Over the last few years, the number of ransomware attacks globally has increased significantly. In 2020, the first death from a ransomware attack was recorded at a German hospital, with many other organizations crippled because of an attack. The Australian Cyber Security Centre (ACSC) has noted an increase in the number of attacks against Australian businesses and individuals. Already in 2021 there have been an unprecedented number of cyberattacks, prompting the labor opposition to introduce a bill that would mandate the reporting of ransom payments.
What is Ransomware?
Ransomware is a constantly evolving form of malware that renders the files on a device or system unusable by encrypting them. The files are only decrypted once a ransom is paid. Often the demand for ransom is accompanied by a threat to release information held in the files if the ransom is not paid.
It is estimated 33% of businesses subject to a ransomware attack pay the ransom, with the average payment being $1.25 million.
Ransomware Payments Bill 2021
Introduced as a private members bill, the proposed legislation would create a notification system whereby large organizations and government entities are required to notify the ACSC before making any ransom payment. Those reporting would also be required to disclose details about the attack, such as the attacker and their cryptocurrency wallet. This information would be shared by ACSC after having the identifying details removed.
The Ransomware Payments Bill is a direct response to several high-profile attacks that resulted in the payment of a ransom, including an attack against JBS Foods, which saw the company pay a $14 million ransom. Other affected organizations include UnitingCare Queensland and Nine Entertainment.
Why is Mandatory Reporting Important?
Mandatory reporting will provide a comprehensive picture of the scale of ransomware attacks in Australia. It is seen as key in mounting a defense to these attacks, as it will provide law enforcement and intelligence agencies with key data regarding where the money is going and enable it to be tracked. This will help in the long-run identify those responsible for the attacks.
The other aspect of mandatory reporting is private organizations and IT service providers will be able to use the information to develop systems and software to protect their data and files.
For the bill to become law it will require the support of the government, who Labor claims is missing in action when it comes to the threat from cyberattacks faced by Australian companies.
The bill, if passed, could provide the foundation for a coordinated approach to the problem. To date, the government has resisted Labor’s calls for mandatory reporting. However, there is increasing pressure from Australia’s spy agency for change following the recent refusal of a major company to work with the government when responding to a cyber attack, which may prompt a change of heart.