A new law has been proposed in the United States that would place new obligations on the shoulders of ransomware victims.
Submitted by Senator Elizabeth Warren and Congresswoman Deborah Ross, the Ransomware Disclosure Act would require businesses to disclose any ransom payments within 48 hours of the transaction.
If the proposal is turned into law, all ransomware victims “engaged in interstate commerce” will have to provide the Department of Homeland Security (DHS) with the ransom payment sum, the currency and any information they might know about the attackers.
The act would not require every ransomware victim to engage with the DHS, however; only those that choose to pay the ransom would have to report.
The ransomware dilemma
The main dilemma for every ransomware victim is to pay or not to pay. Often, the fastest way to recover from a ransomware attack is to give in to demands, but there is no guarantee systems will be restored and data returned as promised, and paying ransom fees only incentivizes further attacks.
On the other hand, businesses that choose not to engage with the criminals face significant losses from downtime, as well as reputational damage if the attacker loses patience and publishes their data online.
According to Senator Warren, the Ransomware Disclosure Act is designed to give the DHS the intelligence it needs to unpick this catch-22 and disrupt the economics of ransomware.
“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals. [The bill] would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises – and help us go after them,” said Warren.
Congresswoman Ross also expressed concerns about the scale and severity of the ransomware threat, and emphasized the importance of collaboration between private enterprise and the government in tackling the issue.
“Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions. The data this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation,” she said.