New Australian bill would force companies to disclose ransomware payments
Australian lawmakers have filed on Monday a new bill that would mandate that local companies inform the Australian Cyber Security Centre (ACSC) of their intention to pay a ransomware gang.
The Ransomware Payments Bill 2021 was put forward today by Tim Watts, Australia's Shadow Assistant Minister for Cyber Security, and comes after Australian companies have seen an increased number of ransomware attacks over the past year, including high-profile attacks on multiple hospitals, Australian TV station Channel 9, beverage giant Lion, logistics giant Toll Group, and others.
"The cost of ransomware to the Australian economy is in the order of $1 billion and recent figures showing a 200 per cent increase in reported ransomware attacks on Australian organisations," a spokesperson for Mr. Watts said in a press release.
By enforcing a mandatory ransomware payment notification scheme, the Australian politician hopes to provide more accurate and actionable data to the ACSC, the country's top cyber-security agency, and other law enforcement agencies in order to assess and better understand the phenomenon.
A scheme where victims are mandated to report ransomware attacks and payments to local law enforcement agencies was also one of a broad set of recommendations sent to the Biden administration by the non-profit group the Ransomware Task Force earlier this year, as part of a broad lobbying effort to get US officials to crack down on ransomware gangs.
The Australian bill filed today is another sign that governments around the world are getting closer to their breaking points when it comes to dealing with ransomware gangs and the destructive fallouts of their attacks.
After a series of attacks in France, the French government put pressure on local insurance company Axxa to stop covering ransomware payments on behalf of their French customers.
While not yet official, similar efforts are also underway in Britain, where the Johnson administration is allegedly considering a ban on insurance companies covering/reimbursing ransomware payments, a move the UK government believes would push organizations into investing in actual security measures rather than paying for insurance.
Furthermore, there's also movement in the US where lawmakers in four states are currently considering bills that would ban organizations from paying ransomware demands in some situations, efforts spotted last week by law firm Alston & Bird.
| State | Bill | Description |
|---|---|---|
| New York | NY S 6806 | Prohibits business entities, healthcare entities, governmental entities state, from paying a ransom. |
| North Carolina | NC H 813 | Prohibit state agencies and local government entities from paying a ransom demand and even engaging with the attacks. |
| Pennsylvania | PA S 726 | Prohibits the use of taxpayer money for ransomware payments. |
| Texas | TX 3892 | Prohibits local governments from making ransomware payments and would require victims to report the incident to local state officials. |
“Do not pay” is for ransomware what “do not click” is for phishing. Sounds like great advice, but falls apart in a real world model.
— Runa Sandvik (@runasand) June 20, 2021
Catalin Cimpanu
is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.