Washington, D.C. – In a House Judiciary Committee hearing last week, Congresswoman Deborah Ross (NC-02) discussed the need for her legislation, the Ransom Disclosure Act, with Attorney General Merrick Garland. The bill provides the Department of Homeland Security (DHS) with critical data on ransomware payments in order to bolster our understanding of how cybercriminal enterprises operate and develop a fuller picture of the ransomware threat.

Congresswoman Ross asked: “And would it also be helpful if you had reporting on what victims had paid in ransomware in a larger registry? I've introduced legislation. There's companion Senate legislation on this.”

Attorney General Garland responded: “More information we can find out about who's demanding the ransoms, what victims are paying, how they're paying, what kind of wallets they're paying them into, what kind of cyber or crypto wallets they're being asked to pay them into, all of those things help us understand the ecosystem. So the more information we have, the better.”

The full exchange is available here.

The Ransom Disclosure Act will:

  • Require ransomware victims (excluding individuals) to disclose information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom;
  • Require DHS to make public the information disclosed during the previous year, excluding identifying information about the entities that paid ransoms;
  • Require DHS to establish a website through which individuals can voluntarily report payment of ransoms;
  • Direct the Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks, and to provide recommendations for protecting information systems and strengthening cybersecurity.

Senator Elizabeth Warren (D-MA) introduced the Senate companion legislation.