Exfiltrate, encrypt, extort: the global rise of ransomware and Australia’s policy options
15 Jul 2021

Ransomware attacks are now a global epidemic and Australia is a prime target. That’s because ransomware is scalable, ransomware attacks can be commoditised and ransomware criminals are essentially ‘guns for hire’.

Bringing a huge organisation to a grinding halt can cost as little as $66—the measly outlay for some ‘advanced’ ransomware tools sold on the dark web. It’s a low cost for a potentially lucrative reward. On the flipside, the cost for victims to respond and recover from ransomware attacks can run into many millions.

Over the past 18 months in Australia, major logistics company Toll Holdings has been hit twice; Nine Entertainment fell prey, struggling to televise news bulletins and produce newspapers; and global meat supplies were affected after Australian and international operations of JBS Foods were brought to a standstill.

In a new policy report for ASPI’s International Cyber Policy Centre, Anne-Louise Brown and I argue that there’s a policy vacuum in Australia that makes it an attractive market for ransomware attacks, and that the problem will only get worse unless a concerted and strategic domestic effort to thwart the attacks is developed. Without urgent action to reduce the incentives to target Australian companies and other entities, the number of attacks will continue to grow.

All governments, civil-society groups and businesses—large and small—need to know how to manage and mitigate the risk of ransomware, but organisations can’t deal with the attacks on their own. There is a central role for government to play.

While there’s no doubt ransomware is difficult to tackle using traditional law enforcement methods because the criminal actors involved are usually located offshore, there are domestic policy levers that can be pulled to support cybersecurity uplift across the economy. Such action is essential because the grim reality is that, when it comes to ransomware, prevention is the best response.

There needs to be greater clarity regarding the legality of ransomware payments, increased transparency when attacks do occur, the adoption of a mandatory reporting regime and incentivisation for businesses to bolster their cyber defences through tax, procurement and subsidy measures. Australia would also benefit from the establishment of a dedicated cross-departmental ransomware taskforce, similar to that recently launched by the US Department of Justice.

When a ransomware attack occurs, any payment made has legal implications, but in Australia the legality of such a payment is murky at best. This is an issue that needs to be addressed with haste, without the burden of bureaucratic process and a regulatory quagmire. Importantly, criminalising ransomware payments isn’t the solution. Mandatory reporting of ransomware attacks, however, should be considered. A non-punitive model would foster an information-sharing culture rather than punishing victims twice: organisations that pay a ransom could report the attack without fear of legal consequences.

Transnational cyberattacks are a serious concern for Australians. The recently published results of the 2021 Lowy Institute poll found 98% of respondents viewed ‘cyber attacks from other countries’ as a critical (62%) or important (36%) threat to Australia over the next decade. That makes transnational cyberattacks the highest ranking of the 12 threats to Australia’s vital interests respondents were asked about—more of a concern than climate change, global pandemics, international terrorism, severe economic downturn and Australia–China relations.

As it stands, there’s a dearth of official public data relating to ransomware attacks in Australia. For example, in 2019–20 the Australian Cyber Security Centre reported an increase in the number of domestic ransomware attacks, but no specific metrics were released. This is in stark contrast to the US, which has a much more transparent reporting system. The FBI publicly reported that its Internet Crime Complaint Center received 2,474 ransomware complaints in 2020, amounting to US$29.1 million in reported losses. Even that figure understates the true cost, because it counts only losses reported by victims and excludes most response and recovery expenses.

Ransomware isn’t an abstract possibility. In Australia, the threat’s right here, right now and isn’t going away. There’s a key role for the Australian government to play in leading the way, but tackling ransomware is a shared responsibility.

While there’s no doubt that organisations must take responsibility for ensuring that their cybersecurity posture is up to scratch, there are practical and easily implementable steps the government can take to provide clarity, guidance and support.

The ongoing ransomware attacks that continue to strike unabated around the world must act as a red flag. And, because we’ve been warned, we need a plan.