Australia to consider banning ransomware payments
Alexander Martin November 14, 2022

Australia will consider banning ransomware payments in a bid to undermine the cybercriminal business model, a government minister said on Sunday.

Clare O’Neil, the minister for home affairs and cybersecurity, confirmed to Australia’s public broadcaster ABC that the government was looking at criminalizing extortion payments as part of the government’s cyber strategy.

The announcement follows several large security incidents affecting the country, including most significantly the data breach of Medibank, one of the country’s largest health insurance providers.

Earlier this month Medibank stated it would not be making a ransom payment after hackers gained access to the data of 9.7 million current and former customers, including 1.8 million international customers living abroad.

All of the data which the criminals accessed “could have been taken,” the company said. This includes sensitive health care claims data for around 480,000 individuals, including information about drug addiction treatments and abortions.

O’Neil’s interview followed an announcement by Australian Federal Police (AFP) Commissioner Reece Kershaw that the agency had identified the individual perpetrators of the Medibank hack, and that a group based in Russia was to blame.

Similar proposals to ban ransomware payments have been floated internationally to deal with the growing threat of cyber extortion, but there are concerns that doing so could be unsuccessful.

Criminalizing extortion payments could push visibility of attacks further underground by forcing companies to keep quiet about incidents to avoid regulatory scrutiny. It could also provide the ransomware gangs with another lever to extort their victims — if a company does pay a demand to save the business, the hackers could potentially demand a second extortion payment to keep the first one quiet.

In most current cases, making ransomware payments is not a criminal offense. However, some hacking groups have been sanctioned by the U.S. Treasury’s Office of Foreign Assets Control, meaning that payments to them could be a crime.

‘Hunt down the scumbags’

The minister’s comments came a day after she announced a new permanent joint standing operation between the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD) — the country’s cyber and signals intelligence agency — to tackle cybercrime.

The new initiative would see 100 officers work “day in, day out, hunt down the scumbags who are responsible for these malicious crimes against innocent people,” according to O’Neil.

She confirmed that the standing operation will be “offensively attacking” the groups responsible for ransomware incidents and said they wouldn’t be waiting “for a crime to be committed” before trying to “understand who it is and do something to the people who are responsible. We are offensively going to find these people, hunt them down, and debilitate them before they can attack our country.”

In a government statement announcing the operation, the Australians said it would “investigate, target and disrupt cyber criminal syndicates with a priority on ransomware threat groups,” prioritizing groups “based on the harm they can cause and the threat to our national interests.”

It follows a coalition of government cybersecurity leaders from nearly 40 countries earlier this month reaffirming their plans to work together to stamp out ransomware attacks.

The initiative will establish a voluntary International Counter Ransomware Task Force, helmed by Australia’s government, to boost information sharing about threats and track the finances of ransomware gangs, according to a fact sheet that accompanied the joint statement.

Alexander Martin is the UK Editor for The Record. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.