During a ransomware attack, a victim's vital internal processes are seized and encrypted, forcing the business offline. The attackers only reverse this damage if a ransom payment is made.
Ransomware attacks are an escalating threat to global security, and the Australian Government is taking a firm stance against them.
To maximize the efficacy of defense efforts, Australia has joined forces with 31 other countries to establish a unified international response to ransomware threats.
This official agreement, known as the Counter Ransomware Initiative, covers a range of actions including cyberattack resistance, disruption of cybercriminal operations, and countering illicit financial activities.
In addition to international cooperation, on 13 October 2021 Australia released a new Ransomware Action Plan outlining its own initiatives for combating and disrupting ransomware and cybercrime on the dark web.
For a breakdown of Australia's Ransomware Action Plan, its efficacy, and impact on Australian businesses, read on.
Overview of Australia's Ransomware Action Plan
Australia's Ransomware Action Plan can be summarized in 11 primary initiatives.
- Mandatory reporting for Australian businesses with annual turnovers of more than A$10m.
- Stricter criminal offenses linked to cybercrime will be introduced.
- There will be an increased focus on holding cybercriminals accountable for their actions.
- Purchasing and selling malware for cybercrime will become a punishable crime.
- There will be a strong focus on bolstering critical infrastructure security.
- A plan will be developed to empower law enforcement agencies to seize ransomware payments in cryptocurrency and disrupt cybercrime profits.
- A multi-agency task force spearheaded by the Australian Federal Police (AFP) - The Operation Orcus Task Force - will be established to manage all sectors of the Ransomware Action Plan, including international cyber-defense campaigns and the delivery of clear cybersecurity advice for all Australian businesses.
- The Australian Government will even criminalize possessing stolen data knowingly obtained from separate criminal offences.
- A stand-alone offence for cybercriminals planning to target critical infrastructure will be established.
- A$164.9m will be allocated to a cybercrime budget, with almost A$90m to fund an additional 100 AFP staff focused on fighting cybercrime.
- Increased penalties for depriving victims of their data and publicly releasing sensitive data.
How Effective is the Ransomware Action Plan?
Overall, Australia's Ransomware Action Plan is a commendable step forward in the fight against ransomware attacks.
This initiative has significant potential because it disrupts the three pillars supporting ransomware attack success:
- Pillar 1: The delivery of ransomware payments.
- Pillar 2: The exploitation of critical infrastructure vulnerabilities.
- Pillar 3: The expansion of ransomware operations.
Disrupting Ransomware Payments
The solution to the rising threat of ransomware is actually quite simple - stop paying ransoms. If all victims stopped funding ransomware attacks, the cybercrime wouldn't be profitable enough to pursue.
The problem is that ransomware victims are paying up, despite the FBI's urgent warning not to do so. The current response examples being set by high-profile victims are likely to blame - the most notable being Colonial Pipeline's response to its ransomware attack.
To prevent a nationwide transportation catastrophe, Colonial Pipeline paid its hackers nearly $5 million to recover its seized data and resume fuel delivery.
Fortunately, in Colonial Pipeline's case, the attackers followed through with their promises of providing a decryption key after payment. This outcome is unusual because, according to research data, most ransomware cybercriminals do not reverse the damage they caused, despite a ransom being paid.
According to the State of Ransomware 2020 report by Sophos, the average cost of remediation efforts for victims that paid a ransom was double the cost of those that didn't.
The Australian Ransomware Action Plan hopes to finally quell compliance with criminal demands by forcing victims to report ransomware incidents to the Australian Government.
Not only will mandatory ransomware incident reporting gather intelligence to further cultivate Australia's cybersecurity strategies, it will also provide support to victims so that they don't have to contend with these cyberattacks alone.
This Ransomware Action Plan promises the delivery of clear cybersecurity advice for businesses of all sizes to mitigate attacks. It also promises to assist with responding to complicated cyber threats that cannot be handled alone - through the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
These initiatives should prevent the initiation of ransom payments by:
- Filling victim knowledge gaps to support best cybersecurity practices and mitigate ransomware success.
- Offering the support of cyber-threat experts to assist victims with a response that's compliant with the Ransomware Action Plan.
To further minimize the chances of a successful ransomware payment, a final defensive barrier is required should a ransom payment still occur.
This final barrier is the initiative to intercept and freeze cryptocurrency payments - an extremely complicated but possible endeavor.
Bolstering Critical Infrastructure Security
Critical infrastructures are prime targets for ransomware criminals because their operational continuity is vital for the stability of a nation. When they're attacked, victims feel compelled to make a ransom payment to mitigate the impact on national resources.
Australia is very familiar with such attacks and their devastating potential. While struggling to meet growing patient demands during the pandemic, the Australian aged care and healthcare sectors were continuously targeted in ransomware campaigns.
Legislative reforms will evaluate the current security postures of Australian critical infrastructures to help the Australian Government identify and address vulnerabilities that could facilitate ransomware attacks.
Critical infrastructure cyberattacks tend to be the most sophisticated, so this sector will greatly benefit from the cyberattack response support promised by the Government's Ransomware Action Plan.
Preventing the Expansion of Ransomware Operations
Finally, to depress the rising trend of ransomware attacks, the processes fueling the expansion of ransomware operations need to be disrupted.
The Ransomware Action Plan proposes a two-pronged approach for achieving this:
Firstly, the Government will target and starve the distribution of ransomware (ransom software). Because ransomware has now evolved into a subscription service amongst cybercriminals (similar to the Software as a Service model), stopping its distribution will devastate its profit engine, suffocating its growth.
Secondly, the Australian Government is pushing for new criminal offences for ransomware crime, especially when critical infrastructure is being targeted. This initiative could eventually extend to other computer crimes and criminal offences such as data breaches and DDoS attacks.
The effectiveness of this second strategy will be amplified if the first is a success. As ransomware operations stop scaling, the risk of punishment will begin to heavily outweigh the potential of becoming a successful ransomware criminal. This will prompt a rising number of resignations amongst Ransomware-as-a-Service (RaaS) distributors and providers, further accelerating the initiated decline of ransomware attacks.
Each individual pillar feeds the success of its associates. If just one is destroyed, ransomware operations will be severely impeded, but by addressing all three, ransomware gangs will have very little chance of prevailing.
This unique approach to combating the threat of ransomware gives Australia's Ransomware Action Plan optimistic potential.
Limitations of Australia's Ransomware Action Plan
The Ransomware Action Plan isn't perfect. When the Minister for Home Affairs, Karen Andrews, announced the plan, security experts were quick to discover some gaping deficiencies, namely the lack of a Zero Trust approach and a least privilege policy.
The inclusion of a Zero Trust initiative would have aligned the Ransomware Action Plan closer to Biden's cybersecurity executive order.
A strict least privilege policy ensures that access to sensitive resources is only granted to staff that have a critical need for it.
By not including a strict least privilege policy, Australia's Ransomware Action Plan fails to address the threat of social engineering attacks, which could facilitate other forms of cyber extortion.
How Does the Ransomware Action Plan Impact Australian Businesses?
The immediate course of action for all businesses is to achieve ransomware attack resilience by bolstering their cybersecurity programs.
This can be achieved through the following five-step framework.
Step 1: Reference Cyberattack Prevention Resources
Stakeholders and business owners should begin by establishing a firm foundation in the basics of cybersecurity. The Australian Cyber Security Centre (ACSC) has launched a number of campaigns promoting free resources, which include a comprehensive guide on ransomware.
The ACSC's free resources on ransomware attack protection for all businesses (including small businesses) can be accessed here.
Keep an eye out on the ACSC website for an expansion of its ransomware resource library. The Australian Government is committing to a $4.9 million investment to fund new national cyber security awareness campaigns.
Step 2: Strengthen Ransomware Attack Notification Mechanisms
Clear and actionable reporting regimes should be established to meet the action plan's strict requirement of timely ransomware incident notification.
Ransomware attacks are grouped with data breaches under the Notifiable Data Breach (NDB) scheme, so they will both share the same reporting channels.
All breaches and ransomware attacks should be reported to the Office of the Australian Information Commissioner (OAIC) within 72 hours.
Step 3: Implement the Essential Eight Framework
The Essential Eight is a cybersecurity framework by the Australian Signals Directorate. This is Australia's most resilient cybersecurity framework against international cyber threats and data breaches.
The Essential Eight includes a privileged access restriction control, the very control the Ransomware Action Plan was criticized for omitting.
Implementing this framework will help all Australian businesses, regardless of their current level of cybersecurity, progress to a highly resilient security posture.
Step 4: Implement a Zero Trust Architecture (ZTA)
Zero Trust, a cybersecurity framework developed by NIST, encourages the assumption that all network activity is potentially malicious. This results in stricter privileged access policies and increased monitoring of attack surfaces, maximizing the chances of disrupting cybercriminal activity before ransomware injection.
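The least privilege policy described in the Limitations section and the Zero Trust assumption in Step 4 both come down to the same enforcement rule: nobody holds standing access, every decision starts from deny, and any access that is granted is scoped to a documented need and expires on its own. The following Python evaluator is an added illustration of that rule, not code from the original article or from any Australian Government programme; the roles, resources and subjects in it are constructed sample data, and the class and method names are the author's own choices.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample catalogue (not from the article): for each role, the
# resources it has a documented business need for and the actions allowed.
# Any (role, resource, action) combination missing here is denied.
NEED_TO_KNOW = {
    "payroll-clerk": {"payroll-db": {"read"}},
    "dba": {"payroll-db": {"read", "write"}, "backup-vault": {"read"}},
    "helpdesk": {"ticketing": {"read", "write"}},
}


@dataclass
class Grant:
    """A time-limited, resource-scoped permission issued to one subject."""
    subject: str
    resource: str
    actions: frozenset
    expires: datetime


class LeastPrivilegePolicy:
    """Default-deny access evaluator (hypothetical helper for this example).

    No subject holds standing access. A grant must be issued explicitly, is
    capped by the role's need-to-know entry, and expires on its own. Every
    decision is logged so denials can feed attack surface monitoring.
    """

    def __init__(self, need_to_know):
        self.need_to_know = need_to_know
        self.grants = []
        self.log = []

    def grant(self, subject, role, resource, actions, ttl, now):
        """Issue a just-in-time grant, refusing anything beyond the role's need."""
        allowed = self.need_to_know.get(role, {}).get(resource, set())
        excess = set(actions) - allowed
        if excess:
            # Refuse the whole request rather than silently trimming it, so an
            # over-broad request is visible to whoever reviews the log.
            self.log.append(("grant-refused", subject, resource, sorted(excess)))
            raise PermissionError(f"{role} has no need for {sorted(excess)} on {resource}")
        g = Grant(subject, resource, frozenset(actions), now + ttl)
        self.grants.append(g)
        self.log.append(("grant-issued", subject, resource, sorted(actions)))
        return g

    def decide(self, subject, resource, action, now):
        """Return (allowed, reason). Falls through to deny when no grant matches."""
        for g in self.grants:
            if g.subject == subject and g.resource == resource and action in g.actions:
                if now < g.expires:
                    self.log.append(("allow", subject, resource, action))
                    return True, "active grant"
                self.log.append(("deny", subject, resource, action, "expired"))
                return False, "grant expired"
        self.log.append(("deny", subject, resource, action, "no grant"))
        return False, "no grant (default deny)"

    def denials(self):
        """Log entries a monitoring pipeline would want to see."""
        return [e for e in self.log if e[0] in ("deny", "grant-refused")]


def demo():
    """Walk one subject through grant, use, expiry and an over-broad request."""
    policy = LeastPrivilegePolicy(NEED_TO_KNOW)
    t0 = datetime(2021, 10, 13, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    policy.grant("alice", "payroll-clerk", "payroll-db", {"read"}, timedelta(hours=2), t0)
    results = {
        "alice_read_now": policy.decide("alice", "payroll-db", "read", t0)[0],
        "alice_write_now": policy.decide("alice", "payroll-db", "write", t0)[0],
        "alice_read_later": policy.decide("alice", "payroll-db", "read", t0 + timedelta(hours=3))[0],
        "bob_read_now": policy.decide("bob", "payroll-db", "read", t0)[0],
    }
    try:
        # A clerk asking for write access exceeds the role's need-to-know.
        policy.grant("alice", "payroll-clerk", "payroll-db", {"write"}, timedelta(hours=1), t0)
        results["overbroad_refused"] = False
    except PermissionError:
        results["overbroad_refused"] = True
    results["denial_count"] = len(policy.denials())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the evaluator never consults a role to decide a request; roles only bound what may be granted, and each request is checked against a concrete, expiring grant. That is what keeps a phished credential from carrying standing access to everything its owner ever needed, and the denial log is the signal an attack surface monitoring solution would consume.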
Step 5: Implement an Attack Surface Monitoring Solution
An attack surface monitoring solution will reveal overlooked security vulnerabilities that could facilitate the injection of ransomware.
For maximum ransomware attack resilience, such a solution must be capable of monitoring the third-party vendor network since this attack surface is a popular initial entry point in a cyberattack sequence.
To raise attack surface security to a world-class level, cybersecurity programs should also include a data leak prevention strategy. This will address the sensitive data leaks that help cybercriminals breach IT boundaries faster.