New Law Would Force Victims of Ransomware to Admit They Paid

A bill introduced in the United States would impose new responsibilities on ransomware victims.

The Ransomware Disclosure Act, introduced by Senator Elizabeth Warren and Congresswoman Deborah Ross, requires businesses to disclose any ransom payments within 48 hours following the transaction.

If the bill becomes law, all ransomware victims covered by the legislation, meaning those that “engage in interstate commerce”, will be required to provide the Department of Homeland Security (DHS) with the ransom payment amount, currency, and any information they may have about the attackers.

The measure does not demand that all ransomware victims communicate with DHS; only those

The problem of ransomware

The question for every ransomware victim is whether or not to pay up. The quickest way to recover from a ransomware attack is typically to comply with the demands, but there’s no assurance that systems will be restored and data returned as promised, and paying ransoms just encourages more attacks. On the other hand, companies that choose not to deal with criminals face significant losses in terms of downtime and reputation damage if the attacker loses patience and posts their data on the internet.

The Ransomware Disclosure Act, according to Senator Warren, is meant to provide the DHS with the information it needs to untangle this catch-22 and disrupt ransomware’s economics.

“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals. [The bill] would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises – and help us go after them,” said Warren.

Congresswoman Ross stressed the need for collaboration between the private sector and the government in combating ransomware, stating that she was “troubled by [the] magnitude and severity” of the problem.

“Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions. The data this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation,” she said.