New Criminal Penalties, Assistance to Victims in the Ransomware Action Plan
Australia plans to require larger businesses to report ransomware attacks to the government, part of a comprehensive strategy that also includes new criminal penalties and assistance to victims.
The government released its 16-page Ransomware Action Plan as Australian businesses, school districts, hospitals and other organizations continue to be hammered by ransomware. But some components of the plan would need to be passed by Parliament, which has only four sitting weeks left this year. Also, a federal election must be held by next May, which could delay passage.
Labor member of Parliament Tim Watts has been calling for a national ransomware strategy since February. In a joint statement with Labor Sen. Kristina Keneally, Watts says it’s good the government has acted but it should have occurred sooner (see Australia Considers Mandating Ransom Payment Reporting).
The government has “failed to act for months despite an onslaught of attacks against Australian organizations this year including multiple health and hospital networks, the Nine network, and JBS Meats, our biggest meat supplier,” Watts says.
Dozens of Australian organizations have been hit by ransomware, and some victims are known primarily because attackers frequently dump stolen data publicly to increase pressure. The problems caused by ransomware have also forced some businesses to make public statements about the disruption.
But like elsewhere in the world, the full scope of the problem in Australia is unknown due to a lack of data. Australia’s plan requires organizations with more than AU$10 million in annual revenue (US$7.3 million) to report an incident.
The reporting requirement is intended to help the government “better support” victims of ransomware and understand the threat, according to a news release from Home Affairs Minister Karen Andrews.
The ransomware plan also emphasizes that the government does not condone paying a ransom.
“Paying ransoms is critical to the ransomware perpetrators’ business model and will make Australia a more attractive target for criminals,” it says. “Paying a ransom does not guarantee a successful outcome – encrypted systems may not be restored, sensitive data may be released or sold to other perpetrators and victims may be targeted multiple times.”
Banning ransomware payments has been suggested. But critics of the idea say organizations may have no other option than to pay or go out of business. It also means that victims could be potentially punished twice: once by cybercriminals, and then again by prosecutors.
Australia’s moves come as the White House National Security Council launched a two-day meeting on Wednesday with more than 30 countries to develop ways to better fight ransomware. Neither Russia, widely believed to harbor ransomware gangs within its borders, nor China was invited.
The goal of the meeting includes fostering closer law enforcement ties, addressing the role of cryptocurrency in ransomware payments and improving diplomatic efforts (see US Convenes Global Ransomware Summit Without Russia).
New Criminal Penalties
One arm of the Ransomware Action Plan includes a proposal for stricter criminal penalties for executing ransomware attacks. The government also wishes to introduce a stand-alone criminal offense for cyber extortion.
The plan also calls for developing aggravated offenses for attacks against Australia’s critical infrastructure. The measure would be regulated by the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
The action plan mentions the attack against Colonial Pipeline Co. in the U.S. in May, which caused the company to shut down its petroleum pipeline as a safety precaution following a ransomware attack (see Colonial Pipeline CEO Confirms $4.4 Million Ransom Payment).
Another prong of the plan would ensure that Australian law enforcement can “track, seize or freeze ransomware gang’s proceeds of crime.” The use of cryptocurrencies such as Bitcoin and Monero has fueled the success of ransomware schemes.
While those cryptocurrencies can be difficult to trace, it is not impossible, and private companies such as Chainalysis have aided U.S. government agencies such as the IRS in investigations. Close monitoring of cryptocurrency exchanges, where virtual currency can be converted into cash, also offers opportunities for investigators.
Law enforcement will also dedicate specific attention to ransomware. A multi-agency task force called Operation Orca will be created and run by the Australian Federal Police.
And Australia’s spies will get a piece of the action. The government intends to use the Australian Signals Directorate’s (ASD) “offshore offensive cyber capabilities to disrupt foreign cybercriminals targeting Australian households and businesses.”
The ASD is the equivalent of the U.S. National Security Agency. The government has previously allowed the ASD to run offensive cyber operations, which have included disrupting terrorism-related activity and overseas cybercriminal groups (see Combating Ransomware: Lawmaker Wants Spies ‘Hacking Back’).
Another part of the action plan is helping Australian organizations better defend themselves against ransomware.
That has already been under way. The Australian Cyber Security Centre (ACSC) has produced the Ransomware Attacks – Prevention and Protection Guide and the Emergency Response Guide. In December, the ACSC also launched a campaign called Act Now, Stay Secure, which provides advice for dealing with ransomware.
“Strengthened response mechanisms for ransomware victims will help protect Australia and reduce the incentive to pay ransoms,” the report says.