The government has announced a new ransomware action plan, which it says will protect businesses, individuals and critical infrastructure from this increasingly prevalent threat.
The Australian Government Ransomware Action Plan will include new criminal offences, tougher penalties and a mandatory reporting regime for businesses with a turnover of over $10 million.
“Ransomware gangs have attacked businesses, individuals and critical infrastructure right across the country,” said Karen Andrews, Minister for Home Affairs.
“Stealing and holding private and personal information for ransom costs victims time and money, interrupting lives and the operations of small businesses.”
According to the Australian Cyber Security Centre’s recently released Annual Cyber Threat Report 2020-21, ransomware remains a significant threat to Australian businesses, and a shift in attacker tactics means the threat is intensifying. At the same time, a new survey from the Australian Institute of Criminology of around 15,000 Australian computer users found that SME owners were twice as likely as other respondents to have been the victim of a ransomware attack in the past year, and were more likely to have paid the ransom.
Ransomware attacks can be a ‘double whammy’ for businesses: attackers now commonly steal a copy of the company’s data before encrypting its files, so that even if the ransom is paid they can still leak or sell that private data on the dark web, or use it to demand a second payment.
Measures under the action plan
- Introducing a new stand-alone aggravated offence for all forms of cyber extortion to ensure that cybercriminals who use ransomware face increased maximum penalties.
- Introducing a new stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure.
- Criminalising the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence.
- Criminalising the buying or selling of malware for the purposes of undertaking computer crimes.
- Modernising legislation to ensure that cybercriminals won’t be able to realise and benefit from their ill-gotten gains.
“Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most – their bank balances,” said Minister Andrews.
Reporting a benefit to businesses
Meanwhile, part of the plan will involve the government developing a mandatory ransomware incident reporting regime, likely for businesses with a turnover of over $10 million.
The government says this measure is not meant to be a burden on businesses, but a benefit. It is designed to improve the government's understanding of the threat and to better support those who have been victims of such an attack.
The government will now consult further with the community, industry and interested stakeholders on the mandatory reporting regime as well as the new criminal offences.
For businesses, it’s also worth noting that the plan makes clear the government does not condone ransom payments to cybercriminals. There is no guarantee that attackers will restore data, stop their attacks, or refrain from leaking or selling the stolen data, the report says.
The report also recommends stronger responses to reduce the incentive to pay ransoms.
"Strengthened response mechanisms for ransomware victims will help protect Australia and reduce the incentive to pay ransoms. Ransomware perpetrators should not be rewarded for their actions. Effective response initiatives must adopt a nationally consistent approach which provides incentives to victims to consider alternatives before paying ransoms," the report says.
Key insights to remember:
- Cybercriminals cannot be trusted. There is no guarantee that paying a ransom will ‘fix’ the situation.
- Cybercriminals who have already accessed your financial records have ‘inside’ information about your business's financial health and its capacity to pay, so claiming an inability to pay may do you further harm.
- Paying a ransom can lead to more attacks in the future – if you pay once, you’re likely to pay again.
If your business is faced with a ransomware attack the report recommends you visit cyber.gov.au for advice.