Govt to consider making ransomware payments illegal

The federal government will consider making it illegal to pay the ransom demands of cyber criminals as part of its review of the 2020 national cybersecurity strategy.

Home Affairs minister Clare O’Neil confirmed the government would “look at” the complex issue of ransomware payments after a series of high-profile data breaches, including at Medibank.

Medibank last week ruled out paying the ransom following its breach, a decision that saw some of the data leaked on a dark web forum reportedly linked to Russia-backed cybercriminal group REvil.

The government has applauded Medibank’s decision, as paying a ransom fuels the ransomware business model, does not guarantee access to locked systems or data, and can risk repeat attacks.

Minister O’Neil told ABC’s Insiders program the government would consider making payments illegal as part of the policy response to the recent spate of large-scale data breaches.

“There’s some really big policy questions that we are going to need to think about and consult on, and we’re going to do that in the context of the cyber strategy,” she said on Sunday.

The government announced plans to recast the 2020 Cyber Security Strategy in August, with sovereign capability expected to be a specific focus.

In the near term, however, the government is focused on “quick wins”, including a joint standing operation to disrupt cyber criminals, which will initially prioritise ransomware threat groups.

The operation, announced over the weekend, will seek to “collect intelligence and identify ring-leaders, networks and infrastructure in order to disrupt and stop their operations”.

It will consist of 100 officers from the Australian Signals Directorate and the Australian Federal Police.

Last week, former national cybersecurity advisor Alastair MacGibbon said the reasons why a business pays a ransom are never clear cut.

He said the “concept of paying to unlock a computer system is fundamentally different to the concept of paying to ask the criminal to delete the data”, for instance.

“Until someone has walked in the shoes of an… organisation that’s victimised by these criminals, it’s really hard for anyone to judge,” he told ABC’s QandA on Thursday.

“There’s no right or wrong answer when these criminals strike. It’s a serious of least worse decisions and Medibank has made a decision.”

Mr MacGibbon, who is now cybersecurity firm CyberCX’s chief strategy officer, said paying the ransom remains a “legitimate option”, but that it offers no guarantees.

“The reason why it’s still a viable option is we live in a horrendously permissive threat environment,” he said.

“Criminals come up to the door of… all of your houses and all of our businesses every day. They don’t just rattle the doorknob to see if the door’s locked, they’ll break into that door.”

On Friday, Australian Federal Police Commissioner Reece Kershaw attributed the Medibank data breach to a “group of loosely affiliated cyber criminals” believed to be in Russia.

“These cyber criminals are operating like a business with affiliates and associates, who are supporting the business. We also believe some affiliates may be in other countries,” he said.

While Mr Kershaw did not name the group believed to behind the attack, Russian-based ransomware-as-a-service crime group REvil are suspected.

“We believe we know which individuals are responsible, but I will not be naming them,” he said.

“What I will say is that we will be holding talks with Russian law enforcement about these individuals.”

Do you know more? Contact James Riley via Email.

Leave a Comment