Ransom Disclosure Act: US bill mandates organizations to report ransomware payments
11 October 2021 at 14:02 UTC
Updated: 11 October 2021 at 14:03 UTC
Newly proposed law hopes to further understanding of cybercrime landscape
US Senator Elizabeth Warren has proposed a new piece of legislation that will force organizations to disclose when and how much they have paid to ransomware gangs.
Last week, together with Representative Deborah Ross, Warren announced the Ransom Disclosure Act, which aims to provide the Department of Homeland Security (DHS) with critical data on ransomware payments in order to “bolster our [the government’s] understanding of how cybercriminal enterprises operate and develop a fuller picture of the ransomware threat”.
Warren said the reporting of ransomware payouts will help the government “to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises – and help us go after them”.
If passed, the bill would require ransomware victims (excluding individuals) to disclose information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom.
It will require the DHS to publicly report the information disclosed during the previous year, excluding identifying information about the entities that paid ransoms, and to establish a website through which individuals can voluntarily report payment of ransoms.
The law will also mandate the Secretary of Homeland Security to carry out a study focused on finding patterns among ransomware attacks and the extent to which cryptocurrency facilitated these attacks, and to provide recommendations for protecting information systems and strengthening cybersecurity.
A news release from Warren’s team noted the rising frequency of ransomware attacks across the nation.
The release said that ransomware attacks rose by 158% in North America between 2019 and 2020.
In 2020, it reported, the FBI received nearly 2,500 ransomware complaints, up 20% from 2019, with identified losses of over $29 million.
This is evidenced by the increasing number of ransomware attacks impacting predominantly the healthcare, education, and critical infrastructure industries in the US.