A bipartisan-sponsored bill was introduced in the New York State Senate earlier this year that would ban payments to ransomware hackers using taxpayer funds. Given that many of the (known) targets of ransom demands have been public institutions, this could effectively draw a line in the sand against paying off cybercriminals to unlock infected files in NY. The bill also contains provisions for establishing a cybersecurity improvement fund for smaller municipalities in the state.
NY State Senate Bill S7246 – Cybersecurity Revisions
The underlying theme of the proposed legislation (Senate Bill S7246) is to take charge of and completely revamp the state’s response to ransomware. It would do so in two ways: by explicitly forbidding the use of taxpayer monies to pay ransoms after January 1, 2022, and by incentivizing investment in network security controls. As stated in the bill, “A small investment in local government cyber security now, can help stop cyber-criminals from profiting on the backs of New York State taxpayers…”
Under the current terms of the proposal, this “cyber security enhancement fund” will amount to $5 million and be available to local governments through “grants and other forms of financial assistance.” While the fund will be managed by the state comptroller, the NY Division of Homeland Security and Emergency Services (DHSES) will be in charge of creating and overseeing the state cybersecurity training program.
Ransomware Targeting Local Governments and Schools
Many government agencies, school districts and other public institutions have been victimized by malware in recent years, with disruptive and expensive consequences even in many cases where ransom was paid. Network downtime brings all municipal activities to a grinding halt, preventing access to records and critical government functions. Data restoration is often the biggest expense for cities and towns that must ensure citizen information is up to date and accurate.
While several mayors and municipal leaders across the country have taken a stand against paying hackers their ransoms, quite a few public executives have simply complied. It is easy to see why, with the payment demands often seeming much lower than the cost of doing nothing. Even many technology solutions promising miraculous ransomware removal have been caught sending payments as well, so for some there appears to be no easier response than giving in.
Paying Off Hacker Ransoms
The question of whether to pay off ransomware hackers is not limited to the public sector, as studies have shown that most executives of infected businesses often opt to pay the ransom. Yet the spread of the malware over the years, by the same culprits, reinforces the warnings made by the FBI and cybersecurity experts – the payments have only emboldened cybercriminals.
Time will tell whether Bill S7246 is a step in the right direction, but the idea behind the legislation certainly rings true. Unfortunately, there have been no proven, consistent methods for breaking ransomware encryption, and paying the ransom in no way guarantees data retrieval – even if hackers act in good faith and return access, damage done by file locking can compromise information anyway. Only cybersecurity training and secure data backups have been able to mitigate the harm caused by malware.
Learn How to Fight Back Against Ransomware
Research shows that ransomware is picking up in 2020 and that, propelled by the success and profit of previous years, cybercriminals will deploy new and refined techniques for breaching your network. Learn how to protect your business against file encryption by securing your data against all forms of malware.