Mandatory notice of ransomware payments: Is it a good idea?

There is no doubt that  ransomware attacks are amongst the most serious cyber threats to organisations worldwide. But is mandatory notification of ransomware payments likely to help?

In Australia on 21 June 2021, Labor’s Tim Watts introduced a private members’ bill to the House of Representatives: Ransomware Payments Bill 2021. If passed, the Bill will introduce a scheme requiring certain organisations to notify the Australian Cyber Security Centre (ACSC) if they make a ransomware payment.[1]

Background

Whether victims of ransomware attacks should pay the ransom has been much discussed, particularly following Colonial Pipeline’s much publicised decision to pay the attackers who had crippled their gas pipeline.

Paying ransomware is counter to conventional wisdom. The overwhelming advice from law enforcement, government agencies and official cybersecurity bodies such as the Australian Cyber Security Centre (ACSC) is not to pay the ransom.  Reasons include that it encourages criminals and there is no guarantee that the data will be returned.

Conversely, Forrester Research argue that paying ransomware should be viewed as a viable option and evaluated like any other business decision.

Paying ransomware certainly seems to be regarded as viable option  by many Australian businesses. In its 2020 Global Security Attitude Survey report, Crowdstrike found that two-thirds of Australian organisations had been targeted by ransomware attacks. Of these a third had paid the ransom.

It is this behaviour that Labor’s Bill is looking to address.

What does the mandatory notification of ransomware payments bill require?

The Bill would establish a mandatory reporting requirement for a wide range of entities including Commonwealth , state or territory agencies, and corporations. Small businesses, with an annual turnover of less than $10m, sole traders, unincorporated entities and charities will be exempt from the notification requirement.

Covered entities that make a ransomware payment must give written notice ‘as soon as practicable’ to the Australian Cyber Security Centre (ACSC). Although not entirely clear, it does seem that notice is to be given after payment.

The wording of the proposed relevant Clauses is included at the end of this blog post if you’re interested in checking the drafting of the requirement.

Information to be provided to the ACSC includes the organisation’s details, the details of the attacker and information about the attack to that extent that it is known. Information about the attack includes cryptocurrency wallet details, the amount of the payment, and indicators of compromise.

Failure to notify the ACSC attracts a penalty of up to AUD$222,000.

Purpose of mandatory notification?

The Bill’s  stated purpose is to ‘allow our signals intelligence and law enforcement agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups.’ Information would also be used to inform Australian authorities and policymaking in the space.

The Explanatory Memorandum that supports the Bill provides that the ACSC will use the information it receives to:

• Share de-identified information to the private sector through the ACSC threat-sharing platform.
• Collect and share information that may be used by law enforcement.
• Collect and share information to inform policy making and to track the effectiveness of policy responses.

However, it’s possible that there’s an alternative purpose for the legislation, more focused on using mandatory notification as a way of deterring organisations from making ransomware payments. When talking about Labor’s ransomware strategy, Mr Watts indicated he would like Australian organisations to be less of a target: “If Australian organisations can develop a reputation for being less likely to pay ransoms than targets in other jurisdictions, the return on investment for targeting Australian organisations will fall and so too will targeted ransomware attacks against Australian organisations.”

In a subsequent interview, Mr Watts also refers to the benefits of ‘throwing sands in the wheels’ and slowing down the organisational decision making process in regard to whether or not to pay a ransom, suggesting that, with more time and thought, it’s more likely that an organisation will decide not to pay.[2]

It’s not clear how contributing to the development of a reputation for not-paying ransomware will be helpful to an organisation facing the almost insurmountable issues of getting its systems back on line following an attack.  It’s also unclear why a mandatory notification requirement is needed to meet the state policy outcomes which could perhaps be better supported by establishing stronger information sharing channels with the Australian community, more effective law enforcement involvement and other government led policy initiatives.

An alternative to prohibition of ransomware payments?

There have been some calls for outright bans on the payment of ransoms. Brett Callow, a cybersecurity expert at Emsisoft has argued that: “the only solution to the worsening ransomware problem is a complete prohibition on the payment of ransoms.” The former Director of the UK’s NCSC Ciaran, Martin has similarly commented that: “if I had one policy card to play in the next year, I would ask for a serious examination of whether we should change the law to make it illegal for organisations in the U.K. to pay ransoms in the case of ransomware.” Chris Krebs, the former Director of the US Cybersecurity and Infrastructure Security Agency noted in evidence to the US congress that: “The simple fact right now is ransomware is a business and business is good. It’s simply too easy for criminals to extract value and…it is primarily driven by the ubiquity of crypto currencies and the ability to anonymously transact illicit activities… Should it be legal to pay ransom? When you think about terrorism and the payment of ransom that is typically unlawful.”

There are however real trade-offs involved with taking such an approach.  Particularly where non payment of the ransomware would have a catastrophic impact on the targeted organisation.

Interestingly,  a similar moral dilemma exists in the pre-cyberworld in regard to whether to prohibit payment of ransoms to kidnappers. Governments don’t do it, but typically they haven’t criminalised it because there are often some difficult moral dilemmas if a person has been bodily kidnapped and their life is at risk.

Whether the same moral questions arise in relation to ransomware attacks is something that should be considered when deciding to implement a notification regime, a ban on payments or other responses.

Alternatives to notification of ransomware payments

There are other options that could also be considered in determining how to address the ransomware issue.

In its Discussion Paper, the Labor party identified a number of tools that could be used by government to address ransomware attacks on Australian targets, some of which involved Australian intelligence going on the offensive to signal to criminal groups that Australia will not put up with cyber attacks. Examples of alternative policy options include:

• a clear framework on offensive cyber operations against ransomware groups;
• closing the ‘cyber enforcement gap’ by increasing the number of international law enforcement actions against ransomware groups;
• sanctions targeting ransomware groups where enforcement isn’t possible;
• regulating the payment of ransoms and the cryptocurrencies that give these groups anonymity, and;
• strategies to help organisations lift their cyber defences.

Mr Watts is reported as saying: “Australia is at its best on the international stage when we’re bringing ideas and forming coalitions. We should be bringing together a bigger coalition of states making it clear this ransomware is putting an intolerable burden on the economies and societies of countries around the world.”[3]

Although it is acknowledged that none of the interventions identified in Labor’s discussion paper are silver bullets, they are policy options that the government could pursue so Australian organisations are not left to confront this challenge alone.

There are examples of other public and privacy initiatives which have shown real benefits in addressing the issue. One is the No More Ransom Project which has saved organizations nearly €1 billion in payments to ransomware operators. The project run as a partnership between government agencies (Europol and Politie, the Dutch national police organization) and vendors (initially Kaspersky and McAfee, now many more) and provides free help to individuals and businesses. In the five years it has been operating, the No More Ransom Project has helped millions of ransomware victims recover files after attacks.

The No More Ransom portal is available in 37 languages and offers more than 120 tools capable of decrypting more than 150 strains of ransomware. To obtain a decryption tool, ransomware victims upload two encrypted files and the ransom note to their Crypto Sheriff for a match. If matched, the decryptor includes detailed instructions for use. If not matched, users are advised to check again shortly as tools are being continuously added.

No More Ransom is seen as a great example of how public and private entities can work together to tackle cybercrime.

Conclusion

The world is now focused on ransomware, perhaps more so than any previous cybersecurity threat in history. But if some of the measures considered in this post are successful and the viability of ransomware as a criminal business model declines, then it should only be expected that those attackers will quickly embrace something else, such as illicitly mining for cryptocurrency.

And the question must be asked: why is this legislation being pursued, which may potentially harm many Australian organisations, without a concurring commitment to government led policy initiatives that could have a much greater and lasting impact on addressing cyber attacks of all kinds.

For more advice on how to ensure you’re not the victim of a ransomware attack, please see our earlier post: Ransomware: What can you do? – Privacy108 | Australian Data Privacy & Security Consulting

Proposed Ransomware Payment Bills 2021

Relevant notification clause:

• An entity that makes a ransomware payment must, as soon as practicable, give written notice of the payment to the Australian Cyber Security Centre in accordance with subsection (2).

Civil penalty:           1,000 penalty units.

(2)  The notice must set out:

(a)  the name and contact details of the entity; and

(b)  the identity of the attacker, or what information the entity knows about the identity of the attacker (including information about the purported identity of the attacker); and

(c)  a description of the ransomware attack, including:

(i)  the cryptocurrency wallet etc. to which the attacker demanded the ransomware payment be made; and

(ii)  the amount of the ransomware payment; and

(iii)  any indicators of compromise known to the entity.

Further References

Ransomware Payments Bill 2021 – Parliament of Australia (aph.gov.au)

[1] Labor introduces ransomware notification bill – InnovationAus

[2] CyberCX Cyber Dialogue

[3] Call for ransom reporting framework to tackle cyber criminals (afr.com)