The Australian government is planning to introduce tougher criminal offences and penalties for ransomware crooks as well as a mandatory reporting regime for victims of ransomware attacks.
Home Affairs minister Karen Andrews today introduced a new “ransomware action plan” intended to “hit cybercrooks where it hurts most – their bank balances”.
Ransomware incidents in Australia jumped by 15 percent over the past year.
The plan – currently light on detail – will see new standalone aggravated criminal offences with harsh penalties introduced for all forms of cyber extortion as well as ransomware attacks that target critical infrastructure.
Dealing with stolen data that has been knowingly obtained illegally will also become a crime, as will buying or selling malware for use in cyber crimes.
The government also said it would update legislation to allow law enforcement to better track, seize or freeze cryptocurrency-based ransomware transactions.
And victims of ransomware with a turnover of more than $10 million will be required to report the incident to government under new additional legislation.
The mandatory reporting regime will allow government to “enhance our understanding of the threat and enable better support to victims”, Andrews said. Ransomware victims could be hit with civil penalties if they fail to comply.
The proposal comes after the Australian Signals Directorate revealed it had experienced difficulty on occasion getting co-operation from some large victims of ransomware.
ASD director-general Rachael Noble earlier this year said the agency had only discovered a ransomware attack of “national” significance through media reports, and subsequently struggled to gain information from the victim firm itself.
Transport giant Toll Group later outed itself as the entity ASD was referencing, but argued it had worked closely with the agency without any issues being raised at the time. Toll did however concede “we may not have responded at the pace the ASD may have expected due to the crises we were experiencing”.
The detail of the new reporting regime and criminal offence changes are yet to be revealed.
The changes add to proposed laws for critical infrastructure operators currently before parliament that would introduce minimum cyber security standards and allow government to intervene in active attacks. Many organisations are also already required to report data breaches impacting personal information to the OAIC.
Consultation will now be undertaken with relevant stakeholders on the mandatory reporting regime and new criminal offences, the government said.
The planned changes somewhat mimic a number of measures being undertaken by the US government to similarly disrupt the ransomware industry.
US President Joe Biden announced a four-pronged strategy to target ransomware actors in July, largely aimed at cracking down on their financial transactions, making US firms more resilient to hacking, and strengthening joint international efforts.
Last month it started to follow through on a pledge to sanction financial exchanges that facilitate ransomware payments. Bipartisan legislation to mandate that certain firms and federal agencies report cyber attacks to the US government is expected to be introduced imminently.
And later this month Biden will host officials from 30 countries as part of a Counter-Ransomware Initiative meeting that will look at how best to combat ransomware and other forms of cyber crime.
