F-Secure Comment on Ransom Payment Legislation
October 2021 by Callum Roman, Head of Threat Intelligence at F-Secure
Following the news that Sen. Elizabeth Warren and Rep. Deborah Ross have introduced legislation to require the disclosure of ransom payments to help the government better analyze and prevent them, please see below for comment from Callum Roman, Head of Threat Intelligence at F-Secure:
Governments know ransomware is a problem, but just how much of a problem is unclear. Compulsory reporting of ransomware payments could help shed light on the true scale of the problem and not just the tip of the iceberg we see reported in the media.
The legislation may run into issues on reporting based on how and where organizations decide to pay the ransom. If they organise payment through an intermediary, will they have to report? If they pay the ransom from a company in their portfolio that is not under US jurisdiction (aka abroad), will they have to declare?
There will always be ways round this type of legislation, but if constructed well it can have a positive impact on informing government of the real scope of the issue.
The most interesting aspect of the suggested legislation is the directive to the DHS to investigate the cryptocurrency facilitation of ransomware. This may spark further legislation and focus on this medium by the US government. It certainly will help arm it with the information it needs to decide if this is an effective avenue for combatting ransomware.