Endpoint Security , Fraud Management & Cybercrime , Ransomware
Australia Plans Ransomware Attack Reporting RequirementRansomware Action Plan Features New Criminal Penalties and Victim Assistance
Australia plans to require larger businesses to report ransomware attacks to the government, as part of a comprehensive strategy that also includes new criminal penalties and assistance for victims.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The government released its 16-page Ransomware Action Plan as Australian businesses, school districts, hospitals and other organizations continue to be hammered by ransomware. But some components of the plan would need to be passed by Parliament, which has only four sitting weeks left this year. Also, a federal election must be held by May 2022, which could delay passage.
Labor member of Parliament Tim Watts has been calling for a national ransomware strategy since February. In a joint statement with Labor Sen. Kristina Keneally, Watts says it's good the government has acted but it should have taken action sooner (see Australia Considers Mandating Ransom Payment Reporting).
The government has "failed to act for months despite an onslaught of attacks against Australian organizations this year including multiple health and hospital networks, the Nine Network, and JBS Meats, our biggest meat supplier," Watts says.
Dozens of Australian organizations have been hit by ransomware, and some victims are known primarily because attackers frequently dump stolen data publicly to increase the pressure on victims to pay. The problems caused by ransomware have also forced some businesses to make public statements about how and why they have been disrupted, further bring such attacks to light.
But like elsewhere in the world, the full scope of the problem in Australia is unknown due to a lack of complete information about who's fallen victim. Accordingly, Australia's new action plan requires organizations with annual revenue of more than 10 million Australian dollars ($7.3 million) to report any ransomware incident.
The reporting requirement is intended to help the government "better support" victims of ransomware and understand the threat, according to a news release from Home Affairs Minister Karen Andrews.
The ransomware plan also emphasizes that the government does not condone paying a ransom.
"Paying ransoms is critical to the ransomware perpetrators' business model and will make Australia a more attractive target for criminals," it says. "Paying a ransom does not guarantee a successful outcome - encrypted systems may not be restored, sensitive data may be released or sold to other perpetrators and victims may be targeted multiple times."
Banning ransomware payments has been suggested as one tactic for battling such crime. But critics of the idea say paying may be the only option for some organizations, which would otherwise be forced to go out of business. It also means that victims could be potentially punished twice: once by cybercriminals who disrupt their systems, and then again by prosecutors if they opt to pay a ransom, rather than turn out the lights.
Australia's moves come as White House National Security Council launched a two-day meeting on Wednesday with more than 30 countries to develop ways to better fight ransomware. Notably not on the guest list: Russia, where many experts believe many ransomware-wielding attackers live, as well as China.
The goal of the White House meeting, which is being held virtually, includes fostering closer law enforcement ties, addressing the role of cryptocurrency in ransomware payments and improving diplomatic efforts. (see US Convenes Global Ransomware Summit Without Russia).
New Criminal Penalties
In terms of Australia's approach, one arm of the new action plan includes a proposal for stricter criminal penalties for anyone who launches a ransomware attack. The government also wishes to introduce a standalone criminal offense for cyber extortion.
The plan also calls for developing aggravated offenses for attacks against Australia's critical infrastructure. The measure would be regulated by the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
The action plan mentions the May security incident involving Colonial Pipeline Co. in the U.S., in which the company shut down its petroleum pipeline as a safety precaution following a ransomware attack (see Colonial Pipeline CEO Confirms $4.4 Million Ransom Payment).
Another prong of the plan would ensure that Australian law enforcement can "track, seize or freeze ransomware gang's proceeds of crime." The use of cryptocurrencies such as bitcoin and monero have helped fuel the success of ransomware schemes.
While those cryptocurrencies can be difficult to trace, it is not impossible, and private companies such as Chainalysis have aided U.S. government agencies such as the IRS in investigations. Also, close monitoring of cryptocurrency exchanges, where the virtual currency can be turned in cash, also pose opportunities for investigators.
Domestic law enforcement will also increase its focus on ransomware. A multi-agency task force called Operation Orca will be created and run by the Australian Federal Police.
Australia's spies are set to get a piece of the action too. The government intends to use the Australian Signal Directorate's "offshore offensive cyber capabilities to disrupt foreign cybercriminals targeting Australian households and businesses."
The ASD is Australia's equivalent to the U.S. National Security Agency. The government has previously tasked ASD with running offensive cyber operations, which has included disrupting terrorism-related activity and overseas cybercriminal groups (see Combating Ransomware: Lawmaker Wants Spies 'Hacking Back').
Another part of the action plan is helping Australian organizations better defend themselves against ransomware.
Such efforts are already underway. The Australian Cyber Security Centre has produced the Ransomware Attacks - Prevention and Protection Guide as well as Emergency Response Guide. In December, the ACSC also launched a campaign called Act Now, Stay Secure, which provides advice for dealing with ransomware.
"Strengthened response mechanisms for ransomware victims will help protect Australia and reduce the incentive to pay ransoms," the report says.