Ransomware law would require victims to disclose ransom payments within 48 hours

The Ransom Disclosure Act aims to provide better information about ransomware attacks to help counter a "skyrocketing" cyber-criminal threat.
Written by Danny Palmer, Senior Writer

Victims of ransomware attacks who choose to pay cyber criminals for the decryption key could have to disclose that a payment was made, and the details of it, to the US government within 48 hours of doing so. 

The Ransom Disclosure Act, proposed by US Senator Elizabeth Warren and Representative Deborah Ross, would require organisations that fall victim to ransomware attacks and pay the ransom to report details of the payment. 

Information that would have to be disclosed includes the amount of ransom demanded and paid, the type of currency used to pay the ransom (ransoms are commonly paid in cryptocurrency such as Bitcoin) and any known information about the attackers demanding the ransom. The information would have to be reported to the Department of Homeland Security (DHS) within 48 hours of the payment being made. 


The aim of the bill is to provide DHS with better information about ransomware attacks to help counter the threat they pose to businesses and other organisations across the United States. 

"Ransomware attacks are skyrocketing, yet we lack critical data to go after cyber criminals," said Senator Warren. "My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cyber criminals are siphoning from American entities to finance criminal enterprises – and help us go after them." 

The threat of ransomware has loomed large throughout this year, and several incidents have had a direct impact on people's daily lives. The Colonial Pipeline ransomware attack led to fuel shortages in the eastern United States as people rushed to stockpile gasoline; the company paid cyber criminals millions of dollars in order to get the decryption key.

Meat processor JBS USA paid an $11 million ransom to cyber criminals after falling victim to a ransomware attack in June. While the FBI discourages the payment of ransoms, many victims feel the need to pay, perceiving it as the quickest way to get the network up and running again.  

But even with the correct decryption key, restoring the network can still be a slow and arduous process.

Many victims are also coerced into paying because ransomware groups steal sensitive information from the network before encrypting it and threaten to leak the data if they're not paid. 

But it's precisely because victims regularly give in to extortion demands that ransomware remains so lucrative and attractive for cyber criminals.  

"Ransomware attacks are becoming more common every year, threatening our national security, economy, and critical infrastructure. Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cyber-criminal enterprises and counter these intrusions," said Congresswoman Ross. 


"The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation," she added. 

Currently, the Ransom Disclosure Act is only a proposal. To become law, it will have to be approved by both the House of Representatives and the Senate before it could be signed by President Biden. 
