The Ransom Disclosure Act: A step in the right direction


Breaking news! In the past 24 hours, US Senator Elizabeth Warren and Representative Deborah Ross have proposed a Ransom Disclosure Act which will require US organisations that become victims of attacks to disclose any ransomware payments made, as well as vital information on their attackers, within 48 hours of the transaction.

ExtraHop’s Vice President of Security Response Services, Mark Bowling, made the following comment:

“The 48 hour disclosure requirement is an important step in our ability to understand the scope of and combat the advanced extortionate threat known as ransomware. Right now, we almost certainly vastly underestimate the scope of the problem because victims of ransomware attacks have no reason to disclose the information. Disclosure to US authorities is a critical first step, but it’s not enough. If the victim organization happens to be part of critical infrastructure, then they should also be required to report the attack and subsequent payment to any associated departments that have regulatory authority or interest over that infrastructure. If the ransom disclosures are subject to FOIPA, the bill should also require that companies provide notice to shareholders and to their board of directors. Finally, even if individual ransom payments are not subject to public disclosure via FOIPA, the government should be required to report aggregate data about ransom attacks and payments to Congress, the GAO, and other interested parties.”