In a coordinated action with the US and UK governments, Australia has imposed targeted financial sanctions on Aleksandr Ermakov, a Russian citizen and alleged cybercriminal, for his role in the Medibank hack 18 months ago. This marks the first time that the Government has utilized new powers to deter and respond to malicious cyber activity since they were introduced in 2021.
The targeted sanctions make it a criminal offence, punishable by up to 10 years’ imprisonment and heavy fines, to provide assets to Ermakov, or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments. Ermakov will also be subject to a travel ban.
This announcement highlights the Government’s commitment in the 2023-2030 Australian Cyber Security Strategy to deter and respond to malicious cyber activity, including through the use of sanctions. The coordinated action between Australia, the US and the UK follows recent actions targeting Hamas' fundraising networks, including cryptocurrency exchanges.
In its announcement, the US Office of Foreign Assets Control stated:
Australia sanctioned Ermakov for utilizing ransomware to attack the Medibank network and for the exfiltration of sensitive data of 9.7 million users of Medibank services. Today, the United States and the United Kingdom, in solidarity with Australia, are taking action against the same individual because of the similar risk presented by this actor to the United States and the UK.
Australia has sanctioned Ermakov under new powers in the Autonomous Sanctions Amendment (Magnitsky-style and Other Thematic Sanctions) Act 2021 (Cth) which enable it to deploy targeted sanctions based on certain thematics, including weapons proliferation, serious human rights abuses and malicious cyber activity. Sanctions can be applied targeting sanctionable conduct wherever it occurs globally.
Under this regime, the Minister for Foreign Affairs may designate a person or entity for targeted financial sanctions and impose travel bans if the Minister is satisfied the person or entity:
has caused, or attempted to cause, a significant cyber incident;
has assisted with causing, or with attempting to cause, a significant cyber incident; or
has otherwise been complicit in causing, or in attempting to cause, a significant cyber incident.
A 'cyber incident' is a cyber-enabled event (or a group of related cyber events) that results in, or seeks to cause, harm to Australia or another country or countries. This may include events that result in harm to individuals, businesses, economies or governments.
The coordinated sanctions against Ermakov will restrict his ability to continue to profit from ransomware attacks by prohibiting ransomware payments to him or on his behalf. The Minister's announcement stated:
The Australian Government discourages businesses and individuals from paying ransoms or extortion claims to cyber criminals.
Minister for Home Affairs and Minister for Cyber Security, the Hon Clare O’Neil MP said:
Our strong advice to businesses is never pay the ransom. Paying a ransom does not guarantee sensitive data will be recovered, prevent it from being sold or leaked online or prevent further attacks. It also makes Australia a more attractive target for criminal groups.
There are a number of legal issues to consider in responding to a ransomware attack, including disclosure and sanctions obligations and potential legal claims. Where faced with a ransom demand, it is important to carefully consider all factors including the risk of breaching sanctions laws. Given these risks, it is important to seek professional advice from cyber experts and lawyers with experience in dealing with cyber attacks in responding to any cyber incident.
By S Pettigrove and J Huang