US Lawmakers Propose Requirement To Report Ransomware Payments To DHS Within 48 Hours

I have argued for some time now that when it comes to ransomware gangs, if you make it unpalatable to pay the ransom, then the incentive to run these types of campaigns drops dramatically. This this proposal got my attention. Victims of ransomware attacks would be required to report payments to their hackers within 48 hours under a proposal from Democratic Senator Elizabeth Warren and Democratic Representative Deborah Ross:

The Ransom Disclosure Act would give the Department of Homeland Security data on ransomware payments, including the amount of money demanded and paid, and the type of currency used. The lawmakers say this is essential to bolster the U.S. government’s understanding of how hackers operate and the extent of the ransomware threat. “Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” Warren said in a statement on Tuesday.

While this is a good first step, it isn’t enough. If I ruled the universe, I would make it illegal to pay the ransom either directly or through a third party for plausible deniability reasons. If you include jail time for any employee that authorizes ransom payment on behalf of a company, or any third party that facilitates the payment, ransoms would stop. Think of it as the high tech version of “we don’t negotiate with terrorists” mantra backed by jail time. Ransomware companies would have difficulty operating in such an environment methinks.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: