Australia’s Ransomware Action Plan latest salvo in war on cybercriminals

The federal government is ready to name hostile nation-states as it criminalises cyberextortion, mandates ransomware reporting, and tracks cryptocurrency ransoms.


Australian businesses will be required to report ransomware attacks under the new Ransomware Action Plan (RAP), which will also see the Commonwealth government “actively calling out” hostile nation-states and imposing a range of new penalties including a new offence of ‘cyberextortion’ and criminalisation of the buying and selling of malware.

Australia’s escalating war on cybercriminals

Its introduction is the latest in an escalating crackdown on cybercriminals that emerged from the passage of the government’s proactive Cyber Security Strategy 2020, and more recently drove the July 2021 announcement of Operation Orcus, an Australian Federal Police (AFP)-led task force that will see a 35-strong AFP and Australian Cyber Security Centre (ACSC) partnership directly target ransomware criminals.

Australia’s relative wealth, high levels of online connectivity, and increasing online service delivery make the country “very attractive and profitable for transnational, organised cybercrime syndicates to target”, the report notes, warning that “ransomware and cyberextortion remain the most serious cybercrime threat facing Australia due to the high financial and disruptive impacts to victims and the wider community.”

With the ACSC reporting a 15% increase in reported ransomware attacks and nearly 500 ransomware attacks against Australian companies logged in the past year alone, the crackdown on ransomware, Andrews said, reflects a conscious decision to “take a decisive stance” against the practice with “a zero tolerance approach to ransomware”.

“We need to ensure that Australia remains an unattractive target for criminals and hostile place for them to operate,” she said.

Security researchers have been sounding alarms about the escalating climate of ransomware attacks, with Mandiant this month calling out ransomware gang FIN12—which has “aggressively pursued” healthcare targets in Australia and elsewhere and gives victims just 2.5 days to pay the ransom, half as long as the industry average.

It was not immediately clear whether the new powers are directly related to the government’s efforts to push new investigative powers through Parliament before it rises for the Christmas break, with a parliamentary committee recently recommending significant critical infrastructure protection legislation be split to fast-track passage of powers to counter a “serious, considerable, and increasing” threat of “cyber-enabled attack and manipulation of critical infrastructure assets”.

RAP in summary

The new plan—which will be refined with input from industry and community stakeholders—will introduce new standalone aggravated offences for all forms of cyberextortion and attempts to target critical infrastructure, as well as criminalising the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence.

The proposed legislation will also criminalise the buying or selling of malware for the purposes of undertaking computer crimes—a direct shot at fast-growing ransomware-as-a-service (RaaS) operators like REvil, which has extracted millions from major ransomware victims including remote-management provider Kaseya, gas distributor Colonial Pipeline, and meat processor JBS.

“Ransomware gangs have attacked businesses, individuals, and critical infrastructure right across the country,” Home Affairs Minister Karen Andrews said in introducing the RAP. “Stealing and holding private and personal information for ransom costs victims time and money, interrupting lives and the operations of small businesses.

Any ransomware payment, small or large, fuels the ransomware business model, putting other Australians at risk. Our tough new laws will target this online criminality and hit cybercrooks where it hurts most: their bank balances.”

The RAP includes several changes to modernise proceeds-of-crime legislation, as well as helping law-enforcement organisations track and freeze cryptocurrency payments made to cybercriminals.

Among the many initiatives outlined in the RAP are a range of joint operations with international counterparts “to strengthen shared capabilities” in detecting and disrupting malicious cyber actors—reflecting the government’s June declaration of solidarity with G7 countries’ commitment to fight ransomware.

The government also telegraphed proactive efforts to tackle cryptocurrency transactions associated with ransomware payments, and indicated that it would be “actively calling out states who support or provide safe havens to cybercriminals”.

This last policy is a marked escalation from more-circumspect government policies under which senior figures have generally stopped short of blaming a specific country for cybercriminal activity—such as when Prime Minister Scott Morrison carefully watched his words when he last year announced that Australian organisations were being targeted by a “sophisticated” cyberattack.

The RAP also highlights planned collaboration with states and territories to update the 2013 National Plan to Combat Cybercrime—an effort to introduce a consistent regulatory regime for this new breed of data-related crimes.

Australia’s security industry reacts to RAP

Early responses from security industry figures were broadly supportive of the move, with Kaspersky Australia ANZ general manager Margrith Appleby welcoming increased penalties for cybercriminals and agreeing that “there is absolutely a place for government support in the fight against ransomware.”

The RAP’s proposed mandating of ransomware reporting—it has recommended a cutoff of $10 million or more annual turnover before businesses must participate—may need to be re-examined, Appleby said, to ensure that small but critical infrastructure organisations aren’t exempted.

“If an industrial or supply chain organisation is attacked,” she said, “it can have an enormous impact on our essential services.”

KnowBe4 security awareness advocate Jacqueline Jayne called mandatory reporting of ransomware attacks “a move in the right direction”, welcoming “more visibility and transparency to encourage more conversations about the impact and ferocity of ransomware attacks or near misses. … Data can be used as a learning opportunity.”

Palo Alto Networks ANZ head of government affairs and public policy Sarah Sloan welcomed the new plan, noting that “it is important that national policies pursue a multi-pronged approach to combat ransomware, which is focused on helping organisations not just respond to ransomware attacks but also to help them better prepare for and prevent these attacks.”

Copyright © 2021 IDG Communications, Inc.
