Democrats propose law to mandate disclosure of ransomware payments by US companies

American companies targeted by ransomware attacks would be required to disclose payments made in connection with those incidents under a new law proposed in Congress.

Introduced by Senator Elizabeth Warren (D-MA) and Representative Deborah Ross (D-NC), the Ransom Disclosure Act would, per an announcement from earlier this week:

"[R]equire ransomware victims (excluding individuals) to disclose information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom."

Additionally, the bill proposes that the U.S. Department of Homeland Security be required to make disclosure information available on an annual basis, though no identifying information about the payees would be disclosed. DHS leadership would also establish a web portal for voluntary disclosure and prepare a study "on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks and provide recommendations for protecting information systems and strengthening cybersecurity."

"Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals. My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises -- and help us go after them," Warren said in a statement.

Ransomware as a cybersecurity challenge has taken on greater prominence over the course of 2021, with the Biden White House as well as Congress pushing for action in this area. Cryptocurrency as a payment method for such attacks has come under scrutiny, as reflected in the bill's requirement that the DHS study examine the extent to which cryptocurrency facilitated the reported attacks.

A new cryptocurrency-focused team announced Wednesday by the Department of Justice is focused in part on "tracing and recovery of assets lost to fraud and extortion, including cryptocurrency payments to ransomware groups."