[BreachExchange] Congress Mulls Ban on Big Ransom Payouts Unless Victims Get Official Say-So

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Nov 12 09:09:03 EST 2021


https://threatpost.com/congress-ban-ransomware-payouts/176213/


A bill introduced this week would regulate ransomware response by the
country’s critical financial sector.

A U.S. lawmaker has introduced a bill – the Ransomware and Financial
Stability Act (H.R.5936) (PDF) – that would make it illegal for financial
firms to pay ransoms over $100,000 without first getting the government’s
permission.

The legislation was introduced on Wednesday by the top Republican on the
House Financial Services Committee, North Carolina Congressman Patrick
McHenry.

“Ransomware payments in the U.S. have totaled more than $1 billion since
2020. Most notably, this past May, a Russian ransomware attack forced
Colonial Pipeline to shut down oil supplies to the eastern United States
before the company paid hackers. As disruptive as this hack was, it pales
in comparison to what would happen if America’s critical financial
infrastructure were to be taken offline,” he said.

“That’s why I’m introducing the Ransomware and Financial Stability Act of
2021. This bill will help deter, deny and track down hackers who threaten
the financial institutions that make the day-to-day economic activity
possible. The legislation will also provide long-overdue clarity for
financial institutions that look to Congress for rules of the road as
ransomware hacks intensify.”

McHenry didn’t cite the source of the $1 billion figure. His office hadn’t
returned Threatpost’s call by the time this article was published, but
we’ll update the article if we do hear back.

At any rate, there’s plentiful consensus around the fact that ransom
payments have spiked: For one, a recent report (PDF) from the U.S. Treasury
predicted that ransomware payments for 2021 could top the tally for the
entire past decade.

A Roadmap for Financial Firms that Get Attacked

The bill is limited to the financial sector, including large securities
exchanges and certain technology providers whose services banks run on.

It would do a few things:

- If passed, the bill will require financial institutions to notify the
  Treasury’s Financial Crimes Enforcement Network before making a ransomware
  payment.

- It would also disallow victimized financial outfits from paying ransom in
  excess of $100,000 unless they get the go-ahead – a Ransomware Payment
  Authorization – either from law enforcement or from the President if he/she
  determines that it’s in the country’s national interest.

One of McHenry’s selling points for the legislation is that it would
provide legal clarity for firms when responding to attacks.

The bill ensures that reports of ransomware attacks would stay
confidential. Whatever information a victimized firm were to provide to
authorities would be barred from being made publicly available, though the
government or the courts are exempted from that stipulation.

Yes, Big Ransomware Payments Should Be Verboten

In September, the Wall Street Journal ran a debate article featuring input
from Michael Daniel – president and chief executive of the Cyber Threat
Alliance – who argued that outlawing ransom profits is a no-brainer: “From
a moral and political standpoint, the answer is clearly yes,” he wrote. “We
should not treat ransoms as a cost of doing business in cyberspace.
Accepting such a situation would be analogous to treating pirate tributes
or bribe payments as a cost of international trade. We should institute a
broad, multifaceted counter-ransomware strategy—that culminates in ransom
bans.”

Would ransom bans drive payments underground, as some have argued?

No, he said, pointing to the results of a discussion on the topic from the
Institute for Security and Technology’s Ransomware Task Force, which
concluded that most companies wouldn’t make illegal payments because “most
follow the rules.”

“If they didn’t, why fight government regulations so hard?” Daniel asked.

Archie Agarwal, Founder and CEO at automated threat-modeling provider
ThreatModeler, told Threatpost on Thursday that he can see the rationale
for the bill, and he thinks that the financial industry won’t have any
problem complying if it passes.

“Ransomware is rampaging into a national security threat, and as ransomware
gangs become wealthy due to payments, they are further professionalizing
and using their ill-gotten gains to fund faster weaponization of exploits
and to buy zero-days off the shelf to gain entry for their next round of
ransomware,” he said via email.

“Many of us still remember a world in financial meltdown, and the U.S.
government knows this could happen again if one of the financial behemoths
is crippled through ransomware. If the incident became publicly known, fear
could take hold in financial markets causing seismic global problems,”
Agarwal continued. “The U.S. government is sending a message to ransomware
groups that attacks on the financial sector will involve a government
response, and recent commentary has noted growing fear of capture in their
ranks. Financial institutions are already heavily regulated and so they
will not be shocked by this development and will be compliant.”

No, the Decision to Pay Should Be Up to Victims

Also weighing in on the debate in the WSJ was Maurice Turner, cybersecurity
fellow at the Alliance for Securing Democracy, who argued that paying
ransom can be cheaper than trying to rebuild systems after a ransomware
attack.

“Time is money,” he wrote. “Sometimes paying a ransom is less expensive
than withholding one — and being forced to laboriously rebuild an IT system
and restore data from backups. And companies often face a choice that could
drastically affect their business: Companies have seen criminals threaten
to leak or sell stolen data if extortion payments aren’t made.”

It’s worth noting that research has shown that paying ransom doesn’t
guarantee that a victimized entity will get its data back. According to
Sophos’ State of Ransomware 2021 report, only 8 percent of ransom-payers
got all their data back, while nearly a third – 29 percent – reported that
they couldn’t recover more than half the encrypted data.

Though he wrote for the WSJ back in September, before McHenry’s
introduction of H.R.5936, Turner offered input that’s relevant to the newly
proposed bill: namely, about the cap of $100,000 that triggers the need to
get permission to pay ransom.

Anything less than that is a tax write-off, he noted: “Today, ransom
payments of any amount can be claimed as a deductible expense for tax
purposes,” he wrote. “The Treasury Department could limit this amount to,
say, as little as $100,000—which would serve to bring down ransom demands.”

A ‘Superficial Economic Notion’

John Bambenek, principal threat hunter at digital IT and security
operations company Netenrich, has a different take. He compared the bill to
the United States’ no-concession approach to paying ransoms in the case of
kidnappings, which RAND has found (PDF) doesn’t work.

“When RAND looked at ransom payments in kidnappings, it found there is no
correlation of a reduction in kidnapping based on the U.S.’s no-concession
approach to ransoms,” Bambenek told Threatpost on Thursday.

He called it a “very superficial economic notion” that trying (or even
succeeding) at stopping ransom payments will have an effect on ransomware.
“What this bill does, assuming Treasury [ever] does deny paying ransoms, is
[tell] businesses that they have to absorb the higher cost of recovery
versus paying ransoms, which just [means] there is one more inflationary
pressure on an already shaking economy.”

Part of a Legislative Trend

The Digital Shadows Photon Research Team put it all in perspective: The
potential ban on paying big ransomware is “yet another part of the recent
legislative push towards a stronger foothold on ransomware,” the team said
in an email to Threatpost on Thursday.

“The proposed legislative changes could leave financial firms in an
extremely difficult position of either suffering the effects of a
ransomware attack without any option to negotiate, or breaking the law,”
the team said. “Banning financial firms from making ransomware payments of
more than $100,000 would not necessarily deter them from paying ransoms,
however. The cost of a ransomware attack is not from the price of a ransom
alone; downtime, recovery and reputational loss could easily cost financial
firms over the proposed payment ceiling.”

The promise of confidentiality could take the sting out of the proposal
while encouraging responsible disclosure, the team added.

“Congress’ recent push for more legislative framework surrounding
ransomware is not an attempt to ensure ransoms are not paid; rather, it is
more likely motivated by providing firms with guidance,” the team said.
“The fact that the legislation only currently applies to financial firms
indicates where the priority is for policy-makers and stakeholders.”

The Digital Shadows Photon Research Team suggested that one possibility is
that ransomware attackers simply demand less than $100,000, or attack
sectors that would be unaffected by the proposed legislation.

“The bottom line is that ransomware operators will be encouraged by
conducting their activity in whatever way makes them money. As long as
victims pay, ransomware attacks will almost certainly continue,” it said.

At this point, the bill, apparently, has neither co-sponsors nor a Senate
version. McHenry’s office hadn’t responded to an inquiry from Threatpost by
the time this story was posted.