New US Bill Requires Ransomware Payment Disclosure

October 6, 2021
Proposed Ransom Disclosure Law in the U.S.

A new legislative proposal is being considered that would require U.S. businesses to report any ransomware payments made within 48 hours of the transaction occurring.

Details of the Ransom Disclosure Act

The Ransom Disclosure Act, spearheaded by Senator Elizabeth Warren and Representative Deborah Ross, would obligate companies and organizations – excluding individual citizens – to submit data regarding ransomware payments to the U.S. Department of Homeland Security.

This data would encompass the amount of the payment, the specific type of cryptocurrency demanded, and the final sum actually paid.

Aimed at Improving Threat Understanding

The primary goal of this bill is to enhance the U.S. government’s comprehension of how cybercriminal organizations function.

Officials hope to gain a more comprehensive understanding of the ransomware threat landscape through this increased data collection.

While Bitcoin is the most common form of payment, security professionals have observed a growing trend towards the use of “privacy coins,” like Monero, which complicate the process of tracing funds.

Reporting Mechanisms and Data Sharing

The Ransom Disclosure Act also mandates that Homeland Security establish a public website.

This website would serve as a platform for organizations to voluntarily report ransomware payments.

Furthermore, the department would be required to publish aggregated information from the previous year’s disclosures, excluding any details that could identify the entities making the payments.

Similar data collection initiatives are already being conducted by independent security researchers.

Rising Ransomware Attacks and Costs

Senator Warren emphasizes the necessity of these measures due to the “skyrocketing” incidence of ransomware attacks.

Data indicates a 158% increase in attacks across North America last year, with global victims paying nearly $350 million in ransom – a surge exceeding 300% compared to 2019.

Importantly, research reveals that ransom payments represent only 20% of the total cost associated with a ransomware attack.

The majority of financial losses stem from decreased productivity and the expenses related to post-attack recovery efforts.

Government Efforts to Combat Cybercrime

“We are currently lacking essential data needed to effectively pursue cybercriminals,” stated Warren.

“This bill, co-authored with Representative Ross, would establish reporting requirements for ransom payments, enabling us to determine the extent of funds being illicitly obtained from American entities to support criminal activities – and ultimately facilitate their prosecution.”

Additional Measures Being Taken

This legislation is just one component of the U.S. government’s broader strategy to combat ransomware.

Last month, the Treasury Department implemented unprecedented sanctions against the cryptocurrency exchange Suex.

These sanctions were issued due to Suex’s involvement in facilitating ransomware payments, with over 40% of its transactions linked to malicious activity.

The Treasury Department also recently cautioned U.S. companies against making payments to threat actors operating in countries subject to U.S. sanctions.