Ransomware remains one of the most common forms of cyber attack, and it is particularly dangerous because it so often works.
Globally, ransomware damage costs are predicted to exceed $265 billion by 2031. These attacks can affect even the largest of organisations. In July, a hacking group disrupted more than 230 of Indonesia’s government agencies and services by infecting critical systems at a national data centre.
In theory, ransomware would be a costly irritant rather than a catastrophe: pay the ransom and the problem goes away.
The cost of paying a ransom is often small compared with the cost of recovering or rebuilding systems. The group behind the Indonesian data centre attack, for example, demanded a relatively modest $12 million from the central government.
Research from McGrathNicol Advisory found that 73% of Australian organisations that experienced a ransomware attack in the past five years chose to pay the ransom.
Globally, ransomware payments exceeded $1 billion for the first time last year, according to Chainalysis. “Big game hunting,” where groups go after large organisations and demand ransoms of over $1 million, is on the rise. And affected organisations are often tempted to pay.
However, paying the ransom should not be the default decision. The Indonesian government, for example, refused to pay. Australia, meanwhile, has debated banning payments outright and is moving towards mandatory reporting and closer scrutiny of them, meaning that roughly three-quarters of organisations need to plan for a different way of dealing with the threat.
Currently, the Australian government strongly recommends against paying a ransom, a recommendation that too few heed.
“Making a ransomware payment does not guarantee sensitive data will be recovered nor prevent it from being sold or leaked online,” the government notes on the DFAT website. “You may also be targeted by another attack. It also makes Australia a more attractive target for criminal groups.
“Making or facilitating a ransomware payment may breach Australian sanctions laws and result in criminal penalties where such payments are made to persons or entities subject to Australian autonomous sanctions laws.”
In 2022, the government floated the idea of going a step further and outlawing ransomware payments altogether. This raised concerns from the business community about the absolute nature of such a law, and late in 2023 the government quietly dropped the plan in favour of introducing mandatory reporting requirements.
This decision was partly made to improve the national understanding of ransomware attacks and cybercrime. The underreporting of ransomware incidents is “limiting our national understanding of their true impact on the economy,” the government noted, adding that the “mandatory, no-fault, no-liability” obligation to disclose these incidents would improve this understanding.
“Pending design, anonymised reports of ransomware and cyber extortion trends could be shared with industry and the broader community to help us take steps to build our national resilience against cybercrime,” the government said.
However, while paying is not outright illegal at present, organisations must understand that a payment could constitute a sanctions offence, as noted on the DFAT website. It could also amount to a money laundering offence under the Criminal Code Act 1995 if "there is a risk that the money will become an instrument of crime" and the organisation is "reckless" or "negligent as to the fact that the money or property is proceeds of indictable crime."
Lawyers could argue legal defences against such charges. But the point is that, with increased scrutiny and a clear intent to crack down on ransomware payments, organisations should be looking for ways to handle a ransomware attack that do not depend on paying.
Despite the many high-profile cases of breaches and successful ransomware attacks in Australia in recent years, preparedness is still low — and organisations are still feeling pressure to pay the ransom.
As a priority, organisations should ensure their IT and security teams are prepared. This means patching operating systems, software and applications promptly, and ensuring that every endpoint device is properly maintained and compliant with policy.
At the same time, the organisation should develop a backup strategy that includes an air-gapped (offline) copy, so that a ransomware attack that reaches the network cannot also encrypt or delete the backups. A backup that has never been test-restored is an assumption, not a recovery plan: restores should be rehearsed and the integrity of the offline copy checked before it is needed.
Then, once the initial attack has been contained, enlist a third party to conduct a thorough audit of the environment, determine whether the attacker retains any foothold, and identify where the vulnerabilities lie.
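As an added example, not from the article and not tied to any vendor product, the following Python routine shows one way to make the offline backup check concrete: record a SHA-256 manifest of the backup set while it is known-good, store that manifest with the air-gapped copy, and later diff the live backup against it so that files an attacker has encrypted, deleted or added are caught before anyone restores from them. The sample files, the simulated attack and all file names are constructed for illustration.

```python
"""Offline-manifest check for a backup copy.

Added example: build a SHA-256 manifest of a backup set, keep the manifest
with the air-gapped copy, and later compare the live backup against it so
that files a ransomware run has encrypted, deleted or added are detected
before anyone tries to restore from them. Sample files are constructed
inline; nothing here is taken from the article or from a real incident.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree against a manifest written earlier.

    Returns files whose content changed, files that disappeared, files not
    in the manifest (e.g. a dropped ransom note), and files that still match.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "extra": sorted(p for p in current if p not in manifest),
        "ok": sorted(p for p in manifest if p in current and current[p] == manifest[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest, simulate an attack, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (backup / "db" / "users.sql").write_bytes(b"INSERT INTO users VALUES (1, 'alice');\n")
        (backup / "config.yaml").write_bytes(b"retention_days: 30\n")

        # The manifest is written while the copy is known-good. In practice it
        # is stored with the offline copy, out of reach of anything running on
        # the network, so an intruder cannot simply regenerate it.
        manifest_json = json.dumps(build_manifest(backup), sort_keys=True)

        # Simulated ransomware (constructed): overwrite one file with random
        # "encrypted" bytes, delete another, and drop a ransom note.
        (backup / "db" / "orders.sql").write_bytes(os.urandom(64))
        (backup / "config.yaml").unlink()
        (backup / "README_RESTORE.txt").write_bytes(b"Your files are encrypted.\n")

        return verify_backup(backup, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the place the manifest lives: if it sits on the same host or share as the backups, an attacker who can encrypt the data can rewrite the manifest too. Keeping it with the air-gapped copy (or signing it with a key that is never present on production systems) is what turns the hash list into evidence.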
Paying up, the default response of Australian companies, will not be viable indefinitely. The best-practice approach to handling ransomware is well known, yet few companies seem to be moving with urgency to prepare their environments, and that leaves them increasingly exposed.