International Legislative drive to combat ransomware

Published 29 October 2021

In mid-October 2021, the Biden administration led a virtual summit to discuss strategies to combat the ‘global’ threat of ransomware. A joint statement following the conference was issued where participating members including Australia, over 10 EU countries, the United Kingdom, Brazil and South Africa agreed to enhance their capacity to monitor and combat ransomware. Whilst the US has led the initiative, it was Australia that used the platform to announce its own agenda on ransomware.

Australia

Fuelled by the upcoming elections, cyber is a hot topic in Australia with a focus on hardening its defences against ransomware attacks. The Ransomware Action Plan, spearheaded by Karen Andrews MP, Minister for Home Affairs, is intended to take a ‘decisive stance’ and to show that ‘put simply - Australia takes a zero tolerance approach to ransomware’.

The Government’s current initiatives to address ransomware include policy and operational response in addition to legislative reforms. The operational response is intended to increase activity to target cybercriminals. More interesting are the legislative reforms, the first of their kind on a global scale. These include:

• The introduction of a specific mandatory ransomware incident report to the Australia Government.
• The introduction of a stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure (as proposed to be regulated by the Security Legislation Amendment (Critical Infrastructure) Bill 2020).
• The introduction of a stand-alone offence for all forms of cyber extortion.
• The modernisation of legislation to ensure accountability of threat actors.
• The development of further powers for law enforcement to track and seize or freeze the ‘ill-gotten’ gains of threat actors

This is the first of its kind but it is likely that other laws will emerge with a similar focus. Whilst some nations are focussing on the regulation of cryptocurrency, and others focus on providing more power to law enforcement, it is interesting to see such a comprehensive approach.

Australia has stopped short of making it unlawful for insurers to pay or reimburse ransom payments, though this recommendation was considered. On this issue, we remain concerned that the debate appears to contemplate either complete freedom or a complete ban on ransom payments – we consider that a more nuanced approach is warranted and a debate on an appropriate spectrum of permitted responses.

USA

Two weeks ago, Senator Elizabeth Warren and Representative Deborah Ross introduced the Ransom Disclosure Bill (the “Bill”) to the Senate and House of Representatives. The Bill proposes new legislation that would compel corporates to provide information on ransom payments to the Department of Homeland Security in a bid to monitor and compile data on a topic which is usually reserved for the boardroom.

Not only does it compel disclosure of the fact that a ransom payment has been made and the amount, it also attempts to track the evolutionary use of cryptocurrency by threat actors. In a previous article, we commented on the move by threat actors to alternative cryptocurrencies, such as Monero, and the benefits of doing so for threat actors. It appears that the US wish to investigate currencies that appear most attractive to threat actors.

There is limited data available in respect of ransom payments to understand the amounts and compile other critical information. The most valuable insight in recent months has been the disclosure of Avaddon’s victims, which provided a representation of the spread of organisations across sectors. The Ransom Disclosure Act would require that a website is set up for organisations to self-report, with an overall report to follow by the DHS on an annual basis.

Unlike Australia, the aim of the Bill is to monitor when ransom payments are made and how much is paid. The focus is on the movement of funds from US entities to cryptocurrency and then outside of the jurisdiction. It is not a Bill that seeks to criminalise the payment of ransoms, or to punish threat actors, but to shed light on organisations that would prefer to keep this information out of the public domain.