Ransomware attacks have been making headlines this year following a spate of high-profile attacks on critical infrastructure globally. Operations as diverse as Ireland’s healthcare system, a major US oil pipeline and meat supplier JBS have all been targeted and impacted by ransomware. Australia is not immune from these attacks either, with the NSW Labor party suffering a high-profile ransomware attack in May.
But what is ransomware, and why is it suddenly so prevalent? This article examines recent trends in ransomware, explores various ransomware models, considers the legality (and ethicality) of paying a ransom and details some strategies companies can use to help protect themselves from ransomware attacks.
What is Ransomware?
The Australian Cyber Security Centre (ACSC) defines ransomware as a type of malicious software (malware) that, once inside your device, makes your files or device itself unusable by locking or encrypting them. Once the files or device are locked or encrypted, a ransom is demanded to ‘unlock’ / decrypt them. The amount varies depending on the value of the files / device that are locked or encrypted, but ransomware demands typically require payment in a cryptocurrency. Ransomware is often designed to spread across a network and target database and file servers so it can spread quickly and paralyse an entire organisation.
Ransomware can affect both individuals and organisations, and has the potential to cause severe damage. It can also damage reputations and be very costly to fix.
Is Ransomware really that big a deal?
In 2020, ransomware attacks represented 41% of all cyber insurance claims filed with Coalition, a major US insurance provider. Coalition found that the average ransom demanded increased in value by 100% from 2019 to Q1 2020, and another 47% (to an average of USD $338,669) from Q1 to Q2 2020. Aon similarly reported that cyber insurance premiums were up 27% from the start of April to mid-May 2021 compared to last year’s levels.
The federal government has taken note, and is considering the introduction of a mandatory ransomware notification scheme (which is expected to be similar to the notifiable data breach scheme already in effect under the Privacy Act 1988 (Cth)), together with the potential introduction of personal liability for company directors in the event of a cyber-attack (see further below). Labor has also made movements in this regard, with Assistant Shadow Minister for Communications Tim Watts MP introducing the Ransomware Payments Bill 2021 (the Bill) to the lower house on 21 June 2021. The Bill is very brief and seeks to create a requirement on entities who make ransomware payments to report details of such payments to the ACSC – see below for more details.
While a company’s bottom line and insurance premium will likely take a hit after a ransomware attack, there is some evidence to show that data breaches often have a limited effect on a company’s stock price. One academic study found that, in respect of the majority of cyber incidents publicly disclosed by listed US companies, the disclosing company’s stock only dropped by 1.3% in the first 3 days post disclosure when compared to their peers, and after 2 weeks their stock had recovered. However, these findings reflect an average assessment only. As always, there will be outliers whose situation makes them particularly vulnerable to negative publicity surrounding a data breach. With the increase in scope and frequency of ransomware attacks, long term damage to a company’s reputation, as well as its share price, is an increasing possibility that companies are becoming acutely aware of.
Ransomware attacks are no longer the preserve of disaffected individuals, with many attackers adopting structures and business models similar to legitimate small businesses. Some of the new models being adopted by these attackers are truly innovative. For example:
Ransomware-as-a-Service (RaaS)
The Ransomware-as-a-Service business model is very similar to the Software-as-a-Service (SaaS) model. Individuals or groups (Operators) create ransomware software. They then recruit hackers (or Affiliates) who have access to systems that the Operator considers good targets for ransomware. The Operators of these RaaS businesses in many cases run them like a legitimate small business, offering support hotlines and websites for publicising attacks. This system is advantageous to both parties – the Affiliates gain an easy way to monetise their hacks without being required to develop code for their own malicious software, and the Operators earn relatively easy money by providing the ransomware without needing to penetrate the target systems themselves.
Ransom and Digital Extortion (RaDE)
RaDE is the logical progression of the RaaS model. Affiliates who extract sensitive information from the target system before deploying the ransomware can increase the ransom demand by extorting the targeted company with threats of releasing the sensitive information. This can be especially problematic in light of mandatory data breach notification obligations. The existence of the RaDE model may lead to the presumption that sensitive information has been compromised when a ransomware attack is launched.
Is paying a ransom legal?
Australia does not currently have any laws that explicitly prohibit the payment of ransomware demands. However, there are some laws and proposed regulatory frameworks that companies considering paying a ransom should consider, including the following:
Criminal Code Act 1995 (Cth) (CCA)
Division 400 of the CCA deals with money laundering, and is the most likely offence to apply to a company planning to pay a ransom (other than any sector specific laws). Under these provisions a person commits a criminal offence if they:
- deal with money or property;
- where there is a risk that the dealing will become an instrument of crime; and
- they are reckless or negligent as to whether the money will be used as an instrument of crime.
Any hacker demanding a ransom as part of a ransomware attack will have committed one or more criminal offences. While it is possible that a hacker who asks for a ransom will use the proceeds of their crime in an entirely non-criminal fashion, it is at least possible that hackers will continue to carry out ransomware attacks, using at least some of the money received as ransom to fund equipment and services to be used in future attacks. While in many cases companies paying a ransom will have no explicit knowledge of what the ransom money will be used for, if an organised gang of hackers claims responsibility for an attack there is a clear risk that the ransom funds will become an ‘instrument of crime’ to facilitate the carrying out of future offences.
A possible defence to this offence is that of duress. The defence of duress would require the ransom payer to believe that:
- the hacker’s threat will be carried out unless an offence is committed;
- there is no reasonable way the threat can be rendered ineffective; and
- the payment of the ransom is a reasonable response to the threat.
In the case of an attack where the only threat is the loss of the victim’s data (with no threat of sensitive confidential information being released), and there is the possibility of restoring the system from a backup (even where onerous or expensive), it is hard to see how the second limb of this test could be met. Even if the victim was also threatened with the release of sensitive information which would adversely impact their business, they are in a vastly different position to, for example, that of a person paying a ransom to save the life of a kidnapped family member. This may make the ‘reasonable response’ limb of the defence hard to meet, especially as there is currently no mechanism for seeking prior approval of a ransom payment before it is made.
Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML CTF Act)
It is an offence to intentionally make funds available to an organisation (whether directly or indirectly) if that organisation is a terrorist organisation and the offender knows, or is reckless as to whether, the organisation is a terrorist organisation. The AML CTF Act requires entities to report ‘suspicious matters’ to the Australian Transaction Reports and Analysis Centre when that entity has reasonable grounds for suspicion in relation to that matter. The ambit of suspicious matters is very broad and is taken to include matters that may be relevant to the investigation of offences relating to financing terrorism or money laundering.
While it is unlikely paying a ransom would cause a company to breach these laws, companies paying a ransom should consider what they know of the entity demanding a ransom and determine whether payment to such an entity would be a reportable suspicious matter.
Ransomware Payments Bill 2021
The Bill reflects a small part of Labor’s larger National Ransomware Strategy released earlier this year. While not yet law (and perhaps realistically only likely to be implemented under a Labor-led Australian Government), the Bill provides some insight into current thinking around ransomware regulation.
The Bill seeks to require entities who make ransomware payments to report details of these payments to the ACSC. Such notification must set out:
- the name and contact details of the entity;
- the identity of the attacker (or any information known about the attacker by the entity); and
- a description of the ransomware attack, including the cryptocurrency wallet to which payment was requested to be made, the amount of the ransom paid, and any ‘indicators of compromise’ known to the entity.
The Bill stipulates a civil penalty of 1,000 penalty units for failure to notify the ACSC ($1,110,000 for bodies corporate). Disclosing entities are protected from having evidence used against them in criminal proceedings, except for proceedings under sections 137.1 or 137.2 of the CCA (relating to false or misleading information and documents).
The ACSC can disclose any of the information contained in the notification to any person (including to the public at large) for the purpose of informing those persons of the current cyber security threat environment. To the extent that personal information is included in the notification, it must be deidentified. The ACSC can also share the information (without deidentification) to any Commonwealth, State or Territory agency for law enforcement purposes. Relevantly for businesses, the ACSC would always be able to share publicly that an entity made a ransomware payment.
Proposed personal liability for company directors
Home Affairs Minister, Karen Andrews, recently noted that cyber-attacks create a significant handbrake on economic growth and digital security in Australia. To combat this, the federal government has been in conversation with industry about the potential introduction of extra responsibilities for directors of large Australian companies for lapses in cyber-security, similar to those already in place for workplace health and safety breaches. It is not yet clear what form these responsibilities will take, and whether they will be managed via a mandatory or voluntary regime.
The federal government has opened consultation on options for these regulatory reforms, with interested stakeholders encouraged to provide a submission to the discussion paper via this submission form before 11:59pm on Friday 27 August 2021.
Should paying a ransom be illegal?
The case for legality
Proponents of maintaining the legality of ransom payments point out that banning ransom payments could create a game of chicken where criminals would be incentivised to target companies least able to afford downtime (such as hospitals, schools, energy providers and other critical infrastructure operators) in order to maximise the likelihood they get paid. There would be very little to lose by doing this, with the risks to the public and society being great.
Even if companies have uncompromised backups, and so theoretically need not pay a ransom to restore their systems or data, restoration from backups may not be practical. For example, in the case of the Colonial pipeline ransomware attack, the CEO made the decision to pay the ransom due to the criticality of the infrastructure affected and a lack of certainty over how badly Colonial’s systems were breached or how long it would take to bring them back online. Criminalising the payment of a ransom could result in longer disruptions to critical infrastructure as a result of the inability of the ransomware victim to quickly restore their systems via payment of the ransom. Criminalising ransom payment may also force companies that cannot afford to be without their systems to choose between bankruptcy or the payment of a ransom in secret. A company secretly paying a ransom would be at the mercy of the perpetrators of the attack, who could extort the company (using a RaDE model) for more money by threatening to reveal the illegal ransom payment.
The case for illegality
The ACSC recommends that victims of ransomware attacks do not pay a ransom as there is no guarantee that paying a ransom will unlock their systems. It argues that payment of a ransom may even increase vulnerability to future attacks by demonstrating ‘weakness’. Instead, they recommend restoring files from a backup and seeking further advice relating to the attack. Of course, this approach is only viable if the victim has a backup from which to restore the data.
The main argument for making ransom payments illegal is that paying a ransom creates a revenue stream for the perpetrators of the attack. It incentivises criminal behaviour. For this reason, the FBI does not recommend paying ransoms. Every ransom dollar paid increases the capacity, and incentive, to carry out further attacks. Jurisdictions, and companies, that pay ransoms may even be targeted multiple times as they are seen as attractive targets.
Any plan to make the paying of ransoms illegal will need to ensure there are well thought out victim-support mechanisms in place to help companies who suffer a ransomware attack. Large insurers have come out in strong support of a ban on ransom payments as it means they would no longer have to provide coverage for ransom payments. However, for a ransom ban to succeed, governments will need to provide companies with sufficient resources and support to be able to prevent, or adequately endure, ransomware attacks.
Won’t insurance pay for it?
As stated above, the frequency of ransomware attacks, and the amounts being demanded, are rapidly increasing. As a result, in the near future (and, in some cases, currently) insurers may cease to provide cover for ransomware attacks (or will increase their premiums so substantially as to make the insurance unviable). Similarly, some insurers appear to have come under pressure from government to disincentivise the payment of ransoms. For example, AXA recently ended its ransomware coverage policies in France due to a request from the French government.
Some insurers have also started requesting new evidence and validation from policyholders to prove that their security controls are adequate. This is a complex process, and many insurers still rely on self-attestation. However, as insurers move to a more data-driven model, this may translate into third-party audits of large companies before an insurer will underwrite its policy.
Insurance companies are also at a disadvantage as the amount they are paying out is often the amount covered by the policy. This is because the perpetrators of ransomware attacks already have access to a victim’s system and many search through the victim’s emails for evidence of a cyber insurance policy. If they find one, they can tailor their ransom demand to the maximum coverage amount under the policy. This maximises both the amount they receive and the likelihood of receiving it.
How can companies protect themselves?
Many ransomware attacks are not targeted, but apply a scattergun-type approach – searching for companies with weak security controls to attack. Many systems are compromised due to poor password management or lack of multi-factor authentication (MFA). Hackers will often trawl the web searching for systems they can access using simple passwords, such as ‘password’. The best way to protect against these attacks is to strengthen your company’s cyber security controls.
The FBI and ACSC recommend the following actions to strengthen cybersecurity controls against ransomware:
- Keep operating systems, software, and applications current and up to date, ensuring that automatic updates are turned on
- Turn on MFA
- Implement access controls that control who can access what on your devices
- Make sure anti-virus and anti-malware solutions are set to automatically update and run regular scans
- Turn on ransomware protection if available for your system
- Back up data regularly and double-check that those backups were completed
- Secure your backups. Make sure they are not connected to the computers and networks they are backing up
- Create a continuity plan in case your business or organization is the victim of a ransomware attack
- Remain vigilant and informed about the threat environment – the ACSC offers a free alert service to help maintain vigilance that notifies registered entities of when a new cyber threat is identified
You can find more information on how to prepare yourself for a cyber incident in our article, ‘Can you hack it? Are you prepared for a cyber incident?’