Ransomware attacks are driving record payouts in Australia. Should you pay the ransom?


Ransomware remains one of the most common forms of cyberattack, and it's particularly threatening because it can be incredibly effective.

Ransomware damage is expected to exceed $265 billion worldwide by 2031. These attacks can affect even the largest organizations. In July, a group of hackers disrupted the operation of more than 230 Indonesian government agencies and services by infecting critical systems at a national data center.

Why are organizations tempted to pay ransoms?

In theory, the threat of ransomware would be more of a costly nuisance than a catastrophe; the idea is that if you pay the ransom, the problem goes away.

The cost of paying a ransom is often modest compared to the cost of recovering or rebuilding systems. For example, the group behind the Indonesian data center attack was only demanding a relatively modest $12 million from the central government.

Research from McGrathNicol Advisory found that 73% of Australian organisations that suffered a ransomware attack in the past five years opted to pay the ransom.

According to Chainalysis, ransomware payments exceeded $1 billion worldwide last year for the first time. “Big game hunting,” where groups target large organizations and demand ransoms of more than $1 million, is on the rise. And affected organizations are often tempted to pay up.

Paying the ransom should not be the default decision, however. The Indonesian government, for example, has decided to refuse to pay the ransom. Meanwhile, Australia may soon make the payment illegal, meaning that about three-quarters of organisations need to plan a different way of dealing with the threat.

Why Australia will likely legislate to ban ransomware payments

The Australian government currently strongly recommends against paying for a ransomware attack, a recommendation that very few people heed.

“Making a ransomware payment does not guarantee that sensitive data will be recovered or prevent it from being sold or leaked online,” the government notes on the DFAT website. “You may also be the target of another attack. It also makes Australia a more attractive target for criminal groups.

“Making or facilitating a ransomware payment may breach Australian sanctions laws and result in criminal penalties where such payments are made to persons or entities subject to Australian autonomous sanctions laws.”

In 2022, the government floated the idea of going a step further and banning ransomware payments altogether. This raised concerns in the business community regarding the absolute nature of such a law, and in late 2023, the government quietly abandoned that plan in favor of introducing mandatory reporting requirements.

The decision was made in part to improve national understanding of ransomware attacks and cybercrime. The failure to report all ransomware incidents is “limiting our national understanding of their true impact on the economy,” the government noted, adding that a “mandatory, no-fault, no-liability” obligation to disclose these incidents would improve this understanding.

“Pending appropriate design, anonymous reports on ransomware and cyber extortion trends could be shared with industry and the wider community to help us take steps to build our national resilience against cybercrime,” the government said.

However, while it is not currently entirely illegal, organisations should understand that paying the ransom could constitute a punishable offence, as noted on the DFAT website. It could also amount to a money laundering offence, under the Australian Criminal Code Act 1995, if “there is a risk that the money may become an instrumentality of crime” and the organisation is “reckless” or “negligent as to the fact that the money or property is the proceeds of an indictable offence”.

There may well be legal defences against such accusations, but the point is that, with increased scrutiny and a desire to crack down on ransomware payments, organizations should look for alternative ways of handling ransomware attacks.

How Australians should deal with ransomware attacks

Despite numerous high-profile cases of security breaches and successful ransomware attacks in Australia in recent years, preparedness remains low and organisations are still feeling pressure to pay the ransom.

As a priority, organizations need to ensure their IT and security teams are prepared. This means keeping systems up to date; regularly updating operating systems, software, and applications; and ensuring all endpoint devices are properly maintained and compliant with policies.

At the same time, the organization should develop a backup strategy that includes an air-gapped version to reduce the risk of backups being compromised by a successful ransomware attack.

Then, once the initial attack is addressed, enlist the help of a third party to conduct a thorough audit of the environment, determining if there are any ongoing issues and where any vulnerabilities lie.
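As an added illustration of the backup step above (example code written for this page, not code from the article or from any product or agency it mentions): the script builds a SHA-256 manifest of a backup set and later verifies a copy of that set, such as one restored from air-gapped media, against the manifest. Files that are missing, altered or unexpected are reported, which is how a backup that was encrypted or tampered with before it went offline would show up before you rely on it for recovery. The directory layout, file names and contents are constructed sample data.

```python
"""Backup manifest and offline-copy verification (added example, not from the article)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its digest and size."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"sha256": _sha256(p), "size": p.stat().st_size}
    return {"version": 1, "files": entries}


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_copy(root: Path, manifest: dict) -> dict:
    """Compare a backup copy against a manifest taken when the backup was made.

    Returns a report with the files whose contents changed, files that are
    missing, and files present that the manifest never listed.
    """
    expected = manifest["files"]
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    modified = [rel for rel in expected
                if rel in present and _sha256(root / rel) != expected[rel]["sha256"]]
    missing = sorted(set(expected) - present)
    unexpected = sorted(present - set(expected))
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> tuple:
    """Constructed sample: verify an intact copy and a corrupted copy of one backup set."""
    base = Path(tempfile.mkdtemp(prefix="backupdemo_"))
    try:
        src = base / "backup"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (src / "config.yaml").write_text("retention_days: 30\n")

        # Manifest is written at backup time and stored separately from the media.
        manifest_path = base / "backup.manifest.json"
        save_manifest(build_manifest(src), manifest_path)
        manifest = load_manifest(manifest_path)

        intact = base / "offline_copy_ok"
        shutil.copytree(src, intact)

        # A copy whose contents were replaced, a file removed, and a file added
        # (constructed to show what each kind of discrepancy looks like).
        corrupted = base / "offline_copy_bad"
        shutil.copytree(src, corrupted)
        (corrupted / "db" / "orders.sql").write_bytes(os.urandom(64))
        (corrupted / "config.yaml").unlink()
        (corrupted / "README_EXTRA.txt").write_text("not in manifest\n")

        return verify_copy(intact, manifest), verify_copy(corrupted, manifest)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for label, report in zip(("intact copy", "corrupted copy"), demo()):
        print(label, json.dumps(report))
```

The manifest is only useful if an attacker who reaches the backup cannot also rewrite it, so keep it apart from the media it describes (or sign it) and verify the offline copy on a clean machine before restoring anything from it.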

The standard approach Australian businesses are taking to dealing with ransomware will not be viable indefinitely. While best practices for tackling ransomware are well known, few businesses appear to be acting with urgency to better prepare their environments, and that puts them increasingly at risk.
