Organisations who find their networks hit by a ransomware attack may soon have to disclose within 48 hours any payments to their extortionists.
That’s the intention of the Ransom Disclosure Act, a new bill proposed by US Senator Elizabeth Warren and Representative Deborah Ross.
Ransomware victims are not currently required to report attacks or ransom payments to federal authorities, but the new bill would require all ransomware victims (excluding individuals) to disclose the following information within 48 hours of a ransom payment:
- The date on which the ransom was demanded.
- The date on which the ransom was paid.
- The amount of ransom demanded.
- The amount of ransom paid.
- The currency used to make the payment (including type of cryptocurrency, if cryptocurrency was used).
- Whether the organisation that paid the ransom receives Federal funds.
- Any known information regarding the identity of the extortionist.
According to Warren, the legislation will help to collect data about ransomware attacks, and help to identify just how much money cybercriminals gangs are making from ransomware attacks against businesses, government departments and hospitals:
“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals. My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”
Corporate ransomware victims would be required under the bill to report their ransom payment to the Department of Homeland Security, which would publish annually on a public website the total dollar amount of ransom payments that had been made.
Information related to the identity of the extortionists would not be published, so as not to interfere with ongoing investigations into ransomware gangs.
In order for the Ransom Disclosure Act to become law it will need to be approved by the US House of Representatives and Senate, before ultimately being signed off by President Joe Biden.
News of the Ransom Disclosure Act comes just weeks after at least one ransomware gang – the Ragnar Locker group – warned victims that they should not co-operate with law enforcement agencies after being attacked, or risk having their compromised data published immediately.
Once again we see a clear indication that cybercrime, and ransomware attacks in particular, have become a hot issue for politicians and law makers. Just this week the US Department of Justice announced that government contractors could be taken to court if they failed to report a security breach or failed to meet required standards for cybersecurity.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.