The Ransom Disclosure Act and Defending Against Complex RansomOps™

On October 5, U.S. Senator Elizabeth Warren (D-Mass.) introduced the Ransom Disclosure Act. She framed it as something that could help the U.S. government learn more about how ransomware operations work.

As quoted in a press release announcing the bill:

“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals. My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises -- and help us go after them.”

The Ransom Disclosure Act comes with several primary provisions for realizing those ends. First and foremost, it requires victims who’ve paid a ransom to disclose that they’ve done so within 48 hours. At that time, they must also provide supporting information about the payment, including how much they paid, what currency they used, and any information they might have about who made the ransom demand in the first place.

Second, the U.S. Department of Homeland Security (DHS) will strip identifying information from the disclosures collected from victims who paid during the preceding year and make the remaining details public. It will also be responsible for creating a website through which victims can disclose having paid a ransom.

Using that data, the DHS Secretary will then search for commonalities and provide recommendations for how the U.S. government can strengthen the cybersecurity of its systems against ransomware actors.

Ransom Disclosure Act Could Help the Government But Hurt Victims

To its credit, the U.S. government is taking a multi-pronged approach to counter ransomware. At the beginning of October, for instance, CNN reported that the Biden Administration was working on convening a meeting of 30 countries at the White House to address the threat of ransomware. The goal of the meeting will be to help “accelerate our cooperation in combating cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically,” as quoted from a press release.

Simultaneously, the U.S. government is working to disrupt the channels through which ransomware actors collect their ransom payments. This became evident in late September when the Office of Foreign Assets Control (OFAC) at the U.S. Department of the Treasury designated SUEX, a cryptocurrency exchange, for “facilitating financial transactions for ransomware actors.” The Treasury Department noted that more than 40% of SUEX’s transaction history traced back to illicit actors.

The Ransom Disclosure Act falls under this same mission. By documenting ransom payments, the logic goes, the U.S. government can get an idea of how much these attackers are making. It can then use that information to craft an appropriate response.

Forcing victims to disclose ransom payments may be seen as controversial, however, because it focuses on the victims of ransomware attacks, not the perpetrators of them. In the words of Bleeping Computer, “many believe that it would merely result in making ransomware attack repercussions more severe” by shaming victims for having paid.

Such publicity could also help OFAC to punish victims under strict liability for having paid a malicious actor designated on its sanctions program—all without helping victims to defend against RansomOps™ in the first place.

Furthermore, in a research report published by Cybereason earlier this year, titled Ransomware: The True Cost to Business, nearly half of respondents (46%) who succumbed to their attackers’ ransom demands regained access to their data following payment only to find that some, if not all, of their data was corrupted, and 80% of organizations that paid a ransom were hit with a second ransomware attack.

Combating Complex RansomOps

RansomOps, or ransomware operations that use sophisticated techniques such as those employed by Advanced Persistent Threat (APT) groups, have become extremely prevalent in recent months. So too has ransomware in general.

Indeed, Threatpost reported that researchers flagged 304.7 million attempted ransomware attacks in the first half of 2021 - that’s more than the volume for the entire year in 2020, which logged 304.6 million attempted ransomware infections.

It doesn’t look like these attacks will be slowing down anytime soon, either. As reported by MSN, National Security Agency (NSA) Director Paul Nakasone said that the United States will face a major ransomware attack “every single day” over the next five years. That is why something needs to be done now to stem the tide.

One thing to remember in dealing with the threat that RansomOps pose is that the actual ransomware payload is the tail end of the attack. While it’s important to have the capability to block the execution of the malicious code before critical files can be encrypted, there were likely weeks or even months of detectable activity on the network beforehand.

This activity includes initial ingress, lateral movement on the network, establishing command and control and more - all occurring long before the actual ransomware payload comes into play. The ability to recognize RansomOps early in the attack progression is the key to preventing a successful ransomware attack and relegating the adversary’s activity to a much less disruptive intrusion or data exfiltration attempt.

Defending Against Ransomware Attacks

It’s unclear whether the Ransom Disclosure Act will pass and how it will affect ransom payments if it does. But the mere possibility of it becoming law highlights the need for organizations to focus on ransomware prevention and defense. They can do that by investing in a sophisticated anti-ransomware platform that uses multiple layers of behavior-based detection to defend against attack chains both old and new.

The Cybereason operation-centric approach provides the ability to detect RansomOps attacks earlier, and it is why Cybereason is undefeated in the battle against ransomware with the best prevention, detection and response capabilities on the market.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware attacks. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
