Australia wants to criminalize ransomware payments

midian182

Staff member
A hot potato: Authorities almost always tell victims of cyberattacks not to pay the criminals' ransom, since doing so is often fruitless, but sometimes it is the only option. In Australia, the government hopes to stop the practice, and in the process discourage ransomware incidents, by making these payments illegal.

Australia has recently been hit with two of the largest data breaches in its history. First was the hack on telecom giant Optus that saw the personal information of nearly 2.1 million customers leaked, then came the attack on private health insurance provider Medibank that compromised the records of 9.7 million current and former customers.

The REvil-linked Russian hackers behind the Medibank attack have already released the records of more than one million people. They are threatening to release more unless they receive a ransom payment, which Medibank refuses to pay.

The incidents have led the Australian government to consider making ransom payments by cybercrime victims illegal. Australia's Home Affairs Minister and Minister for Cyber Security, Clare O'Neil, confirmed that the plans are part of a wider cyber strategy that includes 100 officers joining a new joint standing operation against cybercrime.

Criminalizing the payment of ransoms to cyberattackers would likely reduce the number of incidents, but another expected result would be organizations failing to declare attacks and paying hackers secretly. Ransomware can encrypt every system in a business, so when owners face a choice between potential bankruptcy and breaking the law, some might decide that quietly paying the money is the better option.

The US has also considered banning all ransomware payments. The FBI advised Congress not to take this action, as it would create further extortion opportunities for criminals, such as threatening to report an organization for paying the ransom or for not disclosing a hack.

Not revealing hacking incidents to the authorities, often because of the negative publicity they bring, is not a new phenomenon. Last month, Joe Sullivan, Uber's former chief security officer, was found guilty of charges relating to concealing a 2016 hack on the ride-hailing giant. He was charged with obstructing justice for not revealing the breach to the FTC, and he was also found guilty of actively hiding a felony, known as misprision of felony.

Masthead: Andrey_Popov


ZedRM

How is this not already covered by several parts of Aussie criminal code? You folks don't need new laws. You need to more effectively enforce the ones you already have on your books.

neeyik

Staff member
How is this not already covered by several parts of Aussie criminal code? You folks don't need new laws. You need to more effectively enforce the ones you already have on your books.
It's partly down to the fact that paying a ransom isn't illegal in Australia (UK too). There are grey areas in the laws concerning what the money handed over may be used for; for example, if someone willingly paid a ransom to an organization that has known terrorist links, both parties are open to prosecution.

nodfor

That alone won't help if the fines for the failure to protect data remain high.
Now, if said fines were to become more reasonable, maybe this approach could actually work.

ZedRM

It's partly down to the fact that paying a ransom isn't illegal in Australia (UK too). There are grey areas in the laws concerning what the money handed over may be used for; for example, if someone willingly paid a ransom to an organization that has known terrorist links, both parties are open to prosecution.
Yes, and you just proved my point. Such a situation is still covered by existing laws. Paying a ransom without government involvement is technically aiding and abetting a criminal act, which is itself already a crime.

The need for law enforcement involvement in every ransom situation follows legal statutes & guidelines. You then have a responsible entity making informed judgment calls. In that situation, if the ransom is paid, it is done with a digital trail that can be followed by said law enforcement and other authorities.

New laws are not needed. Effective enforcement of existing criminal code does the job. The efforts described in the above article are little more than political grandstanding aimed at showing the public that their leaders are doing something, when in reality they are doing little to nothing at all.

Burty117

I've seen some wild ransom payments here in the UK. Companies that refuse to pay for a decent backup solution get hit with a ransomware attack because they didn't spend any money on IT, then pay £20k+ for access back to their data.

It's incredible.

neeyik

Staff member
Yes, and you just proved my point. Such a situation is still covered by existing laws. Paying a ransom without government involvement is technically aiding and abetting a criminal act, which is itself already a crime.
The laws only cover ransom payments in such cases where there's a clear risk that the funds will be used in other criminal activities or that the receiver of the funds is a known criminal organization/person. Paying a ransom to, for example, a random, lone person who created a ransomware script in their bedroom isn't illegal and even if a case was raised, it's unlikely to get far in the courts. The act of making the ransom demand is illegal, paying them isn't. The bill is being raised to change the law so that payments specific to ransomware, regardless of who did the attack, become criminal actions in themselves; the idea being that it will discourage companies from paying out.

Tantor

There's no evidence that the hackers have anything to do with Russia.

The notorious Russian Mafia operates worldwide, but is not headquartered in Russia. It's made up of people who left Russia after the collapse of the USSR. Many of them moved to Brighton Beach in New York. That's where they're headquartered, in New York.
https://www.justice.gov/usao-edny/p...anized-crime-syndicate-extradited-switzerland

Russia already eliminated the REvil hackers back in January. It was at the request of the US Government.
https://www.washingtonpost.com/world/2022/01/14/russia-hacker-revil/

Consider the possibility that these hackers are Ukrainians. The present Ukrainian government is widely regarded as one of the most corrupt in the world.

Hodor

This is not fair to non-governmental organizations. How will they now fill their budgets?

ZedRM

Paying a ransom to, for example, a random, lone person who created a ransomware script in their bedroom isn't illegal and even if a case was raised
That is where you are incorrect. The act of intruding on and encrypting the computer system of another person or entity is a high crime in Australia, and paying a ransom is considered in many legal circles to be a form of aiding and abetting such a crime, especially when it is not reported in a timely manner.

The bill is being raised to change the law so that payments specific to ransomware, regardless of who did the attack, become criminal actions in themselves; the idea being that it will discourage companies from paying out.
This is understood. However, it is unneeded. Existing laws cover situations like that. They just need proper enforcement. Again, this is political grandstanding, little more.