
US Congress Considers Ban on Big Cyber Ransom Pay-Outs!


A bill introduced in the US this week would regulate ransomware response by the country’s critical financial sector.

A US lawmaker has introduced a bill – the Ransomware & Financial Stability Act (H.R.5936) (PDF) – that would make it illegal for financial firms to pay ransoms over $100k without first getting the govt.’s permission.

Top Republican

The legislation was introduced on Wed. by the top Republican on the US House Financial Services Committee, N. Carolina Congressman Patrick McHenry.

“Ransomware payments in the US have totalled more than $1b since 2020. Most notably, this past May, a Russian ransomware attack forced Colonial Pipeline to shut down oil supplies to the eastern US before the company paid hackers.

As disruptive as this hack was, it is insignificant in comparison to what would happen if America’s critical financial infrastructure were to be taken offline,” he said.

Ransomware & Financial Stability Act

“That’s why I’m introducing the Ransomware & Financial Stability Act of 2021. This bill will help deter, deny & track down hackers who threaten the financial institutions that make the day-to-day economic activity possible.

The legislation will also provide long-overdue clarity for financial institutions that look to Congress for rules of the road as ransomware hacks intensify.”

McHenry did not cite the source of the $1b figure.

There is broad consensus that ransom payments have increased: a recent report (PDF) from the US Treasury predicted that ransomware payments for 2021 could exceed the total for the entire past decade.

A Roadmap for Financial Firms

The US bill is limited to the financial sector, including large securities exchanges and certain technology providers whose services banks run on.

It would do a few things:

  1. If passed, the bill will require financial institutions to notify the Treasury’s Financial Crimes Enforcement Network before making a ransomware payment.
  2. It would also disallow victimised financial outfits from paying ransom in excess of $100k unless they get permission – a Ransomware Payment Authorisation – either from law enforcement or from the President if he/she determines that it is in the US’s national interest.

Legal Clarity

One of McHenry’s main points for the legislation is that it would provide legal clarity for firms when responding to attacks.

The bill ensures that reports of ransomware attacks would stay confidential. Whatever information a victimised firm were to provide to authorities would be barred from being made publicly available, though the govt. or the courts are exempted from that stipulation.

Big Ransomware Payments Should Be Forbidden

In Sept., the Wall Street Journal ran a debate article featuring input from Michael Daniel, President & CEO of the Cyber Threat Alliance – who argued that outlawing ransom profits is a no-brainer: “From a moral & political standpoint, the answer is clearly yes,” he wrote.

“We should not treat ransoms as a cost of doing business in cyber-space. Accepting such a situation would be analogous to treating pirate tributes or bribe payments as a cost of international trade. We should institute a broad, multifaceted counter-ransomware strategy—that culminates in ransom bans.”

Drive Payments Underground

Would ransom bans drive payments underground, as some have argued?

No, he stated, pointing to the results of a discussion on the topic from the US Institute for Security & Technology’s Ransomware Task Force, which concluded that most companies wouldn’t make illegal payments, because “most follow the rules.”

“If they didn’t, why fight govt. regulations so hard?” Daniel asked.

Archie Agarwal, Founder and CEO at automated threat-modelling provider Threat Modeler, explained that he can see the rationale for the bill, & he thinks that the financial industry will not have any problem complying if it passes.

National Security Threat

“Ransomware is rampaging into a national security threat, & as ransomware gangs become wealthy due to payments, they are further professionalising & using their ill-gotten gains to fund faster weaponization of exploits & to buy zero-days off the shelf to gain entry for their next round of ransomware,” he observed.

“Many of us still remember a world in financial meltdown, & the US Govt. knows this could happen again if one of the financial behemoths is crippled through ransomware.

Publicly Known

If the incident became publicly known, fear could take hold in financial markets causing seismic global problems,” Agarwal continued.

“The U.S. Govt. is sending a message to ransomware groups that attacks on the financial sector will involve a govt. response, & recent commentary has noted growing fear of capture in their ranks.

Financial institutions are already heavily regulated & so they will not be shocked by this development & will be compliant.”

Decision to Pay Should Be the Victim’s

Also entering the debate in the WSJ was Maurice Turner, Cyber-Security Fellow at the US Alliance for Securing Democracy, who argued that paying ransom can be cheaper than trying to rebuild systems after a ransomware attack.

“Time is money,” he wrote.

“Sometimes paying a ransom is less expensive than withholding one & being forced to laboriously rebuild an IT system & restore data from backups. Companies often face a choice that could drastically affect their business: Companies have seen criminals threaten to leak or sell stolen data if extortion payments aren’t made.”

No Guarantee

Note that research has shown that paying ransom does not guarantee that a victimised entity will get its data back. According to Sophos’ State of Ransomware 2021 report, only 8% of ransom-payers got all their data back, while nearly a 3rd – 29% – reported that they couldn’t recover more than half the encrypted data.

Though he wrote for the WSJ in Sept., before McHenry introduced H.R.5936, Turner offered input that is relevant to the new bill: specifically, about the $100k cap that triggers the need to get permission to pay a ransom.

Anything less is a tax write-off, he noted: “Today, ransom payments of any amount can be claimed as a deductible expense for tax purposes,” he wrote. “The US Treasury Department could limit this amount to, say, as little as $100k—which would serve to bring down ransom demands.”

‘Superficial Economic Notion’

John Bambenek, Principal Threat Hunter at digital IT & security operations company Netenrich, has a different take. He compared the bill to the US no-concession approach to paying ransoms in the case of kidnappings, which RAND has found (PDF) doesn’t work.

“When RAND looked at ransom payments in kidnappings, it found there is no correlation of a reduction in kidnapping based on the US’s no-concession approach to ransoms,” Bambenek outlined.

He called it a “very superficial economic notion” that trying (or even succeeding) at stopping ransom payments will have an effect on ransomware.

“What this bill does, assuming Treasury ever does deny paying ransoms, is telling businesses that they have to absorb the higher cost of recovery versus paying ransoms, which just means there is 1 more inflationary pressure on an already shaking economy.”

Legislative Trend

The Digital Shadows Photon Research Team put it all in perspective: the potential ban on paying big ransoms is “yet another part of the recent legislative push towards a stronger foothold on ransomware,” the team explained.

“The proposed legislative changes could leave financial firms in an extremely difficult position of either suffering the effects of a ransomware attack without any option to negotiate, or breaking the law,” the team stated.

Not Necessarily Deter

“Banning financial firms from making ransomware payments of more than $100k would not necessarily deter them from paying ransoms, however.

The cost of a ransomware attack is not from the price of a ransom alone; downtime, recovery & reputational loss could easily cost financial firms over the proposed payment ceiling.”

The promise of confidentiality could take the sting out of the proposal while encouraging responsible disclosure, the team added.

Legislative Framework

“The US Congress’ recent push for more legislative framework surrounding ransomware is not an attempt to ensure ransoms are not paid; rather, it is more likely motivated by providing firms with guidance,” the team outlined.

“The fact that the legislation only currently applies to financial firms indicates where the priority is for policy-makers & stakeholders.”

Unaffected by the Proposed Legislation

The Digital Shadows Photon Research Team suggested that one possibility is that ransomware attackers simply demand less than $100k, or attack sectors that would be unaffected by the proposed legislation.

“The bottom line is that ransomware operators will be encouraged by conducting their activity in whatever way makes them money. As long as victims pay, ransomware attacks will almost certainly continue,” it stated.

At this point, the bill appears to have neither co-sponsors nor a companion version in the US Senate.
