Businesses Could Soon Have to Disclose Ransomware Payouts

Senator Elizabeth Warren of Massachusetts and Representative Deborah Ross of North Carolina announced today in a press release the introduction of the Ransom Disclosure Act, which would require businesses that fall victim to ransomware attacks to disclose information regarding payments.

Under this law, victims of attacks would be required to report information regarding the amount paid, the currency of payment and any information on the entity demanding the ransom to the Department of Homeland Security (DHS) within 48 hours of payment.

Through the passage of this bill, Warren and Ross said that DHS will receive data on ransomware payments that will bolster its understanding of how cybercriminal enterprises operate.

"Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals," Warren said in the release. "My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises—and help us go after them."

The Ransom Disclosure Act requires victims of cybersecurity hacks to give the DHS information about ransom payments. Above, a hacker with an Anonymous mask on his face and a hood on his head uses a computer on December 27, 2019, in Paris, France. Photo by Chesnot/Getty Images

According to data gathered by the cybersecurity firm SonicWall included in the press release, ransomware attacks jumped by 62 percent worldwide and 158 percent in North America between 2019 and 2020. The FBI received roughly 2,500 ransomware complaints in 2020, up 20 percent from the total recorded in 2019.

The scope and frequency of these attacks have a detrimental effect on these companies and the larger American economy. Not only can attacks shut down agencies providing critical services, but in 2020, these attacks resulted in a loss of over $29 million, according to the SonicWall report.

While the bill's primary focus is requiring victims to report ransom payments to DHS, it would also implement three other requirements.

First, DHS would have to make public the information it gathers on attacks, excluding identifying information of the entities involved. It would also require DHS through which victims can report payment of ransoms. And third, it would direct the DHS secretary to conduct a study on commonalities between attacks and on the role of cryptocurrencies within them.

"Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions," Ross said. "The U.S. cannot continue to fight ransomware attacks with one hand tied behind our back. The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation."