A new bill would require public and private entities to report on ransomware payments, including the nature of currency used, to DHS within 48 hours.
Key lawmakers praised recent actions administration officials have taken to crack down on perpetrators of ransomware attacks who use cryptocurrency exchanges to cover their tracks and want to know how they can help.
“It is reassuring that, despite the technical and diplomatic challenges posed by ransomware attacks, your departments have recognized the urgency of protecting our communities and infrastructure from ransomware attacks,” reads a letter the lawmakers sent Friday to the attorney general, and leaders of the departments of State, Treasury and Homeland Security. “What resources or authorities, if any, do your agencies need from Congress in order to better coordinate with partner nations on illicit activity facilitated through cryptocurrency exchanges or to seize ill-gotten virtual assets?”
The letter was signed by Sens. Edward Markey, D-Mass., and Sheldon Whitehouse, D-R.I., and Reps. Ted Lieu, D-Calif., and Jim Langevin, D-R.I. It cited a tremendous increase in both the number of ransomware attacks and the size of the ransoms paid to hackers over the last year and urged the department heads to better coordinate their activities to tackle the challenge posed by the use of cryptocurrencies which can provide a degree of anonymity to the transactions.
“In 2020 alone, the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) received reports of 2,474 ransomware attacks involving losses of over $29.1 million,” the letter reads. “This represents a 20% increase in reported ransomware incidents and a 225% increase in ransom amounts demanded by hackers since 2019.”
The lawmakers also noted data showing the vast majority of ransomware attacks—70% to 75%—go unreported. This is “often out of fear that reporting an attack will bring bad publicity and, for publicly traded businesses, negatively impact share price,” they said.
Various bills in Congress are attempting to change that by requiring entities to report cybersecurity incidents to the Department of Homeland Security.
On Tuesday, Sen. Elizabeth Warren, D-Mass., and Rep. Deborah Ross, D-N.C., introduced legislation that would require entities, including private companies and local governments, to report ransomware payments within 48 hours. It gives the DHS secretary the authority to decide on penalties for noncompliance.
On Wednesday, the Senate Homeland Security and Governmental Affairs Committee approved a bill—with an exemption for small businesses—that would require entities to report ransomware payments within 24 hours. That bill relies on subpoenas to enforce reports and provides companies with liability protections so their disclosures can’t be used in lawsuits against them.