The threat of ransomware


Bernie Lai, Foreign Affairs, Defence and Security

Key issue

The ransomware threat is the most serious cybercrime threat to Australia, creating significant risks for both governments, businesses and individuals. During the 46th Parliament, both major parties released their respective strategies and introduced relevant law reforms to tackle this threat. The 47th Parliament is likely to see continued legislative and policy actions to address the problem, given the evolving nature of ransomware, the cost inflicted on its victims, and the practical difficulties involved in combating it. In particular, law enforcement agencies and businesses alike face shortages of qualified staff, while investigation and prosecution of offenders who can be based anywhere in the world, can have low prospects of success.

Cybercrime takes many forms, including identity crime, computer hacking, phishing, botnet activity, computer-facilitated crime, and cyber intrusion directed at private and national infrastructure. However, in 2021, the Australian Cyber Security Centre (ACSC) labelled ransomware as the most serious of the cybercrime threats to Australia due to its high financial impact and other disruptive impacts to victims and the broader community (p. 16).

Ransomware is malicious software used by threat actors to look for vulnerabilities in the IT systems of individuals or organisations and deny them access to their files or devices (by locking up, encrypting or exfiltrating data) until a ransom is paid. If a ransom demand is not met within the designated timeframe, then the threat actors may sell, publish or delete the exfiltrated data. This makes the threat of ransomware attacks both a national security and personal privacy issue.

The Morrison Government introduced a number of policy and law reform initiatives during the latter part of the 46th Parliament, some of which lapsed on prorogation. The Albanese Government’s appointment of the first dedicated Minister for Cyber Security, and its commitment to a ransomware strategy while in Opposition, suggest that this issue may again be on the agenda in the early months of the new Parliament.

Recent trends

The 2022 Verizon data breach investigations report found that the number of ransomware attacks worldwide increased by 13% over 2020–21, which represented a larger increase than the past 5 years combined (p. 7). Meanwhile, CrowdStrike Intelligence, apparently using a different methodology, observed an 82% increase in ‘ransomware-related data leaks’ from 1,474 instances in 2020 to 2,686 instances in 2021.

According to a survey conducted by Sophos, 66% of organisations worldwide were affected by ransomware attacks in 2021, which was up from 37% in 2020 and represented a 78% increase over a year (p. 3). This trend suggested that threat actors had become more adept at executing the most significant attacks at scale and likely reflected that the Ransomware-as-a-Service (RaaS) model was gaining traction (p. 3). With ransomware having evolved into a subscription service, the RaaS model allows ordinary criminals to purchase ransomware from skilled ransomware developers and conduct attacks without significant technical expertise.

Consistent with these global trends, ransomware attacks have also proliferated in Australia. The ACSC received almost 500 ransomware-related cybercrime reports in the 2020–21 financial year, which represented an increase of nearly 15% on the previous financial year. The ACSC attributed this increase to threat actors being more willing to extort money from particularly vulnerable and critical elements of society. Australia’s health sector has been a major target of ransomware attacks during the COVID-19 pandemic, as threat actors take advantage of the perceived willingness of health service providers to pay ransoms due to the health and safety risks to their patients.

Further, Cybersecurity Ventures predicted 5 years ago that the global cost of ransomware would be US$20 billion in 2021 and expects that number to increase to US$265 billion annually by 2031. In Australia, it has been said that ransomware incidents cost the Australian economy as much as $2.59 billion annually, with organisations reportedly paying on average $250,000 per incident.

Coalition Government’s Ransomware Action Plan

In October 2021, the Morrison Government published its Ransomware action plan (RAP), which outlined its strategic approach to combating the threat posed by ransomware. The RAP stated that the Morrison Government would:

  • introduce a mandatory ransomware incident reporting scheme to the Australian Government
  • introduce a new stand-alone offence for all forms of cyber extortion
  • introduce a new stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure (proposed in the Security Legislation Amendment (Critical Infrastructure) Bill 2020 [2021])
  • modernise legislation to ensure that cybercriminals can be prosecuted, and that law enforcement can track, seize or freeze their illegal profits.

Home Affairs Minister Karen Andrews also announced in a related media release that as part of the RAP, the Morrison Government would criminalise the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, as well as the buying or selling of malware to commit computer crimes.

The RAP also proposed a range of policy and operational responses to the ransomware threat including:

  • establishing the multi-agency taskforce, Operation Orcus, led by the Australian Federal Police to combat the ransomware threat
  • awareness training and clear advice for critical infrastructure, large businesses and small to medium enterprises on ransomware payments
  • joint operations with international counterparts to strengthen shared capabilities to detect, investigate, disrupt and prosecute malicious cyber actors who engage in ransomware
  • actively calling out states that support or provide safe havens to cybercriminals.

To implement some of the law reforms proposed in the RAP, in February 2022 the Morrison Government introduced the Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 (the Coalition’s 2022 Bill). The Bill did not introduce a mandatory ransomware incident reporting scheme as proposed in the RAP. It lapsed on prorogation of the 46th Parliament.

Labor’s National Ransomware Strategy discussion paper

In February 2021 the Labor Party in Opposition released a discussion paper calling for a National Ransomware Strategy (NRS) to reduce the attractiveness of Australian targets to cybercriminals (p. 6). It envisaged that the strategy would contain a range of initiatives to increase the costs of mounting campaigns against Australian entities and to reduce the returns realised from such campaigns by (pp. 8–19):

  • closing the ‘cyber enforcement gap’ by:
    • bolstering cybercrime data collection and publication to better inform policymakers and the public of the scale of the ransomware threat and the effectiveness of the law enforcement response in Australia
    • pushing for greater diplomatic and international cooperation to target ransomware threat actors. This would include through aggressive participation in joint international law enforcement operations and through regional cooperation in the Indo-Pacific to prevent the emergence of new countries that play host to ransomware affiliates (who pay for access to RaaS platforms from ransomware developers)
  • imposing sanctions on ransomware threat actors where enforcement is not possible
  • implementing a clear policy framework on offensive cyber operations that aims to impose costs on ransomware threat actors
  • reducing the returns on investments of ransomware attacks on Australian entities through:
    • imposing controls on ransomware payments
    • targeting rogue cryptocurrency exchanges that enable ransomware payments
    • hardening network security of Australia-based entities
  • introducing strategies to help both public and private sector entities in Australia improve their cyber resilience against the ransomware threat
  • appointing a dedicated minister with responsibility for cybersecurity to signal to adversaries that the Australian Government takes cybersecurity seriously.

In relation to the NRS’s proposal to impose sanctions on ransomware threat actors, it should be noted that the Autonomous Sanctions Amendment (Magnitsky-style and Other Thematic Sanctions) Act 2021 was enacted in December 2021. The Australian Government can now impose thematic sanctions to address ‘malicious cyber activity’ and ‘threats to international peace and security’, among other things. Of relevance is that in September 2021, the US Government imposed for the first time sanctions against a virtual currency exchange, SUEX, which was found to be responsible for facilitating ransomware payments to cybercriminals associated with at least 8 ransomware variants.

In June 2021, the Shadow Assistant Minister for Cyber Security, Tim Watts, introduced the Ransomware Payments Bill 2021 (Labor’s 2021 Bill), which proposed implementing a mandatory reporting scheme for ransomware payments. Labor’s 2021 Bill would require Commonwealth entities, state or territory agencies, and specified private sector entities who make ransomware payments to notify the ACSC of key details of the attack, the attacker and the payment. This information would be held by the ACSC and used to:

  • share de-identified information to the private sector through the ACSC threat-sharing platform
  • collect and share information that may be used by law enforcement
  • collect and share information to inform policymaking and to track the effectiveness of policy responses.

In August 2021, the Shadow Minister for Home Affairs, Kristina Keneally, introduced an identical Bill into the Senate as the Ransomware Payments Bill 2021 (No. 2). Both Bills lapsed on prorogation.

Key issues arising from the Ransomware Action Plan and the proposed National Ransomware Strategy

The then Shadow Assistant Minister for Cyber Security, who co-authored Labor’s NRS discussion paper, stated that the RAP ‘is totally different from’ the NRS. However, he also said that the RAP ‘has picked up many of the policy ideas’ from the NRS, which suggests there is some degree of similarity between both strategies and possibly some degree of bipartisanship on the ransomware threat. In any event, direct comparisons between the RAP and the proposed NRS should be made with caution, given that the RAP was a formal Australian Government plan while the NRS was an Opposition policy.

One of the key features of the RAP was its proposal to further criminalise ransomware-related conduct. In February 2022, the Coalition’s 2022 Bill sought to create new or aggravated offences as proposed in the RAP and increase the maximum penalty for some existing computer offences, among other things. The Parliamentary Library’s Bills Digest on the Coalition’s 2022 Bill notes that these proposed changes ‘represent an increase in the breadth and severity of computer-based offences in Part 10.7 of the Criminal Code [Criminal Code Act 1995] generally, rather than just those related to ransomware activity’ (p. 6).

Meanwhile, noting that prosecutions of ransomware cybercrimes under Commonwealth legislation are rare, Labor’s proposed NRS acknowledged the transnational nature of these crimes and that ‘the likelihood for law enforcement action is so low that it would have little impact on a ransomware crew’s decision to target an Australian organisation’ (p. 8). This might be why the NRS makes no mention of any proposals to create further offences or expand existing offences as proposed by the RAP.

Both the RAP and the proposed NRS had some similar features. Both policy initiatives advocated for increased participation in law enforcement operations with international counterparts to combat the ransomware threat. Both also shared a concern about threat actors’ use of cryptocurrency exchanges that enable ransomware payments. While the NRS proposed to explore with the US Department of Treasury ways of cooperating on international efforts in this regard (p. 17), the RAP sought to modernise legislation to allow law enforcement to tackle cryptocurrency transactions associated with the proceeds of ransomware crimes (p. 6). The Coalition’s 2022 Bill proposed expanding the application of various elements of the framework under the Proceeds of Crime Act 2002 to cryptocurrency exchanges, in addition to financial institutions (pp. 25–26).

Further, the mandatory ransomware incident reporting schemes proposed by the Coalition and Labor shared a notable feature that raised some media attention. Both the Coalition and Labor indicated that to reduce the compliance burdens for small businesses, the regime under either government would not be expected to apply to private sector organisations with an aggregate turnover of less than $10 million. However, this proposed reporting threshold may have implications for achieving the intended purposes of a reporting scheme.

In his second reading speech on Labor’s 2021 Bill, the Shadow Assistant Minister for Cyber Security said that ‘large businesses and government entities’ reporting their intentions to make ransomware payments would:

  • allow the signals intelligence and law enforcement agencies to collect actionable intelligence on where this money is going, so they could track and target the responsible criminal groups
  • help others in the private sector by providing de-identified actionable threat intelligence that they could use to defend their networks.

The Explanatory Memorandum for Labor’s 2021 Bill also stated that the purpose of excluding small businesses was to ‘ensure that ACSC has access to high-quality actionable intelligence from the mandatory disclosures’. However, as at June 2021, businesses with an aggregate turnover of $10 million or more comprised only 1.58% of all businesses actively trading in Australia, and therefore, 98.42% were ‘small business entities’ with a turnover of less than $10 million (as defined in section 328-110 of the Income Tax Assessment Act 1997). While those businesses with a $10 million or more turnover represent a high proportion of overall business activity, the exclusion of 98% of Australian businesses from the reporting scheme could mean that aggregated intelligence on the remaining fraction of the private sector would not necessarily give ‘a fuller picture of ransomware attacks in Australia’. Further, as the law firm Clyde & Co has posited:

It’s also a fallacy to assume that small businesses can’t afford to pay ransom demands (and therefore don’t) and so this won’t apply to them. Often – small businesses of this size have cyber insurance which typically covers ransom demands.

Indeed, both major parties acknowledge the ransomware threat to small businesses. In the RAP, the Coalition Government cited ‘taking from small businesses’ as an example of ‘cybercriminals [using] ransomware to do Australians real and long-lasting harm’ (p. 6). It then proposed ‘awareness training and clear advice for … small to medium enterprises on ransomware payments’ as part of its policy and operational response to the threat (p .6). Meanwhile, in the NRS discussion paper, Labor criticised the ‘lack of engagement’ by small (and medium) businesses with the importance of building cyber resilience against the ransomware threat- based on their low usage of the ACSC’s online guidance (pp. 17–18). Labor attributed this lack of engagement to the Coalition Government ‘not effectively communicating cyber security messages to the private sector entities’ (p. 18).

Mandating small businesses to report ransomware payments would be a rather indirect way of addressing any systemic lack of cyber resilience awareness in the private sector, especially where its root cause relates to education and government communication of cybersecurity messages. Even so, it may well be a missed opportunity for the Australian Government to expand the threat intelligence base that would better inform law enforcement, diplomacy and offensive cyber operations if it decided to exclude those ‘disengaged’ small businesses from a ransomware incident reporting scheme due to anticipated regulatory burdens. However, for the scheme to be an effective source of threat intelligence, resourcing of the ACSC as the scheme’s regulator would also be a relevant consideration – regardless of the reporting threshold.

A similar issue is being explored in the ongoing review of the Privacy Act 1988, which contains a mandatory data breach notification scheme and generally does not apply to businesses with an annual turnover of less than $3 million, which comprised about 95.26% of all Australian businesses as at December 2021 (p. 48). According to the Privacy Act review – discussion paper (pp. 40–49), there was a high level of interest from a diverse range of stakeholders who provided submissions on the small business exemption issue. Submitters who opposed removal of the exemption raised the issue of compliance costs for and the regulatory burden on small businesses, while submitters who supported removal of the exemption pointed to consumer expectations, the outdated nature of the exemption due to technological changes and the increased cybersecurity threat to small businesses. It is likely that these arguments will be replicated during any future consultations or debates on the reporting threshold of a mandatory ransomware incident reporting scheme.

Further, pursuant to clause 5 of Labor’s 2021 Bill, private hospitals, medical practitioners or private aged care facilities with an annual turnover of less than $10 million would not be subject to the ransomware incident reporting scheme under that Bill. This might lead to a situation where a private health service provider holding sensitive health information about its patients would be subject to the data breach notification scheme under the Privacy Act, but would not be regulated by the ransomware incident reporting scheme, even though the entity belongs to an industry sector that has been a major target of ransomware attacks – as recognised by both Labor (p. 4) and the Coalition (p. 4). The same goes for all other types of private sector organisations with a turnover of over $3 million but less than $10 million, which are regulated by the Privacy Act but would not be subject to the proposed regime under Labor’s 2021 Bill. 

 

Back to Parliamentary Library Briefing Book

For copyright reasons some linked items are only available to members of Parliament.

© Commonwealth of Australia

Creative Commons

With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.