Should Australian Businesses Pay Ransoms to Cybercriminals?

The Australian Cyber Security Center (ACSC) strongly advises against paying ransoms of any amount to cybercriminals. In some circumstances, these payments could even be illegal.

The Australian government is tightening its cybersecurity regulations to align with the United State's new stance on nation-state threats. As a result, there have been significant changes to how Australian businesses are expected to respond to cyberattacks.

In this post, we will discuss some of the major reforms impacting ransomware attacks, data breaches, and cybersecurity best practices.

Is it Illegal For Australian Businesses to Pay Ransoms to Cybercriminals?

It is a serious offense to give money to criminals or to knowingly fund criminal activities. Because of this, ransom payments may be classified as illegal and should be avoided.

For more information, see the Criminal Code Act 1995, and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

Because of these regulations, businesses in Australia must implement sophisticated cybersecurity solutions to avoid facing a scenario where a ransom payment is being demanded.

This call to strengthen cyber resilience against ransomware attacks is especially important in the current threat climate because one of Australia's fastest-growing threats is ransomware attacks.

The sudden spike is a result of the criminal world's adoption of business principles. The development of ransomware (ransom software) has made it possible to monetize ransomware attacks, and the adoption of the Ransomware-as-a-Service model (a variation of the SaaS model), has made it possible to rapidly scale these attacks to maximize profits.

In the last 12 months, two major ransomware attacks threatened Australia's security:

  • JBS Foods - A global meat distributor employing over 11,000 Australians across 47 sites. The company ended up paying the $14.2 million ransom to end the 5-day cyberattacks halting its operations.
  • Nine Entertainment - The ransomware attack against the media company caused major broadcast disruptions.

Here are some concerning stats:

According to a report by Crowdstrike, over two-thirds of Australian organizations suffered a ransomware attack between 2019 and 2020, and of these victims, 33% paid the ransom.

A considerable subset of Australian Ransomware attack victims is giving in to criminal demands, despite the strong recommendation not to do so by the ACSC.

Australian Businesses May Have to Disclose When they Make Ransom Payments

The combination of ransomware attackers achieving their objectives, and the proliferation of these attacks targeting Australian businesses, has fueled the proposal of a controversial Labor bill that, if passed, would force Australian organizations to disclose whenever they pay a ransom.

The Ransomware Payments Bill 2021 instructs ransomware attack victims to contact the Australian Cyber Security Centre (ACSC), ideally, prior to making a ransom payment.

The goal is to mitigate compliance with cybercriminal demands by offering victims alternative options that may not have been considered. A desirable by-product of this assistance is to also provide law enforcement entities with intelligence that could help target criminal groups.

Details of interest include::

  • The ransom amount being demanded (usually this will be a bitcoin amount)
  • Cryptocurrency wallet details provided for the ransom payment
  • Indicators of compromise

The proposed bill does not specify the ramifications of non-compliance, it simply promises that failure to notify the ACSC will attract a penalty.

Read the Ransomware Payments Bill 2021.

How Can Australian Businesses Prepare for the Ransom Payments Bill 2021?

There's a significant probability that this bill, or a future modification of it, will pass. This is because Australia is currently reassessing its cyber resilience.

The 2020 cybersecurity strategy is being criticized for being vague and unambitious compared to the strategy launched by former Prime Minister Malcolm Turnbull in 2016. And currently, there are no clear cybersecurity standards for Australian businesses.

To prepare for such a bill, organizations should start strengthening their security postures to eliminate attack vectors that could facilitate ransomware injections.

This process begins with the implementation of the Essential Eight cybersecurity framework. The Essential Eight will become mandatory for all 98 non-corporate government entities, but the ACSC recommends all Australian businesses to adopt itç

The ACSC also warns that the Essential Eight should not be considered a comprehensive cybersecurity program, it's merely the minimum baseline of security. In addition to this, businesses must introduce additional cybersecurity solutions.

In addition to this, a reliable and accurate reporting process should be implemented to efficiently communicate ransomware attack details with the Australian Cyber Security Centre.

The details of such a reporting protocol should be clearly outlined in an Incident Response Plan.

Currently, all cyber attack events can be reported to the ACSC via the ReportCyber portal.

Do Australian Businesses Need to Report Data Breaches?

Under the Notifiable Data Breach scheme that was introduced in 2018, entities with an annual turnover of more than AU$3 million must report all data breaches to the Office of the Australian Information Commissioner (OAIC), if they could result in serious harm.

Entities in this qualifying category are covered by the Privacy Act 1988. They include:

  • Australian Government agencies
  • Non-for-profit businesses
  • For-profit businessses
  • The private sector health service providers
  • Credit reporting bodies
  • Credit providers
  • Businesses that trade in personal information
  • Tax file number (TFN) recipients

For more information, see part 4 of the Notifiable Data Breach Scheme.

Under the Notifiable Data Breach Scheme, the following data breaches must to be reported to the OAIC) within 72 hours.

  • Data breaches that result in personal information being accessed, disclosed, or lost.
  • Data breaches with the potential of causing harm to one or more individuals.
  • When the compromised entity is unable to prevent such risk of harm through remedial action.

The classification and degree of 'personal harm' is subjective, All data breaches have the potential of causing harm. Even if just an email address (which is generally liberally published online) is compromised, the owner could be targeted in phishing attacks.

To avoid misinterpreting the severity of a data breach, it's best practice to report every data breach incident to both the OAIC and the Australian Cyber Security Centre.

For guidance on how to prepare and execute a formal data breach response under the Privacy Act 1988, refer to this document by the OAIC.

Top 6 Ways Australian Businesses Can Prevent Data Breaches

The Office of the Australian Information Commissioner (OAIC) regularly publishes data breach statistics based on all of the breach notifications received under the Notifiable Data Breaches (NDB) scheme.

if Australian businesses adjust their cybersecurity programs to address these vulnerabilities the risk of data breaches could be reduced.

Here's a summary of the key findings from the data received between 1 July and 31 December 2020.

  • Data breaches caused by human error accounted for 38% of notifications.
  • The top category of human error was personal information sent to the wrong email recipient
  • Contact information was the top category of breached data.
  • The healthcare sector accounted for the highest number of data breach reports (23%), followed by the finance sector (15%)
  • Most data breaches were identified within 30 days.
  • Most organizations notified the OAIC of data breaches within 30 days.
  • Cyber incidents account for 68% of all data breaches.
  • The top 3 cyber incidents were - phishing attacks, compromised credentials, and ransomware attacks.

Based on this intelligence, Australian businesses should take the following precautions to mitigate the risk of data breaches.

Read more on how Australian businesses can protect themselves from data breaches.

1. Teach Staff to Identify Cyber Threats

Human error is the leading cause of data breaches in Australia. This statistic isn't just characteristic of Australian businesses, a joint study between Standford University and security firm Tessian found that about 88% of all data breaches were caused by an employee error.

The solution is simple, teach employees how to identify and respond to cyber threats. The following resource can be used for cyber threat awareness training in the workplace:

2. Implement Multi-Factor Authentication (MFA)

In addition to cyber threat awareness training, multi-factor authentication should be implemented across all end-points, especially on remote devices.

Even after the most stringent training, employees can still fall victim to cybercriminal trickery, especially when reservations become clouded by lack of sleep and stress.

The delays created by Multi-Factor Authentication could disrupt manipulated actions and force employees to consider the ramifications of each login attempt.

3. Implement the Essential Eight Framework

The Australian Signals Directorate (ASD) recommends the Essential Eight for all Australian businesses because it's very effective. The eight cybersecurity controls will raise the baseline of your cyber resilience, creating a favorable foundation to build upon with additional cybersecurity strategies.

Learn more about implementing the Essential Eight framework.

4. Implement a Data Leak Detection Solution

According to the OAIC, most data breaches were reported within 30 days. This reporting timeline should be significantly reduced. The longer sensitive data remains in the hands of cybercriminals, the higher the damage that can be inflicted with it.

After cybercriminals exfiltrate sensitive data, they usually publish it for sale on the criminal-infested dark web, exposing it to further compromise. A data leak detection solution can detect when sensitive resources have been exposed so immediate remedial efforts can be initiated.

Such a solution could alert Australian businesses when they've fallen victim to a clandestine data breach operation which will increase the chances of recovery and improve data breach notifications to the OAIC.

5. Implement a Third-Party Risk Management (TPRM) Solution

Cyberattacks targeting the Australian health sector are on the rise. The healthcare, finance, and law industries are the usual victims of ransomware attacks because of the valuable data they store. Cybercriminals know these industries have much to lose if their data is compromised and they'll pay top dollar to salvage it.

A common attack vector in such ransomware attacks is through a compromised third-party vendor. A third-party data breach occurs when a vendor is compromised to gain internal access to a victim. These attacks, also known as supply chain attacks, are becoming very popular because cybercriminals only need to compromise a single victim to breach multiple targets.

Such 'backdoor' access can be mitigated with a Third-Party Risk management solution. TPRM solutions detect vulnerabilities throughout the vendor network that vendors themselves overlook. This allows the exposures to be remediated before they're detected and abused by cybercriminals.

6. Implement a Zero Trust Architecture (ZTA)

A Zero Trust Architecture (ZTA) is one of the most resilient cybersecurity frameworks, this is why its implementation is a mandatory requirement of President Biden's cybersecurity Executive Order.

A ZTA assumes that all network activity is malicious unless proven otherwise. Users need to pass three laters of authentication to be granted network access:

  • Stage 1 - The verification of all users
  • Stage 2 - The verification of all user devices
  • Stage 3 - The verification of all access privileges.

Because the ZTA methodology is predicated on latitudinous awareness, it's most effective when implemented alongside solutions that monitor exposures across the entire attack surface.

UpGuard Protects Australian Businesses from Data Breaches

UpGuard helps Australian businesses prevent data breaches by detecting and remediating vulnerabilities and data leaks that could facilitate data breaches. This protection also extends to the entire third-party network. Find out why hundreds of companies choose UpGuard to help manage their attack surfaces and third-party risk!

Ready to see
UpGuard in action?