U.S. – Congress considers ban on large ransom payments without victims’ official consent
A U.S. lawmaker this week introduced a bill – the Ransomware and Financial Stability Act (H.R.5936) – that would prohibit financial firms from making ransom payments of more than $100,000 without first obtaining government approval.
The bill was introduced Wednesday by the ranking Republican on the House Financial Services Committee, Congressman Patrick McHenry of North Carolina.
A detailed report in “Threatpost” reveals that the experts have sharply divergent opinions. Background: “In 2020, ransomware payments totaling more than a billion dollars were extorted in the United States. Most notably, in May of this year, a Russian ransomware attack forced Colonial Pipeline to halt oil shipments to the eastern U.S. before the company could pay the hackers. As disruptive as that hack was, it pales in comparison to what would happen if America’s critical financial infrastructures were taken offline,” McHenry posited.
That, he said, is why he is introducing the Ransomware and Financial Stability Act of 2021. The goal, he said, is to “deter, defend against, and detect hackers” when they threaten financial institutions.
McHenry, according to “Threatpost”, did not cite a source for the $1 billion figure. But there is broad consensus that ransomware has skyrocketed. A recent report from the U.S. Treasury Department predicted that ransomware payments in 2021 could surpass the figures for the entire last decade.
One of McHenry’s selling points for the legislation is that it provides legal certainty for companies responding to attacks. The bill ensures that reports of ransomware attacks remain confidential. Any information an affected company provides to authorities may not be made public, although the government or courts are exempt from this provision.
In September, the Wall Street Journal published a discussion article with contributions from Michael Daniel, president and CEO of the Cyber Threat Alliance, who argued that banning ransomware profits is a no-brainer: “From a moral and political standpoint, the answer is clearly yes,” he wrote. “We should not treat ransomware as a cost of doing business in cyberspace. To accept such a situation would be akin to treating pirate tributes or bribes as a cost of international trade. We should adopt a broad, multi-layered strategy to combat ransomware, culminating in a ban on ransomware.”
Would a ban on ransomware drive payments underground, as some have argued?
No, he said, pointing to the results of a discussion on the issue by the Institute for Security and Technology’s Ransomware Task Force, which concluded that most companies would not make illegal payments because “most follow the rules.”
But the debate revealed other opinions from experts. For example, Maurice Turner, cybersecurity fellow at the Alliance for Securing Democracy, argued that paying a ransom could be cheaper than trying to restore systems after a ransomware attack.
“Time is money,” he stressed. “Sometimes it’s cheaper to pay a ransom than to withhold a ransom – and then be forced to painstakingly restore an IT system and recover data from backups. Companies are often faced with a decision that could drastically impact their business: Companies have seen criminals threaten to share or sell stolen data unless extortion payments are made.”
However, others countered that several studies have shown that paying a ransom is no guarantee that an affected company will get its data back. According to Sophos’ State of Ransomware 2021 report, only 8 percent of ransomware payers got their data back, while nearly a third – 29 percent – reported that they were unable to recover more than half of the encrypted data.
John Bambenek, senior threat hunter at Netenrich, a digital IT and security operations firm, compared the bill to the U.S. approach of not paying ransoms in kidnappings, which RAND says doesn’t work.
“When RAND looked at ransom payments in kidnappings, it found that there was no correlation between the U.S. not paying ransom and a decrease in kidnappings,” Bambenek told the media Thursday.
He called it a “very shallow economic notion” that trying (or even succeeding) to stop ransomware will have an impact on ransomware. “Assuming the Treasury would refuse to pay ransom, this law would tell companies that they have to bear the higher cost of recovery compared to paying ransom, which will only put further inflationary pressure on an already beleaguered economy,” he said.
The Digital Shadows Photon Research team put it all in perspective: the potential ban on paying for ransomware is “another part of the recent legislative push to crack down more on ransomware,” the team said in an email to Threatpost on Thursday.
“The proposed legislative changes could put financial firms in the extremely difficult position of either suffering the effects of a ransomware attack without the ability to negotiate, or breaking the law,” the team said. “However, banning ransomware payments of more than $100,000 would not necessarily deter financial firms from making ransomware payments. The cost of a ransomware attack does not come from the price of the ransom alone; downtime, recovery, and reputational damage could easily cost financial firms more than the proposed payment cap.”
The promise of confidentiality could take the sting out of the proposal while encouraging responsible disclosure, the team added.
“The recent push by Congress for more regulatory frameworks related to ransomware is not an attempt to ensure that no ransom is paid; rather, it is likely about providing guidance to businesses,” the team said. “The fact that the legislation currently only applies to financial firms indicates where the priority lies for policymakers and stakeholders.”
The Digital Shadows Photon Research team suggested that one possibility is that ransomware attackers could simply charge less than $100,000 or attack sectors that would not be affected by the proposed legislation.
“The bottom line is that ransomware operators will be emboldened by conducting their activities in ways that make them money. As long as victims pay, ransomware attacks will almost certainly continue,” it said.
“Threatpost” summed up: At this point, the bill apparently has neither cosponsors nor a Senate version. McHenry’s office had not responded to a request from “Threatpost” at the time of this article’s publication.