New Senate bill aims to put the boot to botnets
A group of senators have crafted a bill that would give the government greater powers to prosecute and punish those who operate and rent out botnets.
Sens. Lindsey Graham, R-S.C., Richard Blumenthal, D-Conn., and Sheldon Whitehouse, D-R.I., earlier this week introduced the Botnet Prevention Act, which would expand the Justice Department’s civil injunction authority to tear down botnets, create new criminal offenses for renting out botnets and raise the penalties for cyberattacks on critical infrastructure.
Botnets are networks of infected computers, owned and operated by innocent and often completely unaware third parties, which cybercrime gangs control through malware. Botnets are used for DDoS attacks and spamming, and are often rented or sold to the highest bidder by so-called ‘bot-herders.’
Graham and Whitehouse rallied support for the bill Wednesday during a sparsely attended Senate Judiciary Committee hearing that explored ransomware.
The provisions in the new bill go beyond what is currently allowed by the Computer Fraud and Abuse Act, which only allows the Justice Department to issue civil injunctions if a botnet is used for certain types of crime. The 30-year-old law also doesn’t have any language about penalties related to selling or renting access to botnet networks.
Botnets are often a key part in the spread of ransomware, used by criminals to distribute the malware to as wide a network as possible. Infected computers have their files, folders and drives encrypted, and the owners have to pay a ransom to get the key. According to the FBI, criminals received $209 million in ransomware payments in the first three months of 2016.
Those figures back up other research that points to a sharp rise in ransomware in 2016. Kevin Haley, the director of product management at Symantec Security Response, told FedScoop last month his group has seen an average of over 4,000 ransomware attacks per day since Jan. 1, a 300-percent increase over 2015.
While ransomware has mainly been used in attacks on individuals, hospitals, police departments and even federal agencies have been dealing with the malware as well. The Homeland Security Department told the Senate Homeland Security Committee in March that there had been 321 ransomware incidents reported by 29 different agencies since June 2015, with many attacks stopped by agencies’ security centers.
Security professionals and white hat hackers have recently made headway in breaking the encryption that ransomware relies upon. Kaspersky Lab has been on a months-long cat-and-mouse chase with the developers of CryptXXX, releasing decryption tools after multiple iterations of the malware have been pushed out in recent weeks. Additionally, the developers of TeslaCrypt gave up the ghost Thursday, posting their master key and an apology on their Tor website.
Whitehouse said during the hearing that without his bill, businesses could suffer up to $1 billion in losses this year. Testifying, Justice Department official Richard Downing said that figure is on the low end of law enforcement’s measurements.
“If we don’t do something to address the deterrence we’d like to get, $1 billion seems like a low estimate,” he said.
You can read the full text of the bill on congress.gov.