US Lawmakers Propose Requirement To Report Ransomware Payments To DHS Within 48 Hours

I have argued for some time now that when it comes to ransomware gangs, if you make it unpalatable to pay the ransom, then the incentive to run these types of campaigns drops dramatically. This proposal got my attention. Victims of ransomware attacks would be required to report payments to their hackers within 48 hours under a proposal from Democratic Senator Elizabeth Warren and Democratic Representative Deborah Ross:

The Ransom Disclosure Act would give the Department of Homeland Security data on ransomware payments, including the amount of money demanded and paid, and the type of currency used. The lawmakers say this is essential to bolster the U.S. government’s understanding of how hackers operate and the extent of the ransomware threat. “Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” Warren said in a statement on Tuesday.

While this is a good first step, it isn’t enough. If I ruled the universe, I would make it illegal to pay the ransom either directly or through a third party used for plausible deniability. If you include jail time for any employee who authorizes a ransom payment on behalf of a company, or any third party that facilitates the payment, ransoms would stop. Think of it as the high-tech version of the “we don’t negotiate with terrorists” mantra, backed by jail time. Ransomware companies would have difficulty operating in such an environment, methinks.
