In an effort to better understand and clamp down on the ransomware economy and its related use of cryptocurrencies, US Senator and past presidential hopeful Elizabeth Warren and US House Representative Deborah Ross introduced a new bill last week that would require companies and organizations to report any paid ransomware demands to the Secretary of the Department of Homeland Security.
“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” said Senator Warren in a prepared release. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises—and help us go after them.”
If passed, the “Ransom Disclosure Act” would require a broad set of companies, local governments, and nonprofits that actually pay off ransomware demands to report those payments to the government. Companies would need to report this information within 48 hours of paying a ransom.
Specifically, those affected by the bill would need to tell the Secretary of the Department of Homeland Security:
- The date on which such ransom was demanded
- The date on which such ransom was paid
- The amount of such ransom demanded
- The amount of such ransom paid
Companies would also need to disclose what currency they paid the ransom in, including whether the payment was made with any cryptocurrency. Companies would also have to offer “any known information regarding the identity of the actor demanding such ransom.”
The bill’s focus on cryptocurrencies acknowledges the technology’s core role in ransomware today: for years, it is likely that not a single large ransomware payment has been made in anything other than crypto. But this reliance on cryptocurrency finally seems to be catching up with ransomware criminals. While cryptocurrency offers reasonably good pseudonymity, it also leaves an extensive record of transactions, and international police are now excelling at following those records.
In June, the US Department of Justice announced that, after following a series of cryptocurrency transactions across cyberspace, it eventually retrieved much of the ransom that Colonial Pipeline paid to recover from its own ransomware attack in May. And earlier in October, Europol said it provided “crypto-tracing support” when the FBI, the French National Gendarmerie, and the Ukrainian National Police seized $375,000 in cash and another $1.3 million in cryptocurrencies during the related arrests of “two prolific ransomware operators known for their extortionate ransom demands (between €5 to €70 million).”
This work, while encouraging in the fight against ransomware, largely happens in the dark, as ransomware payments made by companies are still kept considerably private. The Ransom Disclosure Act, then, seeks to shine a light on that darkness to better aid the fight. Said US House Representative Ross:
“Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions.”
The Ransom Disclosure Act would also require the Secretary of Homeland Security to develop penalties for non-compliance and, one year after the passage of the bill, to publish on a public website a database of the ransom payments made in the year prior. That database must be accessible to the public, and it must include the “total dollar amount of ransoms paid” by companies, but the companies’ identifying information must be removed. The information gleaned from the incoming reports must also be packaged into a study by the Secretary of Homeland Security that specifically explores “the extent to which cryptocurrency has facilitated the kinds of attacks that resulted in the payment of ransoms by covered entities,” and the Secretary of Homeland Security must then present the findings of that study to Congress.
Finally, according to the bill, individuals who make ransomware payments after personally being hit with ransomware must also have a way to voluntarily report their information to the government if they so choose.