Ransomware is the biggest cyber threat facing businesses today, the national cyber agency has warned, as new statistics show the digital extortion method is now reported more than once a day in Australia.
The Australian Cyber Security Centre’s annual threat report released on Wednesday revealed 67,500 cybercrime reports to the government agency last financial year – a 15 per cent increase on the previous year.
Five hundred of them were ransomware incidents, according to the report, which categorised the type of attack as “the most serious cybercrime threat due to its high financial impact and disruptive impacts to victims and the wider community”.
The surge in attacks and the accompanying warning follow criticism of the federal government’s response to ransomware, which Labor says is underdone and which experts warn is not helping smaller businesses enough.
Ransomware has been a significant issue this year, driven by a spate of high-profile attacks on Australian businesses and institutions.
In February, the opposition called for a national ransomware strategy, and in June assistant minister for cybersecurity Tim Watts introduced legislation that would establish a mandatory reporting scheme for businesses intending to make a ransomware payment.
Mr Watts has said his bill would lay the foundation for enforcement action against groups, but it has not been brought on for debate by the government.
A recent report by the Australian Strategic Policy Institute warned a “policy vacuum” has made Australia an “attractive market” for hackers, and that ransomware will only get worse unless there are strategic domestic efforts to prevent it.
To tackle ransomware, the federal government established a cross-agency taskforce in July in an offensive move that saw a near-tripling of the AFP officers focusing on cybersecurity. It has also launched an awareness campaign, consulted with its business advisory group and has said it will work with international allies on the growing threat.
Following the ACSC report release, Assistant Minister for Defence Andrew Hastie said the government was addressing the growing cyber threat.
“The government is taking action, we have introduced legislations to ensure that in the event of a large-scale cyber attack on our critical infrastructure, our cyber and law enforcement agencies are empowered to provide greater and more immediate support to the victims,” Mr Hastie said.
“… our agencies will continue [to] undertake cyber offensive operations against those who would seek to do us harm.”
But Mr Watts said the report showed the government had failed to take meaningful action to prevent ransomware attacks on Australian organisations despite many warnings.
“[W]hile the Morrison Government never misses an opportunity for a dramatic press conference on cyber security, it’s missed every opportunity to take the basic actions needed to combat the urgent threat of ransomware despite growing warnings,” Mr Watts said.
“Instead, it’s simply blamed the victims, telling businesses it’s up to them to protect themselves against increasingly sophisticated and well-resourced cyber-criminals.”
Shane Bell, a cyber security consultant and partner at McGrathNicol, said there is no doubt ransomware is the biggest cyber threat to Australian businesses.
“That’s because of the way … [ransomware is] being executed,” he told InnovationAus.
“It’s size agnostic, it’s sector agnostic, and it really relies on two things that are pretty easy for people to get or to execute: phishing attacks where I can harvest credentials and get access to an environment, or vulnerabilities.”
Mr Bell said criticisms of the government’s response to ransomware were warranted.
“As a practitioner in the industry, I think there’s some work to do at a top line level about what [Australia’s] position is on ransomware — what our framework is and what businesses need to do to be resilient,” Mr Bell told InnovationAus.
More could be done by the federal government to identify cyber risks and to assist businesses to mitigate them, said Mr Bell, who has helped in negotiations for ransomware demands well above $1 million.
“If I’m an organisation or business operating within Australia and I’m being told you need to be taking cyber seriously but it’s a bit of a choose your own adventure on the framework that you use and what you need to do, then that can be pretty confusing.”