A new bill introduced by Senator Elizabeth Warren and Representative Deborah Ross, the “Ransom Disclosure Act,” would require ransomware victims to disclose ransom payments within 48 hours of payment — including the amount of ransom demanded and paid the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom.

The bill would provide the Department of Homeland Security (DHS) with critical data on ransomware payments to bolster understanding of how cybercriminal enterprises operate and develop a fuller picture of the ransomware threat.

The number of ransomware attacks nearly doubled in the first half of 2021, according to Cognyte research, with 1,097 organizations hit by ransomware attacks in the first half of 2021. In contrast, Cognyte’s 2020 report found 1,112 ransomware attacks for the entire year.

ThycoticCentrify research also suggests that the number of ransomware victim organizations that pay the ransomware is more than reported or expected, says Bill O’Neill, Vice President of Public Sector at ThycoticCentrify. O’Neill adds, “The proposed bill could be an encouraging step in removing the stigma of being a cybersecurity attack victim, helping those businesses realize that they are not alone, and availing them to resources that can help them shore up their cybersecurity defenses to avoid future costly incidents.”

In addition, the bill would:

  • Require DHS to make public the information disclosed during the previous year, excluding identifying information about the entities that paid ransoms;
  • Require DHS to establish a website through which individuals can voluntarily report payment of ransoms; 
  • Direct the Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated the attacks and provide recommendations for protecting information systems and strengthening cybersecurity.

While studying and facilitating the voluntary reporting of ransomware payments, both sound to be well within reasonable bounds, Tim Wade, Technical Director, CTO Team at Vectra, says he questions the prudence of compelling non-voluntary disclosure by private parties who determine that such disclosure is not in their best interests or the best interests of their stakeholders and shareholders. Wade adds, “Such actions would appear to weaken some standards of privacy, fairness and liberty with respect to individual protections and the choices individuals may make concerning their best interests within their rights.”

And, while ransomware is on the rise and becoming an increasing threat vector, says Kevin Dunne, President at Pathlock, not much is known about where these attacks are coming from, besides that, they often originate from countries with strained relationships with the U.S. government. 

“To provide a fighting chance against these ransomware attacks, the U.S. federal government is looking to require disclosure of ransomware attacks,” Dunne says. “Right now, victims of these attacks are often embarrassed and shy to release details about the attack for fear of future attacks, reputational brand damage, or other business reasons. However, disclosure of this information is vital for the government to understand: 

  1. Who is conducting these attacks? And who is the ransom going to?
  2. What data are these attackers after? And where are they distributing it, once they get it?
  3. Where are these attacks coming from? And where is the ransom going to?
  4. Why are these attacks happening?
  5. How are attackers accessing these systems and networks?
  6. When are these attacks happening?

“Government and private collaboration are critical to creating a united front against ransomware attacks. While admitting a ransomware attack is a sensitive subject for many organizations, stemming the rising tide of these ransomware attacks can only happen when the government can operate off complete information.”