A new US bill would force companies to disclose ransomware payments

A new proposed law would compel businesses in the U.S. to disclose any ransomware payments within 48 hours of the transaction.

The bicameral Ransom Disclosure Act, drafted by Sen. Elizabeth Warren and Rep. Deborah Ross, would mandate companies and organizations — though not individuals — to provide the U.S. Department of Homeland Security data on ransomware payments, including the amount and type of cryptocurrency demanded and the sum that was paid.

The bill aims to bolster the U.S. government’s understanding of how cybercriminal enterprises operate and help officials develop a fuller picture of the ransomware threat. While ransom payments are typically made in bitcoin, security experts say threat actors are increasingly moving towards “privacy coins,” such as Monero, which make it harder for investigators to trace where the money goes.


The Ransom Disclosure Act would also require Homeland Security to set up a website for organizations to voluntarily report payment of ransoms, as well as to share information disclosed during the previous year, excluding identifying information about the entities that paid up. Similar efforts by security researchers already exist.

Warren says these measures are needed due to the “skyrocketing” number of ransomware attacks; attacks rose by 158% in North America last year, and victims worldwide paid nearly $350 million in ransom — a more than 300% increase over 2019, data shows. What’s more, recent research found that ransom payments account for just 20% of the total cost of a ransomware attack, with businesses suffering the majority of their losses through lost productivity and post-attack recovery.

“We lack critical data to go after cybercriminals,” said Warren. “My bill with [Representative] Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”

It’s not the only tactic the U.S. is employing in a bid to crack down on ransomware.

Last month, for example, the Treasury Department issued first-of-its-kind sanctions against the cryptocurrency exchange Suex for its role in facilitating ransom payments, after finding that over 40% of its total transactions were associated with illicit activity. The Treasury also recently warned American companies that they are prohibited from paying threat actors based in countries subject to U.S. sanctions.