Published on the 06/08/2024 | Written by Heather Wright
Threat of fines for failure to disclose could be on cards…
The Australian government is hoping to push the burgeoning area of ransomware payments into the light with laws to force companies to disclose all ransom payments – and face fines for failing to do so.
If it becomes law, the Cyber Security Act, which is expected to be brought before parliament in its next sitting, would require businesses with an annual turnover of more than AU$3 million to disclose any ransom payments. If they don’t, they could face fines of $15,000 or more.
“Billions of dollars in ransoms is being paid and criminal gangs are reinvesting that money.”
The scheme will be a ‘no-fault scheme’ with the promise that the information won’t be passed along to regulators to use in prosecutions. It doesn’t, however, rule out regulators gathering the information from elsewhere for prosecutions.
The move is likely a forerunner to further action to stamp out ransom payments.
Clare O’Neil, who was Minister for Home Affairs and cybersecurity minister until last month’s cabinet reshuffle, has previously touted the implementation of a complete ban on ransom payments.
Last November she said consultation on Australia’s cyber security strategy had provided a clear message to government that ‘people understand we are ultimately going to need to ban ransom payments in this country, but we haven’t done the hard work to prepare the country to manage the impacts of that’.
The starting point, O’Neil said, was to build a clear picture of the issue first, in order to be ‘in a position to consider the next step of making ransomware payments illegal’.
She recently told ABC that people were paying criminals money ‘in the darkness’ and behind closed doors.
“It is believed that in the Five Eyes countries alone [Australia, New Zealand, Canada, the United Kingdom and the United States] literally billions of dollars in ransoms is being paid and criminal gangs are reinvesting that money… to attack us again,” she says.
The Australian Cyber Security Centre’s (ACSC) 2022-23 Annual Cyber Threat Report noted ransomware attacks were up nearly 500 percent since the start of the Covid pandemic.
Australian telcos, healthcare and financial companies have all been targets of major ransomware attacks, with high profile attacks including Optus, Medibank, MediSecure and Latitude Financial and law firm HWL Ebsworth.
A 2022 Small Business Association of Australia report said roughly a third of Australian businesses hit with a ransomware attack chose to pay, with an average amount of roughly $1.25 million, according to Crowdstrike figures.
More recent research from Cohesity, a data security and management vendor, claims 60 percent of the more than 500 Australian IT and security decision-makers said their company would be willing to pay more than US$1 million in ransoms to recover data and restore business processes.
Most respondents said they had suffered a ransomware attack in the past six months and of those, most said they paid the ransom.
Paying the ransom, however, is no guarantee of success. Change Healthcare, a US healthcare technology company, reportedly paid hacker organisation BlackCat – also known as ALPHV – US$22 million in Bitcoin following an attack in February.
At a hearing before US Congress in May, UnitedHealth Group CEO Andrew Witty admitted that Change Healthcare didn’t get its data back. Sensitive data was leaked with others reportedly extorting the company for even more money.
Some industry groups in Australia have called for the turnover threshold for the ransomware payment disclosures to be higher.
The Australian Chamber of Commerce and Industry, which says ransomware attacks are the biggest cyberthreat facing Australian businesses and government, has called for the figure to be AU$10 million.
In its response to the 2023-2030 Australian Cyber Security Strategy Discussion Paper, it said its members ‘are inclined to support a prohibition on the payment of ransoms’ though noting it was difficult to provide relevant recommendations without the government clarifying its position, and that there are a range of practical issues that warrant further consideration.
Included in the Cyber Security Act is a ‘limited use provision’ preventing the Australian Signals Directorate and the ACSC from sharing information more widely, ‘except in narrow circumstances’.
“We are not blaming businesses when they are subjected to a crime. They are victims of a crime,” O’Neil told ABC.
“What we need here is for business to be able to trust and be transparent with specific parts of government when they are under cyberattack.”