Ransomware – Show me the money: should we or shouldn't we
19 November 2021
Every 11 seconds, there is a ransomware attack on businesses globally with losses reaching up to US$20 billion. Data breaches and cyber-attacks are predicted to remain the number one threat through to 2024. Home Affairs Australia reported the annual cost of cyber-attacks on the Australian economy to be $29 million. In just the last year or so, there has been an increase of 15% in cybercrime reported to the Australian Cyber Security Centre (ACSC).
As we move into a more digitally reliant world, ransomware attacks have increased and will continue to do so. Cybercriminals have been conducting high-profile attacks on critical infrastructure globally, with 44 cyber-attack incidents in Australia alone in just the last year.
This article discusses the impact that ransomware attacks have had on the market globally, current trends and the legislative framework introduced in Australia as a result.
What is ransomware?
The starting point is to understand what ransomware is. It is a type of malicious software (malware) that cybercriminals use to block access to files or devices by encrypting them and holding the information hostage to extort ransom payments. Cybercriminals have not only threatened businesses by preventing access to their own data, but have also threatened to publish the data online to “blackmail” organisations into paying. It is crucial for organisations to remain vigilant and have a plan in place, as ransomware can be damaging not only financially but also to reputation, and can expose the organisation to potential litigation. In fact, 20% of organisational data breaches have resulted in actual or threatened litigation claims once data subjects were notified of the breach.
Global response to ransomware
We have seen different responses to ransomware globally, resulting in different outcomes. A major Australian transportation and logistics company suffered a cyber-attack in 2020 and chose not to engage with or pay the hackers, as it believed doing so would only encourage the attackers. It is now believed that the stolen data may be published on the dark web. On the other hand, in the US, a high-profile attack was carried out on the country's largest fuel pipeline, which led Colonial Pipeline to pay 75 bitcoins, equivalent to nearly US$5 million, to the cybercriminals to restore the pipeline. Paying a ransom in cryptocurrency allows the attacker to remain free and untraceable. To avoid detection, the attackers ensured that the targeted business was not in a region on the sanctions list.
Due to the severity and increasing number of ransomware incidents, governments worldwide have created strategy plans and introduced new reforms and legislation to govern ransomware and combat cybercriminals, in order to mitigate huge revenue losses to their economies. The ACSC was introduced in November 2014, following the introduction of the European Cybercrime Centre in 2013. Both centres were established to strengthen the enforcement response to cybercrime and to protect citizens, businesses and governments from cybercriminals and ransomware.
In Australia, it is not prohibited to pay ransom demands; however, the government does not condone it, as there is a risk that the payment may be tied to sanctioned entities, which would make it illegal. Under schedule 1 of the Criminal Code Act 1995 (Cth) and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), it is an offence to deal with money or other property if there is a risk that it may become an instrument of crime. Australia has the Autonomous Sanctions Act 2011 and, similarly, the UK introduced the Sanctions and Anti-Money Laundering Act 2018, which provides a list of sanctioned people, entities and ships and bans making funds available to them.
Sections 15 and 17 of the Terrorism Act 2000 (United Kingdom of Great Britain and Northern Ireland; 2000 Chapter 11, 20 July 2000) provide that payors could be prosecuted if the ransom is linked to terrorism, and could be imprisoned for a term of between six months and 14 years, fined, or both. The US Treasury Department has also followed Australia and the UK by adding ransomware operators to its list of sanctioned entities, making ransom payments to these entities illegal.
In a further attempt to deal with the increasing number of ransomware attacks, Australia introduced the Ransomware Payments Bill 2021 (Cth) (the Bill) in June 2021. If the Bill is passed, it would require Commonwealth, state or territory entities and corporations to report ransom payments to the ACSC or incur fines of up to $222,000. If the Bill becomes law, entities will be required to provide the ACSC with a written notice including the entity’s name and contact details, the identity of the attacker or any relevant information about the attacker, and a description of the ransomware attack. This includes the cryptocurrency wallet to which the ransom payment was made, the payment amount and any indicators of compromise known to the entity, as soon as practicable. The second reading of the Bill was introduced and moved, with no proposed amendments circulated to date. We will track the progress of the Bill and keep you updated.
Similarly, the US has taken Australia’s approach and introduced the Ransom Disclosure Act in October 2021, which requires local governments and entities to report ransom payments within 48 hours to the Department of Homeland Security. It is not made clear what type of penalties may apply for non-compliance; however, the Act states that the Department is to establish appropriate penalties. In comparison, the UK has not introduced new legislation to deal directly with ransomware; however, following Australia's lead, it established the National Cyber Security Centre (NCSC) in October 2016, which allows organisations and individuals to report ransom payments and cyber-attacks. The NCSC does not, however, oblige entities to report ransom payments.
Overall, paying cybercriminals is not illegal; however, there is a globally uniform approach of not condoning organisations and individuals paying ransoms, due to the risks involved. There is no guarantee that organisations will regain access to their data or that the data won’t be published online. There is no certainty when dealing with cybercriminals, and no guarantee that the ransom paid to the attackers won’t be linked to a sanctioned entity or country.
The Colonial Pipeline cyber-attack provides a perfect example. Cybercriminals are always one step ahead of us. Not to mention, paying a ransom encourages cybercriminals and makes organisations more vulnerable to future ransom demands. Eight per cent of businesses suffer another attack after paying the ransom demanded, and 46% believe that it is the same attacker.
The impact on insurance coverage and premiums
In the current global environment, cyber premium rates continue to rise as insurers seek to cover ransomware losses. Ransomware accounts for more than half of insurer losses and, therefore, insurers have begun requesting evidence that the insured’s security controls are in place and suitable. Cyber insurance premiums increased 27% from April to May 2021 alone when compared with last year. There was a 400% rise from the first quarter of 2018 to December last year.
Premiums have also continued to rise this year, as policies still respond to first-party and third-party losses. There was a 35% increase in the first quarter and 40-50% in the second quarter. Similarly, premium rates in the US have increased 96% due to the frequency of ransomware claims. In due course, we will see an evolution of wording and coverage in cyber insurance, and insureds need to be aware of their notification obligations. If the Bill is passed in Australia, there will also be an additional obligation to report ransom payments to the ACSC as soon as practicable, with a civil penalty of 1,000 penalty units applying for failure to notify.
Protecting yourself against a cyber-attack and ransomware
It is evident that ransomware and cyber-attacks are a global threat that is growing by the minute. Cybercriminals do not discriminate; they conduct cyber-attacks because it is an easy and lucrative earning mechanism. They attack every type of organisation, from small businesses to high-profile critical infrastructure and everything in between. You may ask: is the globally uniform approach of not condoning ransom payments successful?
In our view, every case should be dealt with on its own merits, but we cannot ignore that there are risks no matter what action is taken. That said, it is best to avoid paying a ransom (if possible) to protect yourself from incurring penalties or dealing with repercussions. There is no way to know where the attacker is based, and if they are connected to sanctioned entities or terrorist groups, the payer will have liabilities imposed directly upon it. Further, there is no guarantee that organisations will regain access to their systems or that the data won’t be leaked regardless.
Precautionary steps are important to minimise the impact of a cyber-attack:
Remaining cautious and informed about cyber-attacks and current trends can help.
Update devices/systems, use multifactor authentication and perform regular backups, so that if there has been a cyber-attack, the organisation can carry on its business without delay and won’t need to pay a ransom.
Prepare a cyber-attack emergency plan and know what data you hold, as ransomware attacks need to be dealt with immediately. It is just as important to train employees on how to stay alert and identify unsafe and/or suspicious websites, files and emails.
Seventy-three per cent of employees are making mistakes due to the impact of COVID-19 lockdowns on their mental health and working in distracting environments. Cyber-attacks and ransomware not only impact an organisation's finances, reputation and credibility, but may also increase litigation risk. Further, part of a holistic approach is having the appropriate insurance cover and team in place to best mitigate any losses that may arise from ransomware. Collectively, these measures will aid in responding to ransomware. Remember, prevention is better than cure and, while cyber-attacks are inevitable, the aim is to lower the impact an attack has on everyone.