UPDATED US Senator Elizabeth Warren has proposed a new piece of legislation that will force organizations to disclose when and how much they have paid to ransomware gangs.
Last week, together with Representative Deborah Ross, Warren announced the Ransom Disclosure Act, which aims to provide the Department of Homeland Security (DHS) with critical data on ransomware payments in order to “bolster our [the government’s] understanding of how cybercriminal enterprises operate and develop a fuller picture of the ransomware threat”.
Warren said the reporting of ransomware payouts will help the government “to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises – and help us go after them”.
Disclosure
If passed, the bill would require ransomware victims (excluding individuals) to disclose information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment, and any known information about the entity demanding the ransom.
It will also require the DHS to publicly report the information disclosed during the previous year, excluding identifying information about the entities that paid ransoms, and to establish a website through which individuals can voluntarily report payment of ransoms.
The law will also mandate the Secretary of Homeland Security to carry out a study focused on finding patterns among ransomware attacks and the extent to which cryptocurrency facilitated these attacks, and to provide recommendations for protecting information systems and strengthening cybersecurity.
Increasing attacks
A news release from Warren’s team noted the rising frequency of ransomware attacks across the nation.
Between 2019 and 2020, the release said that ransomware attacks rose by 158% in North America.
In 2020, it reported, the FBI received nearly 2,500 ransomware complaints, up 20% from 2019 and accounting for losses of over $29 million.
This is evident by the increasing number of ransomware attacks impacting predominantly the healthcare, education, and critical infrastructure industries in the US.
Callum Roxan, head of threat intelligence at F-Secure, commented: “Governments know ransomware is a problem, but just how much of a problem is unclear. Compulsory reporting of ransomware payments can help shed light on the true scale of the problem and not just the tip of the iceberg we see reported in the media.“The legislation may run in to issues on reporting based on how and where organizations decide to pay the ransom. If they organise payment through and intemediary will they have to report?
“If they pay the ransom from a company in their portfolio that is not under US jurisdiction (aka abroad) will they have to declare? There will always be ways round this type of legislation, but if constructed well it can have a positive impact on informing government of the real scope of the issue.“The most interesting aspect of the suggested legislation is the directive to the DHS to investigate the cryptocurrency facilitation of ransomware. This may spark further legislation and focus on this medium by the US government. It certainly will help arm it with the information it needs to decide if this is an effective avenue for combatting ransomware.”
This article has been updated to include further comment.