Ransomware negotiator talks tales, threats, and New York's new ransom payment disclosure law


New York passes legislation requiring local governments hit by hackers to now fess up if they've paid a ransom demand to their attackers. A top ransomware negotiator shares insight on the bill, the current threat landscape – and some memorable negotiating moments with Cybernews.

Signed by New York State Governor Kathy Hochul on Friday, S.7672A/A.6769A0 is the first of its kind in the nation to require state and local authorities to disclose ransomware payments, which, as with private sector ransomware victims, are routinely kept close to the chest for myriad reasons.

Aimed at strengthening cybersecurity across state municipalities, the "landmark legislation" mandates that all municipal corporations and public authorities promptly report cybersecurity incidents and ransom payments to the New York State Division of Homeland Security and Emergency Services (DHSES).


The bill covers not only local governments and all connected agencies, such as housing, health, transportation, police, fire, and emergency services, but also airports, school districts, court systems, and gas and electric companies, among others.

According to the law, public entities will have just 72 hours to report a cybersecurity incident to the DHSES, and only 24 hours to disclose if they have paid a ransom demand.

New York Governor Kathy Hochul signed a first-of-its-kind cybersecurity law covering state municipalities on June 27, 2025. Image by Aidin Bharti/Office of Governor Kathy Hochul.

“As global conflicts escalate and cyber threats evolve, so must our response, and we are taking a whole-of-government approach in doing so,” Governor Hochul said in the announcement.

Hochul said the new cybersecurity bill sets a precedent for other states to follow and will help protect both state and local critical infrastructure from cyber threats.

The comments follow recent warnings by US Homeland Security of possible Iranian-linked cyberattacks on US critical infrastructure since America’s June 21st strikes on Iran’s nuclear sites.

24-hour deadline to report a ransom payment

To talk about the nuances of the bill and delve more into the ransomware negotiations process, Cybernews sat down with Mark Lance, Vice President of Digital Forensics and Incident Response (DFIR) & Threat Intelligence at GuidePoint Security.


“Historically, there has been a lot of direction based on the vertical or the area you work in," Lance said, citing SEC requirements for the financial sector. "This is more of a blanket way of providing, first, minimum security and compliance requirements, and second, reporting requirements across everybody.”

Lance says the benefit would be normalizing standards across all verticals and all organizations, pointing out that every state has its own requirements. "I think what they're [New York] trying to do is align with what we're seeing federally."

“Here is the minimal amount of information we want so that we can track this, get in front of it. Here are your core compliance requirements. You've got to be using MFA. You have to have EDR [Endpoint Detection and Response]. Those things that we've been out there screaming about for years. Do the basics.”

The ransomware negotiator says that New York stepping up to establish a baseline is definitely unique for municipalities and that the reporting of ransom transactions is primarily “for tracking and to support law enforcement efforts… but not in the way most people think.”

Governor.ny.gov. Image by Cybernews.

“The expectation is that law enforcement is going to come in and perform an investigation. A lot of people think it's like on TV, where if a crime happens, you bring in detectives and they do all the research,” Lance explains.

Lance said when it comes to cyber criminal activity and ransomware, instead, what victims should expect, even on the federal level, is that authorities will acknowledge the breach, make recommendations, such as for incident response or outside forensic services, and then provide the victim with “all the most recent and relevant information about this threat actor that you're working with.”

“Then they will ask the victim to share all the information gathered about the attack to support their own law enforcement efforts,” he said.

What's in a ransom payment?

This is where Lance and his team come in – third-party experts hired to handle the next step – communicating and negotiating with the threat actors.


On the disclosure of the ransom payments themselves, Lance says once his team is pulled in for an incident, “they normally work with external legal counsel on behalf of the client to implement privilege over that investigation,” which is why the public (and the press) rarely see that information.

The average cost of ransomware payment made in the US for each quarter. Q1 2023 - Q3 2024. Image by Cybernews.

This is so “not everything gets publicly disclosed… whether a payment was made, how much that payment was, and all those types of things,” he said.

“A lot of times, if people are making payments, they don't always want to acknowledge it, and they definitely don't necessarily want to let people know how,” he added.

Lance did say that, while historically no one wants to pay a ransom, businesses have gotten smarter, implemented more robust cyber defenses, and are now often equipped with offline backups to recover any stolen or encrypted data.

Still, the ransomware expert says “there are always special circumstances where that doesn’t apply."

For example, when working with one hospital client under attack, Lance pointed out, “For them to get backups out of cold storage, it was going to be two weeks, and it was costing them $1 million a day to pay the threat actor. Financially, it was actually more effective for them to pay the ransom.”


Attacks continue to devastate the public sector

Even back in 2021, the FBI said that ransomware attacks were straining local US governments and public services.


Fast forward to today, and over the last year, ransomware attacks on the public sector have jumped dramatically. For example, attacks on non-profits doubled from around 50% to 106%. And attacks on public school districts also rose by 16%, according to recent data by GuidePoint Security.

Furthermore, research by Sophos shows 34% of state and local government organizations were hit by ransomware in 2024, with a whopping 98% of the attacks resulting in data encryption.

The average recovery costs from a ransomware attack on a state or local government in 2024 were recorded by Sophos at $2.83 million, also more than double the previous year.

Top five ransom gang activities in April 2025. Image by Ransomlooker via Cybernews.

Lance says that since January, his team has been tracking 70 active threat groups, compared to 45 in Q1 2024, and is hired to consult on about ten ransomware cases per month.

"There's been all of this kind of splintering, dissolving, rebranding, a lot more groups. I still think there is that reputational piece to ransomware operations where we see that even for some of these smaller groups, they are still trying to establish themselves and market as a brand," he said.

Those 70 threat actors have carried out a whopping 2,063 ransomware attacks in Q1 2025, with about 60% of them happening inside the US – both historic highs for a single quarter, GuidePoint Security statistics show.

In the past several years, Cybernews has covered dozens of ransomware attacks on state municipalities and public school districts, often targeted for their less than stellar cybersecurity infrastructure due to lack of public funding.

City of Oakland website. Image by Cybernews.

From the City of Dallas, Texas, and South Carolina's Kershaw County School District (hit by the BlackSuit gang), to the City of Oakland, California (LockBit and Play), to the Seattle-Tacoma Airport, the City of Columbus, Ohio, and Maryland's Prince George's County school system (the Rhysida cartel), these attacks have caused weeks of chaos and downtime, costing the entities and taxpayers millions.


Tales from the ransomware crypt

Of course, one could not interview a ransomware negotiator without asking about any memorable cases, and Lance did not disappoint.

After discussing Scattered Spider, Black Basta, Conti, and other usual ransomware suspects, Lance brought up a recent negotiations incident with the RansomHub group, a known ransomware-as-a-service (RaaS) operator, and one of its many affiliates.

“You recognize that these cybercriminal organizations have the same kind of inner turmoil as a typical business or a typical organization,” he explained.

Lance said that while his team was negotiating with one of RansomHub's affiliates, and as the affiliate was asking for a ransom payment, the group's infrastructure went down.

RansomHub leak blog 2024. Image by Cybernews.

“The RaaS operator actually ended up reaching out directly via email channels and asking for a payment. So now you've got both the affiliate and the ransomware operator, both separately… trying to double dip on this client.”

“We're now working on two separate communications, and they’re like fighting in the background. That one ended up being pretty intricate and involved,” Lance said.

He also mentioned an instance where the attackers had provided a broken decryptor, and then just walked away, but his team was able to actually fix it and get it to work.

Lance divulged that "about 40% of the time that we're engaged for communications, they [the client] end up making a payment."


However, Lance said there is a significant level of variability as to why a victim would potentially make or decide not to make a ransom payment.

He lists factors such as the size of the organization, whether they have access to backups, if the attackers have sensitive unrecoverable information, or even a lack of knowledge about what data the attackers do have.


Surprisingly, Lance says his team will “always advocate for communications with the threat actor, regardless of whether there's any intent on making a ransom.”

It allows you to take certain steps, such as potentially delaying disclosure or getting the hackers to provide hints at what information they do have, he said.

“We've had instances where it's a $2 million ransom demand. They'll [the client] say, okay, let's start with $250,000. It's the maximum that we're going to offer them.”

"So we go back and we say, hey, I work with my management and they're going to allow us to offer $250,000. Um, that's all that we can afford."

“And they'll paste the insurance information in there and say your insurance provides coverage for up to 2 million.”

Lance said he's had ransomware gangs ask clients for $15 million when they’ve “got nothing” and then other times “it’s like holy crap. They don't realize what they have.”


New York's 72-hour cyber incident reporting rule was already in place covering the New York financial sector, and last October, it was adopted to apply to state hospitals as well, also making New York the first in the nation to do so.

The new legislation further mandates annual cybersecurity awareness training for government employees and sets data protection standards for State-maintained information systems, the Governor's office said.

“Requiring timely incident reporting and providing annual cybersecurity training for government employees will build a stronger digital shield for every community across the State and ensure they get the support they need when it matters most,” Hochul said.