Organisations who find their networks hit by a ransomware attack may soon have to disclose within 48 hours any payments to their extortionists.

That’s the intention of the Ransom Disclosure Act, a new bill proposed by US Senator Elizabeth Warren and Representative Deborah Ross.

Ransomware victims are not currently required to report attacks or ransom payments to federal authorities, but the new bill would require all ransomware victims (excluding individuals) to disclose the following information within 48 hours of a ransom payment:

• The date on which the ransom was demanded.
• The date on which the ransom was paid.
• The amount of ransom demanded.
• The amount of ransom paid.
• The currency used to make the payment (including type of cryptocurrency, if cryptocurrency was used).
• Whether the organisation that paid the ransom receives Federal funds.
• Any known information regarding the identity of the extortionist.

According to Warren, the legislation will help to collect data about ransomware attacks, and help to identify just how much money cybercriminals gangs are making from ransomware attacks against businesses, government departments and hospitals:

“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals. My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”

Corporate ransomware victims would be required under the bill to report their ransom payment to the Department of Homeland Security, which would publish annually on a public website the total dollar amount of ransom payments that had been made.

Information related to the identity of the extortionists would not be published, so as not to interfere with ongoing investigations into ransomware gangs.

In order for the Ransom Disclosure Act to (Read more...)