States weigh bans on ransomware payoffs — GCN

As ransomware attacks continue to wreak havoc on police departments, school districts and city and county governments, some state legislators say they’ve had enough.

At least three states—New York, North Carolina and Pennsylvania—are considering legislation that would ban state and local government agencies from paying ransom if they’re attacked by cybercriminals. A similar bill in Texas died in committee earlier this year.

Prohibiting ransom payments would help deter attacks because cybercriminals would know they couldn’t get paid and would have no financial incentive, the legislators say.

“If criminals know that Pennsylvania will not pay ransom, we are going to make ourselves a less likely target for these types of attacks,” said Republican state Sen. Kristin Phillips-Hill, who is sponsoring a no-ransom bill. “Our citizens’ personal information is on the line. We have to do everything we can to protect them.”

But some cybersecurity experts say that while banning ransom payments may be well-intentioned, it’s a bad idea because local governments, particularly smaller ones, may not be able to restore or rebuild their computer networks quickly. That could prove even more costly and disruptive than paying a ransom.

“Extortion is always wrong. It’s bad. But this way, you’re punishing the victim,” said Dan Lohrmann, chief security officer for Security Mentor, a national cybersecurity training firm that works with states. “I think it could end up causing more harm than good.”

Ransomware typically spreads through phishing, in which hackers email malicious links or attachments and people unwittingly click on them. Malware then hijacks the victim’s computer system and holds it hostage until the victim either pays a ransom, usually with the cryptocurrency bitcoin, or restores the system on their own.

In recent months, the fallout from ransomware attacks has received widespread public attention. In May, the Colonial Pipeline shutdown sparked panic buying and gas shortages along the East Coast. The company paid more than $4 million to recover its stolen data. In June, JBS, the world’s largest meat processing company, paid an $11 million ransom after it was forced to halt operations at its U.S. plants.

Last week, the Biden administration announced the creation of a multiagency task force to combat ransomware and launched a new website to help companies and government agencies better protect themselves.

Hackers frequently take aim at state and local governments. In 2020, at least 113 state and local governments were affected, according to Brett Callow, a threat analyst for cybersecurity company Emsisoft. Nearly 1,700 schools, colleges and universities also were struck.

Hackers have shut down courts, disrupted 911 systems and prevented police officers from checking suspects’ criminal histories during traffic stops. They have taken down government websites and prevented residents from paying utility bills or renewing city licenses.

For years, hackers typically didn’t steal the ransomed data or make it public. But now, many are downloading files and threatening to release sensitive information as additional leverage if they don’t get paid.

Some have made good on that threat.

In May, for example, the city of Tulsa, Oklahoma, was hit by a ransomware attack in which cybercriminals later posted more than 18,000 files, mostly police citations and internal department files, on the dark web. Hackers got access to more than two dozen people’s Social Security numbers. City officials, who refused to pay ransom, had to shut down part of Tulsa’s computer network and said it could be months before it is fully restored.

The FBI “does not support” paying a ransom in response to an attack. Nor does the federal Cybersecurity and Infrastructure Security Agency, which strongly discourages it.

“Paying ransoms only encourages this malicious activity,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in an emailed statement to Stateline. “Further, paying a ransom provides no assurance that the victim’s data will be restored.”

State bans

The North Carolina House was the first state legislative chamber to pass a no-ransom bill. The House approved the measure 114-0 in May, and it is now in a Senate committee.

The bill would bar any state agency or local government entity from paying ransom in a cyberattack.

“The main objective is to take a target off of North Carolina’s back,” said Republican state Rep. Jake Johnson, one of the bill’s primary sponsors. “We’re saying we cannot negotiate with you. It’s not legal for us to pay anything. You need to stay away from North Carolina.”

Johnson, who chairs the House Information Technology Appropriations Committee, is also proposing that lawmakers allocate an additional $15 million to help state and local agencies beef up their cybersecurity.

“If you think of a small county, they don’t have the capital to go out and hire big firms to do their cybersecurity,” he said. “My vision is we would have grants set up that would help counties and local governments that need it.”

In Pennsylvania, legislators are considering a broader ransomware bill that would make possessing, using or transferring ransomware a criminal offense, ranging from a first-degree misdemeanor to a first-degree felony, depending on the ransom amount. While these actions could fall under a more general computer crime state statute, the bill would make it a specific offense and increase the maximum penalty.
