How Australian companies can defend against ransomware

The “devastating” ransomware surge draws interest, calls for action at the highest levels of government.

The threat ransomware poses to Australian interests has grown sufficiently worrying that a new high-level government advisory paper on the subject attracted launch support from no less than federal Minister for Home Affairs Peter Dutton.

Designed as a how-to guide for businesses wanting to protect themselves from ransomware, the new guide—the first output from the recently formed Cyber Security Industry Advisory Committee (CSIAC) headed by Telstra CEO Andrew Penn—flags the confluence of a surge in phishing, ongoing poor cybersecurity within companies, and “growth in the proliferation of cryptocurrency which is hard to trace, making it ideal for ransomware demands.”

The rise of ransomware and double-extortion attacks

This perfect storm has put ransomware front and centre for companies of all sizes, Dutton noted, warning in releasing the paper that “cybercriminals continue to see Australian businesses as an attractive target and ransomware is a particularly disruptive form of cyberattack that can have devastating impacts.”

The CSIAC echoed these sentiments, noting that ransomware “has become one of the most immediate, highest-impact cyber threats to Australia”—with 61% of executives in a recent PwC survey saying they consider ransomware attacks likely in the next 12 months.

The CSIAC grew out of the federal government’s Cyber Security Strategy 2020, which was launched last year as an update to the 2016 strategy and has been allocated $1.7 billion to address 60 key recommendations that shaped the revised strategy.

“It is hard to imagine a more important piece of work,” Penn wrote when the committee was announced in October 2020, noting that “connected technologies are now right at the heart of the lives of most Australians and increasingly pivotal in shaping our economy, our society and our prospects for the future.”

Yet those prospects faced escalating challenges, he added, warning that “more abundant and better resourced cybercriminals and cyberactivists and increasingly sophisticated and emboldened state actors mean Australia is quite literally under constant cyberattack.”

Ransomware grew furiously during 2020 from an already-surging baseline, as cybercriminals took advantage of the COVID-19 pandemic’s disruption and rapidly embraced ‘double-extortion’ ransomware attacks, in which companies refusing to pay the ransom were met with additional threats to publish confidential company data online.

As major firms including Toll Holdings and Heat Group found to their dismay, double-extortion threats were often followed through—and they became much more common, with 40% of respondents to a recent VMware Security Business Unit survey flagging the technique as the most-observed new ransomware technique during 2020.

That Australian companies are following the guidance of the CSIAC, which recommends that they never pay ransomware criminals, suggests that the country’s business community has not yet seen its last major dump of sensitive data.

“This is not an isolated event,” VMware Security Business Unit head of cybersecurity strategy Tom Kellermann said. “With COVID-19 catalysing digital transformation and a shift to cloud services, these sorts of attacks will only increase in frequency. Organizations have to realize that it’s no longer simply about whether breaches along their supply chains can be leveraged to attack them, but whether they themselves can be used to attack their customers.”

A framework for fighting ransomware

Such concerns permeate the CSIAC report, which emerged just weeks after opposition ministers Kristina Keneally and Tim Watts—deputy Labor leader in the Senate and shadow assistant minister for cybersecurity, respectively, among other responsibilities—released a white paper calling for the Morrison government to formalise a national ransomware strategy.

The “combination of organisational innovation and international impunity has significantly increased the scale and severity of ransomware attacks over the past 12 months,” that report noted, warning that “the consensus amongst industry professionals is that the problem has become significantly worse since this analysis was done.”

Part of that escalation has come through the ongoing Hafnium been chained with other vulnerabilities to facilitate new attack vectors including the dispersal of ransomware such as DearCry.

Government bodies have “a range of policy tools that only it can deploy” to clamp down on further ransomware attacks, the report noted, calling for a mechanism “designed to reduce the attractiveness of Australian targets in the eyes of cybercriminals. … It should pursue a range of initiatives designed to increase the costs of mounting campaigns against Australian organisations and to reduce the returns that are realised from such campaigns … to create the perception in the minds of attackers that Australian targets are not worth the effort.”

The CSIAC’s recommendations follow similar lines, offering companies guidance on a range of factors including the impact of weak controls, outdated software, and ‘strong foundational controls’; the legality of ransomware payments; the question of whether broader adoption of cyber insurance is increasing ransomware attack frequency; and, in a nod to increasing onus from ever-tighter governance measures, the role and obligations of directors and disclosure obligations placed on listed companies.

“Organisations cannot afford to be complacent,” the guide noted, offering numerous case studies from the ACSC’s recent investigation work and warning that continued acceleration of ransomware attacks at current rates will hit Australia’s GDP by $86 billion in net present value terms over the next decade.

“The good news,” Dutton said, “is that many ransomware attacks can be avoided by implementing basic cybersecurity controls, and I urge businesses to take the time to review the advisory committee’s advice.”

Copyright © 2021 IDG Communications, Inc.
