
Ransomware Bill Would Give Victims 48 Hours To Report Payments (bloomberg.com)

Victims of ransomware attacks would be required to report payments to their hackers within 48 hours under a proposal from Democratic Senator Elizabeth Warren and Democratic Representative Deborah Ross. From a report: The Ransom Disclosure Act would give the Department of Homeland Security data on ransomware payments, including the amount of money demanded and paid, and the type of currency used. The lawmakers say this is essential to bolster the U.S. government's understanding of how hackers operate and the extent of the ransomware threat. "Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals," Warren said in a statement on Tuesday.
  • by crow ( 16139 ) on Tuesday October 05, 2021 @01:59PM (#61863963)

    How about making it illegal to pay ransom? Whatever happened to "we do not negotiate with terrorists?" Include jail time for any employee that authorizes ransom payment on behalf of a company, and it would stop.

    • by phantomfive ( 622387 ) on Tuesday October 05, 2021 @02:08PM (#61863993)

      Some companies would go out of business if they didn't pay ransomware. That's not something Elizabeth Warren wants.
      Forcing them to report is a way to make it more uncomfortable without them going out of business.

      Whatever happened to "we do not negotiate with terrorists?"

      That strategy was gone before Bush left office.

      • by mark-t ( 151149 )
        If they don't have strategies for mitigating the data loss without paying the ransom, the companies deserve to go out of business.
        • by Linux Torvalds ( 647197 ) on Tuesday October 05, 2021 @02:15PM (#61864037)

          Difficulty: The company distributes oil to the entire Eastern seaboard, manages critical healthcare facilities, or does something else that will incapacitate entire economic sectors if they "go out of business."

          At some point a military response to ransomware operations becomes entirely appropriate.

          • by mark-t ( 151149 )
            Irrelevant. You either have a strategy for dealing with it, or you don't deserve to be operating. If lives are dependent on your operation and you don't really have a clue how to do so in a safe and reliable manner, then it really sucks to be one of the lives that depends on it. It's no different than if a subway operator didn't know how to slow down the train.
            • by tlhIngan ( 30335 )

              Irrelevant. You either have a strategy for dealing with it, or you don't deserve to be operating. If lives are dependent on your operation and you don't really have a clue how to do so in a safe and reliable manner, then it really sucks to be one of the lives that depends on it. It's no different than if a subway operator didn't know how to slow down the train.

              Everything has a cost. If you're prepared for this, it costs you money, so you charge more. But your competitor doesn't have a plan and your custom

              • by mark-t ( 151149 )
                If keeping backups makes your business unprofitable, then your margins are too tight in the first place.
          • by mspohr ( 589790 )

            "At some point a military response to ransomware operations becomes entirely appropriate."

            So you want to invade Russia and China?
            (Please look up "Afghanistan" to see how well that works out.)

            • by schwit1 ( 797399 )

              Both those countries have already invaded the US. China with Fentanyl and Russia with ransomware.

              BTW, the military response doesn't have to be kinetic

            • (Please look up "Afghanistan" to see how well that works out.)

              Sorry, wrong. Afghanistan is a minor player that poses no real risk to the USA; you would need to look up "nuclear armageddon" to really see how that works out.

          • by AmiMoJo ( 196126 )

            What kind of military response do you imagine being possible? Say they are based in Russia, how exactly do you plan to retaliate?

            Or how about being based in eastern Europe, or China, or North Korea? Seems like a military strike on any of those areas would be disproportionate and lead to much worse things than ransomware.

        • I agree with you.
          I would also add that any company that gets hacked with an SQL injection exploit deserves to go out of business. Those can and should be avoided perfectly.

        • We'll let the thousands of employees employed at one of these companies know you said that. I'm sure it will ease their burden as they are all desperately trying to find new jobs and scrape enough money together to pay for their rent and groceries for the month. Flippant remarks like that are pretty ridiculous and useless. You have to know that.
        • It's not a matter of "deserving" to go out of business or not. These companies will go out of business. Anyone who pays gets hit up a second time, and if they're still there after that, a third time. Recovering from a ransomware attack is the same if you pay or don't pay. Any information you think you got back is untrustworthy, any system that works again doubly so. You're starting fresh either way or you're just waiting to be held up again.

          Paying a ransom should be a criminal offense with mandatory jail ti

      • That strategy was gone before Bush left office.

        You misspelled "Reagan."

      • Some companies would go out of business if they didn't pay ransomware. That's not something Elizabeth Warren wants.
        Forcing them to report is a way to make it more uncomfortable without them going out of business.

        So??? And some people might die if you don't give the plane hijackers everything they ask for. Better a few businesses go out of business or a few people die than for this to be an ongoing threat month after month and year after year.

        A more valid argument for paying ransomware, on the other hand, might be that if you don't pay the ransomware, then these bugs are not exposed by black hats, and therefore these bugs actually still exist and could be used by even more unsavory characters like other foreign powers.

      • "we don't negotiate with terrorists" doesn't work as well in the private sector, especially when you have competitors that aren't going to wait for you to recover from a ransomware attack before they eat you alive in the free market.

        If someone's got you by the proverbial balls and the only way out is to pay up, then you may have no choice between that and going out of business.

        The only real viable solution is a good defense with proper backups that protects you from getting hijacked by ransomware in the

      • by jaa101 ( 627731 )

        Some of the very first deals the US did with foreign governments were to negotiate protection money payments so that the Barbary states wouldn’t kidnap its citizens for ransom or to sell them into slavery. These payments made up a large proportion of the federal budget.

      • Some companies would go out of business if they didn't pay ransomware.

        There wouldn't be a ransomware attack in the first place!

    • Zero tolerance = Zero brain. That's the Dumbericunt cowboy mentality at work.
    • How about making it illegal to pay ransom? Whatever happened to "we do not negotiate with terrorists?"

      You do know that this was Ronald Reagan's motto, right? And that not only did his administration negotiate with terrorists, the negotiations were to arrange arms deals for them.

      The unspoken version of the motto was "we keep it secret that we negotiate with terrorists".

      Which is what would happen in your proposal: the people who pay ransom would keep it secret.

      • I think Warren should have proposed the "Liam Neeson" law... where if you try to ransom a company... the company pays the ransom to the US government... and the government uses the funds to hire people... people with a very special skill set. /s

    • by NFN_NLN ( 633283 ) on Tuesday October 05, 2021 @02:13PM (#61864029)

      Why not just create a ransomware passport. Every month that you don't pay a ransom you get an updated valid passport.
      Anyone without a valid ransomware passport can't travel by air, eat at restaurants, attend venues, etc.
      We can use these passports to control people's behavior... pretty much like they were intended.

    • by mark-t ( 151149 )

      To be fair, the only thing that it would actually completely stop if it were illegal is people reporting it. Jaywalking is illegal too, but people still do it. So is speeding. A law against it, however, would still mitigate some people who might have otherwise been willing to pay the ransom, and with fewer people willing to pay, it follows that the incentives to keep trying to perpetuate this malware would also start to diminish.

    • Never say NO to a hostage taker – it’s in the manual!

      “Never use no, don’t, won’t or can’t” in a negotiation as it “eliminates options”.

      • Yeah, that was a great movie. Sam L. Jackson at his finest. Here is another great movie: Ransom with Mel Gibson and Gary Sinise. Sinise kidnaps Gibson's son and asks for a ransom. After a bungled payment attempt involving the FBI, Gibson gets fed up, goes on television and offers a Ransom on the kidnapper. Brilliant move. Now if we can mobilize every hacker to do this when a school or local municipality gets hit with ransomware, then it might make the criminals rethink their lives.
      • Never say NO to a hostage taker – it’s in the manual!

        “Never use no, don’t, won’t or can’t” in a negotiation as it “eliminates options”.

        Hmm, so are you saying this to the ransomware distributors, the victims, or congress, who's holding the victim accountable?

        On the latter, look at Warren showing us we CAN learn things from TEXAS

    • I was a victim of it. I didn't pay and lost some personal files, but I am surprised you think I should have been jailed if I had.

    • Making it illegal to pay the ransom just encourages the company to pay quietly and then lie on their financial statements too. It's not really any different than a ransom of a loved one where they say "come up with the money, who cares how, or your loved one gets fed to the sharks!" The ransomers don't really care if you break the law to pay them. At best I think we could make it so companies can't write off the ransom on their taxes.

    • Use regulators to shut the victims down for having lax cybersecurity.

      The attackers are already taking advantage of a hole that shouldn't exist, so I'd much rather the government flunk them on an electronic health inspection.

    • How about making it illegal to pay ransom? Whatever happened to "we do not negotiate with terrorists?"

      "We do not negotiate with terrorists" only works when you can afford the penalty. For instance, a government can afford to let a bunch of hostages be killed; it sucks, but it signals they're serious about not paying and therefore discourages further hostage scenarios.

      Not only would a lot of companies go out of business if they didn't pay the ransomware, but they're really only going to be attacked once. This means there's no way for an individual organization to signal it won't pay and thus discourage ra

    • by mspohr ( 589790 )

      We have always negotiated with terrorists (regardless of what the politicians have said).

  • Thanks Elizabeth.
  • Extent? Yes. How? Don't you see that barn with the door wide open?

  • Wouldn't that just encourage ransomware makers to encrypt half of the victim's data with a different key? "If we find out you reported it the first payment, we won't decrypt the other half at any price?"
    • by mark-t ( 151149 )
      Your case makes an excellent point for why the ransoms should not be paid in the first place.
    • That or they start doing it for shits and giggles.

    • by crow ( 16139 )

      Why would they care if it's reported? They're assuming that using Bitcoin and being located in Russia make them safe from any prosecution.

    • by PPH ( 736903 )

      If we find out

      Odds are that DHS will keep quiet about who reported what. Until everything is decrypted and they get an opportunity to do some intelligence collection on the hacking group.

  • by ctilsie242 ( 4841247 ) on Tuesday October 05, 2021 @02:22PM (#61864073)

    This is so easy to get around:

    1: Hire a ransomware consultant who is offshore.
    2: Pay them the ransom + a "tip" as a "consulting fee".
    3: Ransomware gang delivers decryption key to the consulting company.
    4: Consulting company says they "broke the ransomware code", and provides a decryptor.

    ???

    6: Profit for the consulting company, the ransomware org, and the corporation who will just charge it off as a cost of doing business. Since no official ransomware payments are done, just paying a consultant company, there is nothing to report, and if there ever was proof, the company hiring the consulting company would have enough plausible deniability to get off the Fed's hook.

    • That's not how it works...

      Similarly to anti-corruption laws, companies are prohibited from bribing, in the US or overseas. Some companies got creative and hired consulting firms just like you suggested, to pay the bribe. Guess what? The guys that were responsible for hiring the consulting firm got put in jail. The prohibited act is effective for both direct and indirect attempts. Hiring someone else to do the dirty work doesn't excuse the offender. Similarly to how you hire an assassin to kill someone and you
  • Let me guess. Congress wants to track ransomware payments so they can tax them!
  • If we're gonna make laws to fight ransomware, why 48hrs AFTER? Why not mandate corporates to report BEFORE paying so that the FBI can help track the payment? She's making the 48hrs suggestion as if it will change anything. The money would have already been wired and the victim is still left with their dicks in their hands. So what if the hacker gave the decryption key after receiving payment? The victims still have to spend countless hours to decrypt their data and get their shit together. For some companies it
  • Way to go Elizabeth Warren and the rest of the socialists! We need new laws governing ransomware, so why not pass some that force the victims of the crime to do stuff for the government. They're easy to catch and punish if they don't comply, unlike the ransomware purveyors. And it looks like the government is doing something.

  • Microsoft windows strikes again !
