Australia To Consider Banning Ransomware Payments (therecord.media)
Australia will consider banning ransomware payments in a bid to undermine the cybercriminal business model, a government minister said on Sunday. From a report: Clare O'Neil, the minister for home affairs and cybersecurity, confirmed to Australia's public broadcaster ABC that the government was looking at criminalizing extortion payments as part of the government's cyber strategy. The announcement follows several large security incidents affecting the country, including most significantly the data breach of Medibank, one of the country's largest health insurance providers.
Earlier this month Medibank stated it would not be making a ransom payment after hackers gained access to the data of 9.7 million current and former customers, including 1.8 million international customers living abroad. All of the data which the criminals accessed "could have been taken," the company said. This includes sensitive health care claims data for around 480,000 individuals, including information about drug addiction treatments and abortions. O'Neil's interview followed the AFP's commissioner Reece Kershaw announcing that they had identified the individual perpetrators of the Medibank hack, and that a group based in Russia was to blame. Further reading: After Ransomware Gang Releases Sensitive Medical Data, Australia Vows Consequences.
so send victims to jail / prison? if they pay? (Score:3, Insightful)
So send victims to jail/prison if they pay? Or will they just force them to stay in Australia?
Re: so send victims to jail / prison? if they pay? (Score:5, Interesting)
But, companies will pay to recover their data, because that data is more valuable than the cost of the payment to that company.
Not only that, but that will incentivize companies not to report their breaches and this will drive everything underground.
And then, even after the ransomware event is over, the ransomware people will still be able to personally blackmail the executives indefinitely, because now they will be risking jail time for having paid the ransom in the first place.
Re: so send victims to jail / prison? if they pay? (Score:4, Interesting)
>And then, even after the ransomware event is over, the ransomware people will still be able to personally blackmail the executives indefinitely, because now they will be risking jail time for having paid the ransom in the first place.
This is clearly, then, incentive not to pay for ransoms and to pay more for security.
As you said, if they pay a ransom, now it's *criminal* jail time for the CEO, CTO, CIO, CFO, CSO, etc. instead of just money.
Expect more insurance policies to be written in Australia if this goes through.
Re: (Score:2)
Most of it is already underground, the ransomware payments that are publicly known are just the tip of the iceberg. Executives sometimes even pay off fake ransomware threats.
Re: so send victims to jail / prison? if they pay? (Score:4, Interesting)
As an alternative, fine companies a fraction of the ransom amount. This increases the value of cybersecurity. Attach jail time for failing to report paying a ransom. Reporting discourages ransom attempts and also makes the breach public, increasing the value of cybersecurity. If you are the CIO, how much personal jail time would you risk to hide a breach?
Re: so send victims to jail / prison? if they pay? (Score:4, Interesting)
I'd imagine what will really happen is that the breached company will pay a "data recovery service" in a foreign country to get the data back for them, and they'll end up paying the ransom.
Re: (Score:1, Informative)
You're saying we shouldn't outlaw murder because criminals will just hide the bodies. Sofa king retar dead.
You can't hide ransom payments. That's why we have auditors and financial statements and prosecutors. Follow the money. If there's a money trail, the feds can find it.
Ok smart guy, you're gonna play shell games hiding ransom payments in non-existent accounts? Congratula
Re: (Score:2)
And then, even after the ransomware event is over, the ransomware people will still be able to personally blackmail the executives indefinitely, because now they will be risking jail time for having paid the ransom in the first place.
That is a feature, not a bug.
Re: so send victims to jail / prison? if they pay? (Score:5, Insightful)
Not only that, but that will incentivize companies not to report their breaches and this will drive everything underground.
It's not easy to drive a large scale extortion underground, especially when the attackers are normally quite public about their intentions.
Mind you there are laws in place for failure to disclose. Heaping one illegal activity on another doesn't work too well. Remember, there's no major punishment for fucking up in this scenario, only for failure to disclose and from the looks of things they are going for law against payment as well.
This is a good thing. Companies should not consider paying criminals a cost of doing business.
And then, even after the ransomware event is over, the ransomware people will still be able to personally blackmail the executives indefinitely
What's to say that doesn't happen anyway? Does honour among criminals tell them not to hit the same willing-to-pay target twice? The blackmail scenario has nothing to do with whether you pay or not. Criminals hold power over their victims one way or another. Someone was already in your network.
Re: (Score:2)
Not only that, but that will incentivize companies not to report their breaches and this will drive everything underground.
Exceptionally unlikely. First, far too many people will know about it. Second, the company needs to buy the crypto-currency to pay and an accountant that covers for that already faces personal punishment.
This is exactly the right approach. Too many companies think they can save money by using shoddy IT security practices. These people must be stopped because they create the opportunity for the attack in the first place. Making ransom payments a criminal act is a good way to do this.
Re: (Score:2, Insightful)
Clearly the hope is to get companies to take this into consideration ahead of time.
Right now, they may think they just need to set aside some Bitcoin to prepare for the possibility of getting hit by ransomware.
Re: (Score:2)
I half agree with this, I get where it is coming from. Remove the incentive structure. But, companies will pay to recover their data, because that data is more valuable than the cost of the payment to that company.
I agree that this may backfire in multiple ways. At the same time, I am curious how many of the breaches, especially at larger businesses, were helped by cutting or not having a security budget.
First rule in security should be: no security is infallible, so your security is never a done deal. Just like castles of the past, walls only do so much, and there is a reason you pay to have soldiers on those walls.
Re: (Score:3)
I half agree with this, I get where it is coming from. Remove the incentive structure. But, companies will pay to recover their data, because that data is more valuable than the cost of the payment to that company.
No recovery necessary. The data was copied, and most companies have data recovery in place for the old method of encrypting data and demanding a ransom. This is why companies which hold personal data are attacked. The release of that data is detrimental to the customers; in Medicare's case, drug addiction and mental health issues have been exposed as samples. Imagine if your health records or those of people you care about were exposed. In the case of Optus (telecommunications) they kept personal data for identification
Re: (Score:2)
You don't send them to jail you fine them more money than they saved by skimping on security.
So, in cases (which are all too common) where the encrypted data is vital to the survival of the company, and they will go out of business (putting everyone out of work) if they don't recover it, your idea is to fine them so much they go out of business (putting everyone out of work).
And you don't think that will have any unintended consequences?
Re: (Score:2)
The intended consequence is to get companies to protect themselves against damage from ransomware, instead of hoping they can ransom their data.
Obviously the most important thing is good backups.
Re: (Score:3)
The intended consequence is to get companies to protect themselves against damage from ransomware, instead of hoping they can ransom their data.
This is a poor way to do that.
Re: (Score:2)
Precisely. Companies that don't keep proper backups aren't going to suddenly start doing so if this passes, they're just going to hide the breaches. They're too stupid and incompetent to do otherwise.
Re: (Score:2)
Precisely. Companies that don't keep proper backups aren't going to suddenly start doing so if this passes, they're just going to hide the breaches. They're too stupid and incompetent to do otherwise.
The end goal is less stupid and incompetent companies. Those ones deserve to fail, no matter how many people work there. Especially now - throwing the objective failures under the bus is quite possibly the best way to help cool the economy and tamp down inflation rather than just leaving it to random chance.
Re: (Score:3, Insightful)
I've been arguing for this policy for years, and always hearing the same response. Years ago when ransomware was just starting to explode, I posted on slashdot that the only way we'd ever solve the problem was to make paying ransoms illegal. And the response was, "What about the poor people hit by ransomware? They need to recover their data." My answer then was the same as now: "What about the poor people who will be hit by ransomware tomorrow, and the day after, and next year, and the year after, until
Re: (Score:1)
It also will instantly make ransomware unprofitable.
You sweet, summer child. It must be nice to live among unicorns and rainbows.
As others have pointed out, it will just keep companies from reporting breaches, and turn actual ransomware attacks into threats of attacks in a more traditional protection racket.
Prosecuting victims hasn't stopped any other kind of crime, and it won't stop ransomware. No matter how earnestly you wish it would.
Re:so send victims to jail / prison? if they pay? (Score:4, Informative)
I conclude that either you have little experience with the business world, or else you live in a country where the rule of law isn't respected.
In most western countries, it's kind of shocking how scrupulous most companies are at following the law, especially big companies. That doesn't mean they behave morally. They often have little concern for who they hurt. And when there's fuzziness to the rules, they may try to bend them or argue they don't apply. But when the rules are clear and there's a high risk of getting caught, they follow them to the letter. If there's one thing big companies hate, it's risk. And if there's one thing bureaucratic organizations are good at, it's following precise rules.
Contrary to what you may assume, big companies really like clear rules, especially when they're well enforced and they know everyone else has to follow the same rules. Clear rules mean certainty. You can make plans based on them.
A good example of how this works out in practice is the American Foreign Corrupt Practices Act [wikipedia.org], which bans American companies from paying bribes in other countries. Now and then a company tries to go around it and gets slammed with a huge fine, but mostly it's been very successful. It turns out most companies don't like having to pay bribes. They do it because they feel they have no choice. It's "how things are done" in that country. The FCPA lets them say, "Sorry, I can't pay. Don't blame me, it's what the government demands. Either you work with us without the bribe, or we take our business elsewhere."
Re: (Score:2)
It must be nice to live among unicorns and rainbows.
Like the people who pay a ransom and get back their data assuming it has not been tampered with, shared widely, and/or is free of future exploits. Sometimes society does have an interest in protecting stupid people from themselves.
Re: (Score:2)
The thing is that making it illegal to make ransomware payments makes beefing up security more likely. At the moment there is a cost-benefit analysis, and many firms think that it's worth skimping on security and just paying up if things go south.
If paying off the attackers is not an option then all of a sudden beefing up security becomes a lot more attractive.
Re:so send victims to jail / prison? if they pay? (Score:4, Insightful)
Here in the US, technically paying ransomware is illegal. But it is something easily gotten around:
* Company "A" that got hit by ransomware hires offshore company "B".
* Offshore company "B" takes the ransom + a fee on top of that as a consulting cost.
* Offshore company "B" pays the ransom, hands the decryption keys to company "A".
* Company "A" now has their data back, and should there be investigations, they have plausible deniability, as they didn't know or realize that offshore company "B" paid the ransom.
You can add more criminal penalties, more jail time, but it doesn't matter. Once a proxy (or proxies) come into the picture, the case is pretty much impossible to prove in a court to get a fine, much less a conviction.
Re: (Score:2)
Yes, same here. We need to stop companies from at least accepting that they will finance a criminal business model by having inadequate IT security. Outlawing ransom payments is exactly the way to go, because identifying the attackers has mostly failed and preventing the money-laundering (via crypto-"currencies") has so far failed as well.
yeah (Score:2, Interesting)
When we made it a crime to dump chemicals into the water supply a lot of poorly run companies went out of business, and a lot of jobs were shifted overseas where they can poison their people with impunity (google "cancer villages"). That doesn't mean I want to legalize poisoning our water supply.
You're hiding behind jobs because you do
Re: (Score:2)
If the data is vital, they were clearly grossly negligent in not securing it adequately. Hence they should already face personal punishment for that alone.
Re:so send victims to jail / prison? if they pay? (Score:4, Insightful)
And the business will simply consider the fine a cost of doing business and raise prices to recover it.
Yeah... that only works if you have a monopoly. Consumers are rather cost sensitive. The trick is to have a fine large enough that companies would be negatively affected in the scenario.
But you're completely off base anyway. The fine won't get dismissed as a cost of doing business providing the fine is larger than the cost of the ransom and damages. Incidentally this is why road violation fines in Finland are based as a percentage of income. In the USA it's easy to write off a speeding fine if you are wealthy. Nokia's CEO probably thought twice about doing it again when he was handed a $103000 speeding fine for doing 15km/h over the limit.
Providing you set a fine sensibly it won't be brushed off as just an operating cost.
Re: (Score:2)
Not all ransomware payments will be banned.
You will still have to pay the crooks if you want to keep:
1. Your home
2. Your car
3. Your very freedom
And be careful what you say. Unlike ransomware on the computer, these guys don't mess around. For example, calling it ransomware instead of taxes could land you in jail for disrespecting government and making its legitimate operations look bad.
Re: (Score:3, Informative)
The victims are the ones having their personal or financial data leaked onto black markets.
Re: (Score:2, Insightful)
so send victims to jail / prison? if they pay? or will they just force them to stay in Australia
The companies aren't the victims, their innocent customers are. The companies would like to keep the whole matter of their IT incompetence quiet to protect their reputations.
Re: (Score:2)
These are not "victims". These are people with shoddy IT security that were basically asking for it given the current threat landscape. They are also perpetrators because they are encouraging the criminal business model which means more others will get hit in the future.
If you have a responsibility to do things right and you messed it up, screaming "Victim-Blaming!" will not get you off the hook.
There is no crime when it's illegal to be a victim (Score:2)
This seems like a fairly straightforward way to "fix" crime statistics.
It's not illegal to be a victim (Score:5, Interesting)
Re: (Score:3)
Since, given the complexity of operating systems these days, such things are impossible to prevent, your proposal is that we should all throw our computers in a swamp and hunt for dinner with sharp sticks?
Re: (Score:1)
But you have also decided that database makers don't get a pass, because "they should try to prevent the impossible".
Re: It's not illegal to be a victim (Score:4, Interesting)
There's quite a bit of peer reviewed research on the impossibility of avoiding bugs. The more lines of code, the more bugs there will be, and the ratio goes up as the number of lines of code does. I recall one study that indicated that at 1 million lines of code, every bug fixed causes 1.2 new bugs. Windows has hundreds of millions of lines of code.
As for databases, I have no idea what you're talking about. Perhaps you should switch to drugs that don't cause hallucinations.
Re: It's not illegal to be a victim (Score:4, Interesting)
The responsible party might be some college student who wrote a F/OSS library. This will be great for commercial companies which have armies of lawyers, all the while putting a great legal burden on individuals that their code works 100% of the time.
Programs are an issue, but security processes are where the rubber meets the road. It would be nice if insurance companies and governments could encourage development of anti-ransomware practices. Something simple like a box running MinIO with backups being dumped to it with object locking can stem the tide of ransomware. Or companies adhering to some basic standard of security (MFA at the minimum), if not more defense in depth. Maybe even better backup programs that are open source that can be universally used.
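To make concrete what "backups dumped to a box with object locking" buys you, here is an added example that is not part of the thread, and not MinIO or S3 client code: a small Python model of a versioned bucket with Object Lock in COMPLIANCE mode, plus a simulated incident in which an attacker holding the backup writer's own credentials overwrites, deletes and tries to purge the backups. All names (LockedBucket, run_incident, the "db.dump" key, the day numbers) are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DAY = 86_400


@dataclass
class ObjectVersion:
    body: bytes
    written_at: int         # unix time of the PUT
    retain_until: int       # COMPLIANCE-mode retention: immutable until then
    delete_marker: bool = False


class LockedBucket:
    """Toy model of a versioned bucket with S3-style Object Lock in COMPLIANCE
    mode (an illustration, not a MinIO or S3 client). Every PUT appends a
    version, a plain DELETE only adds a delete marker, and no principal,
    whatever credentials it holds, can remove a version before retain_until."""

    def __init__(self, retention_days: int):
        self.retention = retention_days * DAY
        self.versions: Dict[str, List[ObjectVersion]] = {}

    def put(self, key: str, body: bytes, now: int) -> None:
        self.versions.setdefault(key, []).append(
            ObjectVersion(body, now, now + self.retention))

    def delete(self, key: str, now: int) -> None:
        """A DELETE without a version id: adds a delete marker, nothing is lost."""
        if key in self.versions:
            self.versions[key].append(ObjectVersion(b"", now, now, delete_marker=True))

    def purge_version(self, key: str, index: int, now: int) -> None:
        """Permanent removal of one version; refused while the lock is in force."""
        v = self.versions[key][index]
        if now < v.retain_until:
            raise PermissionError(f"{key}#{index} is locked until {v.retain_until}")
        del self.versions[key][index]

    def restore(self, key: str, as_of: int) -> Optional[bytes]:
        """Point-in-time restore: the newest version written at or before as_of."""
        for v in reversed(self.versions.get(key, [])):
            if v.written_at <= as_of:
                return None if v.delete_marker else v.body
        return None


def run_incident(retention_days: int, attack_day: int) -> dict:
    """Constructed scenario: nightly dumps on days 0-3, then on attack_day an
    attacker with the backup writer's credentials overwrites the object,
    deletes it and tries to purge every version. Returns how many versions
    were actually destroyed and what a restore to day 3 yields."""
    bucket = LockedBucket(retention_days)
    for day in range(4):
        bucket.put("db.dump", f"clean backup day {day}".encode(), day * DAY)

    now = attack_day * DAY
    bucket.put("db.dump", b"\x00encrypted-by-ransomware", now)   # overwrite: just a new version
    bucket.delete("db.dump", now)                                 # delete: just a marker
    purged = 0
    for index in range(len(bucket.versions["db.dump"]) - 1, -1, -1):
        try:
            bucket.purge_version("db.dump", index, now)
            purged += 1
        except PermissionError:
            pass

    return {"purged": purged, "recovered": bucket.restore("db.dump", as_of=3 * DAY)}
```

Two things the model makes visible that the one-liner above does not. First, the lock only protects versions whose retention has not lapsed: with a 1-day retention an attacker who strikes on day 4 purges every clean copy, and with a 7-day retention an attacker who waits until day 10 does the same, so the retention period has to exceed the longest plausible dwell time between the last good backup and the attack, not just the backup interval. Second, with a long enough lock the only thing the attacker's credentials can remove is the unlocked delete marker, so a point-in-time restore still returns the day-3 dump. In MinIO the lock is a property of the bucket set at creation (the client's `mc mb --with-lock`), and the backup agent should hold write-only credentials so that a compromised agent cannot even try the purge.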
Re: (Score:2)
Now, if, instead of fixing the zero-days when they find them, Microsoft was going around paying hackers to pretend they didn't find the zero-day in the first place, that would be something that should be a crime.
Re: (Score:3)
So, instead of encrypting data with ransomware, the criminals will simply demonstrate that they could do so, and offer their "consulting services" on how to prevent that. Thus, no ransom is paid, and everybody is legal.
Protection rackets are as old as the human race. Punishing the victims is aiding and abetting the gangsters who run them.
Re: (Score:2)
That's where criminal negligence comes in.
Re: (Score:1)
I don't know how to secure against a 0-day, but I know how to restore a backup.
Re: (Score:2)
I learned the hard way about backing up data in 1987, with a single damaged 360K floppy.
Professionals in charge of petabytes of data shouldn't have to learn about backups the hard way.
Re: (Score:3)
Most ransomware attacks don't involve zero-days, they involve an asshat with too much access to network shares opening shipping_invoice.pdf.exe
Re: (Score:2)
Most ransomware attacks don't involve zero-days, they involve an asshat with too much access to network shares opening shipping_invoice.pdf.exe
Unfortunately as an asshat with too much access I'm finding it much harder to get unnecessary permissions taken away from me than I had getting them given. No matter how much I explain that future me is a disgruntled asshole with too much time on his hands.
Will Only Work If Prison for the CEO and Board (Score:3, Insightful)
And a long prison term at that. If those people have to go to prison for paying, then they will pay more to protect their data up front. Because to stay in business they will likely have to pay up to the ransom holders if their data becomes locked up. That is, do all that is possible up front to protect the data to save their own asses.
Re: (Score:2)
On a side note (D#) I'd like to thank you for referring to prison, not jail. Jail is where people are put while awaiting trial, or for very short terms; prison is where you end up if your sentence is a long one. I wish the various cop/court TV shows would stop getting that wrong.
Re: (Score:2)
Spotted the American. No. Sending people to prison for low likelihood scenarios is stupid and simply doesn't work as a deterrent in the slightest. People have a genuinely poor ability to judge risk of extreme events, and when the punishment is out of step with the crime they get brushed off. Make the sentence extreme and people will think it'll never happen and do nothing to prevent occurrence.
Re: (Score:2)
Getting hit by ransomware is not a "low probability scenario" anymore.
Re: (Score:2)
Getting hit by ransomware is not a "low probability scenario" anymore.
It really is. You're either massively over-inflating the number of ransomware attacks, or massively underestimating the number of targets. But in any case you missed my point. The more severe a punishment the less likely it gets given even if the underlying condition is present.
I didn't say that getting hit by ransomware would be judged as a low probability, I said going to jail would be.
Re: (Score:2)
Nope. It is very much not "low probability". Get some real numbers and stop claiming crap. Well, claiming crap is your usual modus, so there is that.
Perhaps criminalize having an insecure network (Score:3, Interesting)
Re: (Score:2)
Security in ICT is difficult to define apart from stupid self-referencing statements. Even concepts such as "need to know" are impossible to define in knowledge-based organisations and often exact a very high cost on business operators when implemented by indoctrinated security folk without a grasp of maths.
However that being said that state of being insecure may often be recognised as a state of negligence and reckless abandon when considered against a backdrop of "good practice"
For example ASD, Australia'
I think it might help (Score:2)
You can't make incompetence illegal (Score:3)
And incompetence is the only reason anyone would need to pay a ransom.
You know how you defeat ransomware? Backups.
Yes, it really is that simple.
Re:You can't make incompetence illegal (Score:5, Insightful)
The attacks that have made all this fuss aren't even really ransomware attacks. Optus was breached and heaps of PII was stolen. As far as I'm aware there was never any ransom involved. Medibank was breached and shitloads of very private information was stolen, and a ransom demanded to stop them from releasing said information.
Backups do nothing to prevent this, as neither company ever lost access to their data.
Re: (Score:2)
The attacks that have made all this fuss aren't even really ransomware attacks.
Irrelevant. This isn't an attempt to address the two specific cases. If you do that you will forever be the idiot preventing floods by sticking your finger in the dyke to plug the holes rather than solving the underlying issue.
The attacks in question kicked off a larger discussion about cyber crime. This is just one of the proposals to come out of it. The fact is Medibank's breach involved a demand for payment. Whether you give it a cute name is completely irrelevant.
Au contraire. Incompetence when accepting certain responsibilities is already a criminal act.
Obvious (Score:1)
Another government doesn't understand security (Score:2)
What is the goal here? To punish the company and the individual victims of identity theft? To inoculate companies from some of the financial impact of a data breach?
I'm sure the goal is ostensibly to discourage ransomware, but as usual the government does not understand enough about cybersecurity to actually be effective.
Strengthen requirements to store PII. Institute mandatory compliance auditing/reporting requirements. Increase penalties for corporations who are breached.
Security improves when the cos
Re: Another government doesn't understand security (Score:2)
The goal is to get companies - those who negligently prioritize growth over security - to spend their money on security instead of PR and coverups.
Re: (Score:2)
The goal is to get companies - those who negligently prioritize growth over security - to spend their money on security instead of PR and coverups.
If only the rapidly ballooning government expenditures that happen within 5-10 years of every single expansion of power and every single creation of new "crime", could have instead been spent to partner with people and businesses to create and follow better information Security practices.
But alas, just like with the USA's perpetual, trillion-dollar "War On Drugs" canard, you can tell a nation-state is on the downward slope of its ideological coherence when its solution for social problems is criminal prosec
Damned if you do / do not (Score:2)
A sensible policy (Score:4, Informative)
Essentially, banning ransomware payments achieves a greater good at the expense of individual companies. The current model of making ransom payments simply supports a criminal industry. It really is that simple. Remove the cash and the industry deflates.
In Australia there have been two recent major compromises of significant organisations: Optus, a Singtel subsidiary with a market cap of ~45B, and Medicare Private, market cap about 8B.
The Optus hack was a result of using production data and systems for a test environment and a cowboy-type approach to development. This is a cheap and risky approach, and it appears that they didn't effectively mitigate these risks, hence the pejorative "cowboy".
The Medicare hack appears to be a result of compromised credentials, which would have been effectively mitigated by two-factor authentication of privileged users. Two-factor authentication doesn't have to be difficult or expensive, but most organisations implement costly big-vendor approaches. If you want a cost-effective solution, use simple standards-based technologies like smartcards or TOTP tokens. SMS, email and even soft tokens on phones are a bit rubbish, as your phone is just another computer which is permanently connected to the Internet.
Ingenious way to kill ransomware (Score:1)
No one will spend thousands of dollars on breach to receive nothing.
Ingenious!