Ransomware payment reporting to be made mandatory under “Cyber Security Bill 2024”
22 Nov 2024, by Slade Baylis
Ransomware is something that we touch on regularly, as it’s one of the most profitable attacks that malicious actors can use to extract value out of their victims. One of the reasons for this is that the effectiveness of the attack scales with the importance of the data they’re able to get access to and encrypt.
When cybercriminals get access to an individual’s data, they may potentially lose access to some of their documents and photos, but most people will choose to accept that loss rather than pay a ransom. With corporate data however, a lot more is potentially on the line when their data is stolen. In what is termed “big game hunting” – where hacking groups go after large organisations specifically - not only is the loss of the data a risk from a breach, but reputational damage, governmental fines, and litigation from customers are all potential outcomes which all could do significant damage to an organisation.
What this results in is large incentives for these organisations to pay out the demanded ransoms, with the hope that they will be able to avoid some of these outcomes. Whilst not guaranteed, they hope that they will be able to get access back to their data, that the breach will not be disclosed, and that they will be able to avoid the public humiliation of having it be known that they were breached.
However, this all may be changing in the near future, as the Australian Government has introduced new legislation - originally proposed back in 2021 - to put in reporting requirements on organisations that are breached.
What is the “Cyber Security Bill 2024”?
With all this on the line, it shouldn’t be much of a surprise to know that a large percentage of organisations do choose to pay when faced with a ransom demand. The cost of paying a ransom can often be considerable. However, when compared with the cost of rebuilding or recovering systems, or the cost of losing data entirely, an easy case can be made that the ransom price is worth it. This is one of the things that has prompted the government to introduce the first standalone cybersecurity bill last month, aimed at protecting consumers and businesses form the cybercrime, called the Cyber Security Bill 2024.
The measures were originally proposed back in 2021 in a comprehensive ransomware action plan released by the federal government, which was created in response to a rise in the number of ransomware incidents. As reported by IT News1, the “mandatory ransomware incident reporting” regime was at the top of their list to implement, with the aim to enhance government “understanding of the threat and enable better support to victims”. That proposed legislation has now been introduced to parliament, which – if passed – would require victims of ransomware attacks who make payments to report the payment to authorities.
The laws would also include obligations on the ASD (Australian Signals Directorate) and National Cyber Security Coordinator, restricting how this information provided to them can be used. As reported by The Conversation2, the government hopes that this new legislation - in combination with the obligations on the ASD - will help them track cybercriminal activities, understand how much money is being lost to ransomware, as well as “encourage organisations to more openly share information, knowing it will be safeguarded”.
In addition, part five of this Cyber Security Bill 2024 establishes the CIRB (Cyber Incident Review Board) as an independent review body. This board will be tasked with conducting no-fault investigations after significant cyberattacks, including possessing the ability to compel information from entities involved in a cybersecurity incident, but only where voluntary requests for information have been unsuccessful. From these investigations, insights would be shared with the Australian Government and industry at large about what improvements could have been made to prevent the breach, anonymised for the protection of the victims involved.
The potential future criminalisation of ransomware payments
Back in late 2022, the federal government announced that it was considering introducing new laws to make it illegal for organisations to pay ransomware demands3. With that being the case, these mandatory reporting requirements may potentially only be the beginning.
It’s no secret that the primary reason for the prevalence of ransomware attacks is the number of organisations that do choose to pay out. If no organisations chose to pay, then cybercriminals would have much less funding to help them develop new and inventive ways of breaking into their next victim’s systems. It’s for this reason that the government is considering taking this next step and outright banning payments to cybercriminals in response to ransom requests.
Whilst an outright ban would mean that an individual victim would be restricted in how they can legally respond to such an attack and potentially be worse off, the hope is that it would reduce the number cybersecurity threats that Australians face overall.
However, there are many who oppose the outright banning of ransom payment. One large critique levelled against an outright ban is that it will likely fail to discourage cybercrime at all. The thinking there is that even with an Australia-wide ban, the developers and distributers of ransomware will continue to receive funding from international sources, resulting in the legislation effectively just punishing Australian businesses.
In some particularly bad cases, ransomware attacks can encrypt all the computers, data, and backups a company has. If these companies are prohibited from paying for their decryption, they may have no other way of continuing to operate.
Review your security posture and properly protect your backups
As with any cyberthreat, our recommendation is to conduct a full review and audit of your systems to ensure you’re as protected as possible. In addition, security services such as internal and external vulnerability scanning, Web Application Scanning (WAS), and penetration testing are great ways to know if you’re vulnerable to potentially being breached.
Looking to protect all your different end-points via EDR (Endpoint Detection and Response) services - and not just relying on anti-virus software – is also going to be important for protecting your systems. Check out our previous With 80% of malware evading antivirus applications, signature-based protection isn’t enough anymore article for more information on this.
Finally, making sure your systems are backed up securely is key, as implementing backups means that if your systems are ever breached, you’re not at the mercy of malicious third-parties and their “goodwill” in order to get your data back. Specifically, making sure your backups are configured in a way that they themselves aren’t vulnerable to attacks that look to move laterally through your infrastructure is crucial. If your backups aren’t isolated from the systems they’re backing up, it’s possible and even likely that they too will be compromised if one of your systems gets breached!
Have any questions about how best to protect your systems from ransomware?
If you’re concerned about ransomware and would like to discuss options about how to better protect your systems and data, let us know! We’re happy to take a look at your environments and provide specific guidance on how things can be improved.
You can reach us via email at sales@micron21.com or via phone at 1300 769 972 (Option #1).
Sources
1, IT News, “Gov brings cyber security bill before parliament”, <https://www.itnews.com.au/news/government-plans-mandatory-reporting-new-offences-for-ransomware-crackdown-571184>
2, The Conversation, “The Australian government has introduced new cyber security laws. Here’s what you need to know”, <https://theconversation.com/the-australian-government-has-introduced-new-cyber-security-laws-heres-what-you-need-to-know-240889>
3, Clifford Gouldson Lawyers, “The Criminalisation of Ransomware Payments”, <https://www.cglaw.com.au/the-criminalisation-of-ransomware-payments/>
