- B Vrettos and M Bacina
Ransomware: report now, pay later
After the surge of discussion following the Colonial Pipeline cyber attack it is unsurprising that combatting cybercrime is high on the agenda. Most recently, Australian Home Affairs Minister Karen Andrews is considering a proposal put forward by the Labor Party to mandate that ransomware victims report before paying any ransom.
The idea of mandatory notification is not new and has been recommended by a variety of international authorities. Citing the recent cyber attacks on JBS Foods, Nine Entertainment and Uniting Care Queensland, Shadow Assistant Minister for Cyber Security Tim Watts stated "It's time we saw some real action."
Watts put forward the private member's bill, the 'Ransomware Payments Bill', earlier this week, which aims to mandate that businesses and government agencies notify the Australian Cyber Security Centre (ACSC) before paying any ransom demands. Watts' call to action was echoed in the explanatory memorandum, citing suggestions that "the cost to the Australian economy of ransomware attacks in 2019 alone was in the order of $1 billion." The bill oddly defines "ransomware payments" in a way that is identical to "ransom", so we will stick with the traditional definition in our reporting.
If passed, the bill mandates notice be provided to ACSC as soon as practicable with details such as:
- the identity of the attacker, or what information the entity knows about the identity of the attacker (including information about the purported identity of the attacker);
- a description of the ransomware attack, including:
  - any payment methods for ransom sought, and if digital currency is involved, the wallet to which the attacker demanded the ransom be paid;
  - the amount of the ransom payment; and
- any indicators of compromise known to the entity (which is defined as "technical evidence left by an attacker that indicates an attacker's identity or methods").
Failure to comply could lead to a civil penalty of 1,000 penalty units (currently $222,000), a steep fine for a business that may already be reeling from a cyber attack.
The requirement to report first and act later draws similarities with the current mandatory data breach notification scheme, which has been in place since early 2018. The similarities with existing policy in this area have gained favour, with commentary that the bill will likely be rolled out soon. Watts further said that:
Such a scheme would be a policy foundation for a coordinated government response to the threat of ransomware, providing actionable threat intelligence to inform law enforcement, diplomacy and offensive cyber operations.
Innovation Australia reports that the Opposition has put this high on the list for debate when Parliament returns in August.
In the interim the ACSC recommends that businesses not pay ransoms, as there is no guarantee that payment will lead to affected devices being restored. Payments may also make businesses more vulnerable to future attacks. The Australian Cyber Security Centre has published a ransomware Prevention and Protection Guide as well as an emergency response guide, available here.
It is of course worth noting that for all the headlines about digital currency being involved in ransomware attacks, the US Department of Justice tracked and recovered (with the help of the FBI) a substantial portion of the ransom paid during the Colonial Pipeline attack, because digital currency on public blockchains is traceable.