Brought to you by:

Reporting of ransomware payments to be mandatory

A new law is to be introduced requiring the reporting of ransomware incidents as the Australian Government makes clear it does not condone conceding to the demands of cyber criminals.

A Ransomware Action Plan, published today, outlines the powers Australia will use to combat ransomware after the nation experienced a 15% rise in  attacks reported to the Australian Cyber Security Centre in the past 12 months.

“The Ransomware Action Plan takes a decisive stance – the Australian Government does not condone ransom payments being made to cybercriminals,” Minister for Home Affairs Karen Andrews said.

The Department of Home Affairs says cyber security incidents cost the Australian economy $29 billion annually, or 1.9% of gross domestic product. The threat is increasing in scale, frequency and sophistication and likely to rise as the number of connected devices grows.

Paying ransoms was no guarantee of access to locked systems or sensitive data, Ms Andrews says, and may open the victim up to repeat attacks.

“Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk. We need to ensure that Australia remains an unattractive target for criminals and a hostile place for them to operate.”

Today’s plan outlines legislative reform aimed at further criminalising ransomware and ensuring law enforcement can track, seize or freeze ransomware crime proceeds to keep Australia a “hard target” for cybercrime gangs.

The reforms include introducing mandatory ransomware incident reporting to the Australian Government, an offence for all forms of cyber extortion, an aggravated offence for cybercriminals seeking to target critical infrastructure, and modernising legislation to ensure that cybercriminals are held to account for their actions, and law enforcement is able to track and seize or freeze their ill-gotten gains.

“Cybercriminals use ransomware to do Australians real and long-lasting harm. In response, the Australian Government is taking concrete action to protect Australians, including working with our international and business partners to combat this global threat,” the plan says.

Today’s outline follows a new bill put forward by Shadow Assistant Minister for Cyber Security Tim Watts making it compulsory that companies intending to pay a ransomware demand inform the Australian Cyber Security Centre.

Labor has been calling for a national ransomware strategy coordinating government action aimed at reducing the volume of attacks. Payment notification is “far from a silver bullet” but is a crucial first step, Mr Watts told parliament.

The Insurance Council of Australia (ICA) has backed the plan.

“The ICA supports the reporting of ransomware payments which allows clearer identification of risk,” a spokeswoman told insuranceNEWS.com.au on Tuesday. “Government policy guidance around ransomware coverage would enable the insurance industry to provide cyber cover aligned with the Government’s broader policy goals in this area.”

Ransomware attacks have affected media firm Nine Entertainment, UnitingCare Queensland hospitals, The Eastern Health hospital network in Victoria, brewer Lion, the NSW Labor party, Toll logistics, Bluescope, PRP Diagnostics, Regis Healthcare, Law In Order, Carnegie Clean Energy, coffee roaster Segafredo Zanetti, Taylors Wine and meat producer JBS Foods, which paid $11 million.

To help enforce the new legislation, the Government has launched a multi-agency operation targeting cyber crime groups, both in Australia and overseas, spearheaded by the Australian Federal Police.

The plan comes a day after a critical report from the Cyber Security Cooperative Research Centre (CSCRC) which said cyber insurers should be banned from making “ransom or extortion” payments and that there were “pitfalls and perils” to cyber insurance as it may make organisations “lax in their approach to managing cyber security.”

The insurance industry hit back, pointing out that clients make decisions on payment of ransoms, not insurers, and having access to insurer-provided experts gives the best possible chance of not having to pay a ransom.

Globally, it is estimated that there is a ransomware attack on a business every 11 seconds, with ransomware damage losses projected to reach US$20 billion ($27.4 billion) this year. The Government launched its 2020 Cyber Security Strategy a year ago, on which it is spending $1.67 billion over 10 years.

See the Ransomware Action Plan here.