to systematically exchange knowledge and information, and to collaborate occasionally on specific investigations, in order to collectively make Dutch public and private organisations less attractive targets for ransomware attacks.

Lessons from Melissa

Due to the complexity and far-reaching consequences of cyberattacks, PPPs are regarded worldwide as a potential solution. However, the existing literature offers few theoretical guidelines on how effective partnerships can be established. In fact, it turns out that in practice, collaboration between public and private parties is often complicated, costly and fragile, owing to organisational boundaries, differing interests and the lack of a shared sense of priority.

In a recent evaluation, it was concluded that the collaboration within Project Melissa has proven highly valuable in combating ransomware. It has not only resulted in successful actions against large criminal ransomware groups, which received broad media coverage, but also in several whitepapers that can enhance victim resilience. Melissa has also yielded sustainable networks, shared working practices and clear ethical frameworks for investigating and combatting ransomware throughout the chain. The shared belief of the cybersecurity organisations involved is that Melissa has had a long-lasting impact on the cybersecurity sector in the Netherlands.

Project Melissa offers interesting insights into what drives effective public-private partnerships in the field of cybersecurity. It reveals the importance of social relationships, trust, clear norms, a strong shared purpose, the role of key members and a willingness to recognise others’ contributions to success. The project also showed that partnerships between public and private parties do not arise spontaneously and are no easy feat: such a partnership is an intensive undertaking that requires structural effort from all stakeholders involved. As such, cases like Project Melissa are indispensable for learning how to work on security in a digital age.

(*) The name Melissa originates from a meeting between public and private organisations in the spring of 2022. During this meeting, an incident response team shared an audio recording of a negotiation with a ransomware group. It turned out that the negotiator, who introduced herself as Melissa, had previously negotiated with several others present at the meeting. What stood out was that these negotiations had involved different ransomware groups. This revealed that negotiators can apparently be hired by various groups – highlighting that ransomware criminals operate in highly organised networks.