The Bill Banning Payment of Ransoms
Bill S7289, introduced by Senator Carlucci, prohibits municipal corporations and other government entities from paying ransoms resulting from cyberattacks. Ransomware attacks use malware programs that make systems unusable. Hackers then demand payment, usually in the form of cryptocurrency, in exchange for restoring the systems. The bill defines a cyberattack as a “virtual attack against the critical infrastructure, as defined in subdivision five of section eighty-six of the public officers law, of a municipal corporation or other government entity.”
Aim of the Bill
The aim of the bill is to stop the increased use of ransomware by cybercriminals against government bodies. Senator Carlucci, along with the FBI, feels that paying ransoms only encourages cybercriminals to conduct further attacks. Consequently, he hopes that if legislation is in place which bans the payment of ransoms, then ransomware attacks will stop. “This legislation will make it clear that those looking to do harm, looking to make money by instituting ransomware attacks, that they won’t be profitable because it will be illegal for municipalities to pay a ransom,” Carlucci said in a statement aired on WSYR-TV. Senator Carlucci’s bill is a new bill and it is currently in committee. Carlucci is waiting from more law makers to sign on to it.
Motivation for Bill to Make Paying Ransoms Illegal
The bill was introduced following a resolution that came out of the annual US Conference of Mayors. The conference was held in June 2019 and represented 1,407 cities, each with populations over 30,000. The conference’s resolution stated that mayors were “united against paying ransoms in the event of an IT security breach”. Over 225 mayors across the US backed the resolution, which was titled “Opposing Payment to Ransomware Attack Perpetrators”. The resolution was prompted by events in 2019 that saw 24 US cities hit by ransomware attacks. Lake City, Florida, made payment of 43 bitcoins to regain access to its phone and email systems. Also attacked in 2019 was the City of New Orleans, which was hit by a Ryuk ransomware attack. Another high-profile 2019 attack was conducted against the City of Baltimore. The ransomware attack, which shut down essential city systems, was conducted via a phishing email. The cybercriminals responsible demanded 13 bitcoins from the city, which at the time equated to around US $76,280. The City of Baltimore, however, refused to pay the ransom on advice from the FBI. In the end, the attack cost the city at least $18 million.