The Australian federal government suggests making ransomware payments illegal to decrease the profitability of data breaches for criminal organisations including cyber criminals and ransomware gangs.
Over the weekend, Minister for Cyber Security Clare O’Neil announced that the government is considering banning ransomware payments in response to the Medibank data breach.
According to the Australian Federal Police (AFP), the group behind the hack has been linked to Russian cyber-criminals with connections to the REvil cyber gang, which Russia’s Federal Security Service allegedly dismantled earlier this year.
The hacking group behind the latest Medibank data breach is currently being called “BlogXX”.
The Australian government is taking steps to improve its cybersecurity, including establishing a task force to retaliate against the Medibank hackers.
In less than two months, we’ve experienced two of Australia’s biggest personal data breaches, first Optus and then Medibank. In both cases, the hackers attempted and failed to extort a ransom in exchange for not releasing personal data.
However, in contrast to the Optus and Medibank data breaches, many organisations are paying ransoms to decrypt their computers. In some ransomware attacks, hackers encrypt all of a company’s data, computers, and backups, making it impossible to recover those files.
Problems arising with a ban on ransomware payments.
When organisations are prohibited from paying a ransom, there is a chance they may still pay. They may want to continue operating, even if doing so is against the law. This would decrease the transparency of breach reporting and lead to hackers blackmailing victims to keep their hacks secret, resulting in fewer victim notifications.
An effective ban on ransom payments would require penalties for paying the ransom to be more severe than the impact of the ransom itself. Inadequate penalties would cause organisations to pay the ransom and deal with the legal consequences in order to get back to regular operations.
When a ransom payment ban works.
A ban on making ransom payments could quickly reduce the profits gained by criminal gangs who target Australia.
In the case of the Optus and Medibank data breaches, the ransom was demanded in exchange for “not leaking” sensitive information, so a ban on ransom payments could be a good idea.
Proposed task force said to be insufficient protection against ransomware attacks
Managing CISO at Barrier Networks, Jordan Schroeder, says the idea of a new task force is insufficient to ensure protection against ransomware attacks in Australia.
“The Medibank data breach took Australia by storm and the government is analyzing how to handle future cyber incidents. However, quick, isolated responses will only make the situation worse.”
“Making ransom payments illegal in one jurisdiction could push the payment of ransomware underground, which will hide these crimes and make coordinated responses with law enforcement difficult,” says Schroeder.
Alternative solutions.
Ransomware payments can often be fully covered by cyber insurance policies. Because ransomware criminals usually demand an amount equal to what the firm would receive from the insurance company, the organisation suffers smaller losses. However, the criminals still profit.
Prime Minister Anthony Albanese has previously said the government is doing all it can to limit the impact of the 2022 Medibank data breach, and that Medibank and the government are working together to provide assistance to concerned customers.