Australia wants to ban ransomware payments
Grant Gross
Video Embed
The Australian government will consider a controversial step of outlawing ransomware payments in the wake of a handful of major breaches, according to the top cybersecurity official there.
Following recent data breaches at health insurer Medibank and telecom provider Optus, the Australian government will focus on new ways to fight ransomware and other cyber-based attacks, said Clare O’Neil, minister for home affairs and for cybersecurity. After Medibank refused to pay a ransom to recover its stolen data, cybercriminals began to release its customers’ health data, including information on women who sought abortions.
RETURN OF RUSSIAN RANSOMWARE GROUP REVIL
O’Neil also told ABC News of Australia that the government would set up a new cybersecurity task force to “hunt down” cybercriminals across the globe. The government will also look at prohibiting hacked organizations from paying ransomware groups.
O’Neil said she doesn’t trust ransomware gangs even after they are paid. “The idea that we’re going to trust these [cybercriminals] to delete data that they have taken off and may have copied a million times is just frankly silly,” she said.
However, the idea of banning ransomware payments was met with mixed reactions from cybersecurity professionals. Some said it could take away the profit incentives from cybercriminals, while others suggested it would result in more personal data leaked across the dark web.
Trusting ransomware gangs to delete data after they’ve been paid is foolish, said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, a provider of identity management services. In a survey of security professionals Venafi conducted last year, 18% said their data were still leaked after paying a ransom, and another 35% said they were unable to recover the stolen data after paying.
Therefore, there is evidence that a ban on ransomware payments will “make an impact,” he said. “Ultimately, if fewer companies pay, that’ll hit ransomware operators where it hurts — their wallets.”
A ban won’t stop cybercrime, but it may force some cybercriminal operations to “pivot” toward other schemes, he said. In addition, a ban may create incentives for organizations to protect their data better.
“If payments are illegal, then they no longer will be able to rely on paying to get their data back or have the safety blanket of cyber insurance to foot the bill,” he said. “Instead, they’ll have to prevent the attacks at the source and focus on making sure they’re secure.”
Other security professionals weren’t fans of the proposal. Some questioned how Australia would enforce such a law, with hacked companies having little incentive to report ransomware attacks publicly.
“If anything, payments to ransomware operators would most likely go under the table, and in the case of multinational organizations, they would simply move the payments elsewhere to an entity outside of Australia,” said Nigel Houghton, director of marketplace and ecosystem development at ThreatQuotient, a threat detection and response provider.
Decisions on whether to pay ransoms can be complex and involve a specialized team of professionals working with the hacked company to determine whether paying would be beneficial, Houghton added.
CLICK HERE TO READ MORE FROM THE WASHINGTON EXAMINER
“Banning ransomware payments is a ridiculous notion and does nothing to stop ransomware operators,” he said. “To remove that option would severely hamper the responses available to [the hacked company’s] team and will no doubt lead to far more serious consequences, especially the ability of a company to continue business operations.”
One fix won’t stop ransomware, he said. “There is no simple solution to the problem of ransomware, and since the internet is not governed by a single country, you cannot use laws to stop criminals,” he added. “They are criminals because they break laws. Legislation preventing ransom payments would make criminals out of victims.”