Proposed Bill Would Require Ransomware Victims to Disclose Ransom Amount

Sen. Elizabeth Warren, D-Mass., and Rep. Deborah Ross, D-N.C., introduced a bill last week that would require ransomware attack victims who paid a ransom demand to disclose to the federal government the amount paid to the threat actor. 

The bill, entitled the Ransom Disclosure Act, is designed to gather information on ransomware attacks which she believes will help the Department of Homeland Security formulate a better response to the ransomware threat facing the country. 

"Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals," Warren said in a statement. "My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises -- and help us go after them." 

Rep. Deborah Ross, D-N.C., and Sen. Elizabeth Warren, D-Mass. 

If passed, the bill would require: 

• That ransomware victims (excluding individuals) disclose information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom; 
• DHS to make public the information disclosed during the previous year, excluding identifying information about the entities that paid ransoms; 
• DHS to establish a website through which individuals can voluntarily report payment of ransoms;  
• Direct the Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks and provide recommendations for protecting information systems and strengthening cybersecurity. 

Ransomware by the Numbers

Warren cited FBI statistics for 2020 that said the agency received nearly 2,500 ransomware complaints that year, up 20% from 2019, and identified losses of over $29 million. 

Such payments have continued in 2021, with threat actors forcing several major corporations to pay a ransom.  

One of the more prominent attacks took place this summer when the DarkSide cyber gang infiltrated ransomware into Colonial Pipeline's network through an old VPN.  

The malware forced the company to shut down its fuel pipelines, pay a $4 million ransom and have the data of 5,800 current and former employees compromised. The FBI was able to recover $2.3 million by tracking the bitcoin payment to a wallet it controlled.  

Trustwave researchers stated in a blog post that there were 304 million attacks worldwide in 2020 alone, a 64% increase from 2019.  

The  official stance is it does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee that an organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity, the FBI said. 

Anne Neuberger, deputy national security adviser for cyber and emerging technology, noted during a conference earlier this year Federal government does not ban victims from paying ransoms. 

Trustwave's Recommendations for Ransomware Preparedness 

Trustwave has a variety of resources available to help in the case of an attack, along with several general proactive recommendations to help stave off an attack.  

Trustwave's Digital Forensics & Incident Response team can help identify the breach, measure its impact, secure evidence, and be your advisor in handling the press, employees, and law enforcement agencies, as well as, provide litigation support.  

To secure a network from ransomware Trustwave recommends: 

• Antivirus protection provides an essential layer of defense, despite being weaker and more outdated than other methods. Make sure it is updated and always on. 
• Patching is critical: Your vulnerable systems will be the first to be targeted, if not actively monitored and updated. 
• Invest in an application audit. Understanding what "normal" looks like for your applications will better alert you to what is deemed suspicious. While application whitelisting may cause reservations for some IT teams, if a company has a handle on what apps are running and required from a business standpoint, it helps security prioritize what is a true threat. Audits increase confidence to ensure there is important context surrounding what is whitelisted and any exceptions. 

Organizations also cannot forget the human factor when it comes to defending against ransomware. 

Ransomware often requires human action to be successful, which makes people the critical part of a ransomware attack. Many ransomware attacks start with phishing emails combined with exploit kits. So, it is critical for organizations of all sizes to educate their employees on cybersecurity hygiene, particularly how to recognize and avoid suspicious links and attachments. Doing so has been shown to help reduce the number of successful attacks. 

One way to bolster an employee’s ability to detect and avoid ransomware, according to Trustwave’s security researchers, is through an on-going security awareness training program that instructs staffers on what to avoid, such as clicking on unknown or suspicious links that appear in emails or attachments. And to report any potential attacks to the Information Security team for support.

Cybersecurity Awareness Month

Trustwave is supporting the 2021 Cybersecurity Awareness Month, which is sponsored by Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Cybersecurity Alliance (NCSA), with a series of blog posts and webinars.