A U.S. lawmaker has introduced a bill – the Ransomware and Financial Stability Act (H.R.5936) (PDF) – that would make it illegal for financial firms to pay ransoms over $100,000 without first getting the government’s permission.
The legislation was introduced on Wednesday by the top Republican on the House Financial Services Committee, North Carolina Congressman Patrick McHenry.
“Ransomware payments in the U.S. have totaled more than $1 billion since 2020. Most notably, this past May, a Russian ransomware attack forced Colonial Pipeline to shut down oil supplies to the eastern United States before the company paid hackers. As disruptive as this hack was, it pales in comparison to what would happen if America’s critical financial infrastructure were to be taken offline,” he said.
“That’s why I’m introducing the Ransomware and Financial Stability Act of 2021. This bill will help deter, deny and track down hackers who threaten the financial institutions that make the day-to-day economic activity possible. The legislation will also provide long-overdue clarity for financial institutions that look to Congress for rules of the road as ransomware hacks intensify.”
McHenry didn’t cite the source of the $1 billion figure. His office hadn’t returned Threatpost’s call by the time this article was published, but we’ll update the article if we do hear back.
At any rate, there’s plentiful consensus around the fact that ransom payments have spiked: For one, a recent report (PDF) from the U.S. Treasury predicted that ransomware payments for 2021 could top the tally for the entire past decade.
A Roadmap for Financial Firms that Get Attacked
The bill is limited to the financial sector, including large securities exchanges and certain technology providers whose services banks run on.
It would do a few things:
- If passed, the bill will require financial institutions to notify the Treasury’s Financial Crimes Enforcement Network before making a ransomware payment.
- It would also disallow victimized financial outfits from paying ransom in excess of $100,000 unless they get the go-ahead – a Ransomware Payment Authorization – either from law enforcement or from the President if he/she determines that it’s in the country’s national interest.
One of McHenry’s selling points for the legislation is that it would provide legal clarity for firms when responding to attacks.
The bill ensures that reports of ransomware attacks would stay confidential. Whatever information a victimized firm were to provide to authorities would be barred from being made publicly available, though the government or the courts are exempted from that stipulation.
Yes, Big Ransomware Payments Should Be Verboten
In September, the Wall Street Journal ran a debate article featuring input from Michael Daniel – president and chief executive of the Cyber Threat Alliance – who argued that outlawing ransom profits is a no-brainer: “From a moral and political standpoint, the answer is clearly yes,” he wrote. “We should not treat ransoms as a cost of doing business in cyberspace. Accepting such a situation would be analogous to treating pirate tributes or bribe payments as a cost of international trade. We should institute a broad, multifaceted counter-ransomware strategy—that culminates in ransom bans.”
Would ransom bans drive payments underground, as some have argued?
No, he said, pointing to the results of a discussion on the topic from the Institute for Security and Technology’s Ransomware Task Force, which concluded that most companies wouldn’t make illegal payments because “most follow the rules.”
“If they didn’t, why fight government regulations so hard?” Daniel asked.
Archie Agarwal, Founder and CEO at automated threat-modeling provider ThreatModeler, told Threatpost on Thursday that he can see the rationale for the bill, and he thinks that the financial industry won’t have any problem complying if it passes.
“Ransomware is rampaging into a national security threat, and as ransomware gangs become wealthy due to payments, they are further professionalizing and using their ill gotten gains to fund faster weaponization of exploits and to buy zero-days off the shelf to gain entry for their next round of ransomware,” he said via email.
“Many of us still remember a world in financial meltdown, and the U.S. government knows this could happen again if one of the financial behemoths is crippled through ransomware. If the incident became publicly known, fear could take hold in financial markets causing seismic global problems,” Agarwal continued. “The U.S. government is sending a message to ransomware groups that attacks on the financial sector will involve a government response, and recent commentary has noted growing fear of capture in their ranks. Financial institutions are already heavily regulated and so they will not be shocked by this development and will be compliant.”
No, the Decision to Pay Should be Up to Victims
Also weighing in on the debate in the WSJ was Maurice Turner, cybersecurity fellow at the Alliance for Securing Democracy, who argued that paying ransom can be cheaper than trying to rebuild systems after a ransomware attack.
“Time is money,” he wrote. “Sometimes paying a ransom is less expensive than withholding one — and being forced to laboriously rebuild an IT system and restore data from backups. And companies often face a choice that could drastically affect their business: Companies have seen criminals threaten to leak or sell stolen data if extortion payments aren’t made.”
It’s worth noting that research has shown that paying ransom doesn’t guarantee that a victimized entity will get its data back. According to Sophos’ State of Ransomware 2021 report, only 8 percent of ransom-payers got all their data back, while nearly a third – 29 percent – reported that they couldn’t recover more than half the encrypted data.
Though he wrote for the WSJ back in September, before McHenry’s introduction of H.R.5936, Turner offered input that’s relevant to the newly proposed bill: namely, about the cap of $100,000 that triggers the need to get permission to pay ransom.
Anything less than that is a tax write-off, he noted: “Today, ransom payments of any amount can be claimed as a deductible expense for tax purposes,” he wrote. “The Treasury Department could limit this amount to, say, as little as $100,000—which would serve to bring down ransom demands.”
A ‘Superficial Economic Notion’
John Bambenek, principal threat hunter at digital IT and security operations company Netenrich, has a different take. He compared the bill to the United States’ no-concession approach to paying ransoms in the case of kidnappings, which RAND has found (PDF) doesn’t work.
“When RAND looked at ransom payments in kidnappings, it found there is no correlation of a reduction in kidnapping based on the U.S.’s no-concession approach to ransoms,” Bambenek told Threatpost on Thursday.
He called it a “very superficial economic notion” that trying (or even succeeding) at stopping ransom payments will have an effect on ransomware. “What this bill does, assuming Treasury [ever] does deny paying ransoms, is [tell] businesses that they have to absorb the higher cost of recovery versus paying ransoms, which just [means] there is one more inflationary pressure on an already shaking economy.”
Part of a Legislative Trend
The Digital Shadows Photon Research Team put it all in perspective: The potential ban on paying big ransomware is “yet another part of the recent legislative push towards a stronger foothold on ransomware,” the team said in an email to Threatpost on Thursday.
“The proposed legislative changes could leave financial firms in an extremely difficult position of either suffering the effects of a ransomware attack without any option to negotiate, or breaking the law,” the team said. “Banning financial firms from making ransomware payments of more than $100,000 would not necessarily deter them from paying ransoms, however. The cost of a ransomware attack is not from the price of a ransom alone; downtime, recovery and reputational loss could easily cost financial firms over the proposed payment ceiling.”
The promise of confidentiality could take the sting out of the proposal while encouraging responsible disclosure, the team added.
“Congress’ recent push for more legislative framework surrounding ransomware is not an attempt to ensure ransoms are not paid; rather, it is more likely motivated by providing firms with guidance,” the team said. “The fact that the legislation only currently applies to financial firms indicates where the priority is for policy-makers and stakeholders.”
The Digital Shadows Photon Research Team suggested that one possibility is that ransomware attackers simply demand less than $100,000, or attack sectors that would be unaffected by the proposed legislation.
“The bottom line is that ransomware operators will be encouraged by conducting their activity in whatever way makes them money. As long as victims pay, ransomware attacks will almost certainly continue,” it said.
At this point, the bill, apparently, has neither co-sponsors nor a Senate version. McHenry’s office hadn’t responded to an inquiry from Threatpost by the time this story was posted.
Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, “Password Reset: Claiming Control of Credentials to Stop Attacks,” on Wed., Nov. 17 at 2 p.m. ET. Brought to you by Specops.
Register NOW for the LIVE event and submit your questions ahead of time via the registration page.