Ransomware criminals would be treated as harshly under the law as rapists, armed robbers, arsonists and child sex offenders under the parameters of revamped ransomware legislation introduced to Parliament this month.
Lending legislative weight to the Ransomware Action Plan announced late last year, the new Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 lays out a number of new offences related to ransomware and data stolen by cybercriminals.
A person launching a ransomware attack intended to affect either the availability, integrity or reliability of a “critical infrastructure asset”, or to compromise the confidentiality of information about or stored in such an asset, would face up to 25 years’ imprisonment – which is generally the maximum available sentence for other crimes apart from life imprisonment.
Individuals could also face five years’ in jail for “dishonestly” accessing, enabling access to, modifying, or releasing data to another person when that data has been obtained through unauthorised access to a computer.
An aggravated offence, attracting a penalty of up to 10 years’ imprisonment, would apply to someone who produces, supplies, or obtains data for payment – aiming squarely at ransomware criminals that have increasingly been extracting ransoms from Australian businesses.
“Cybercriminals use ransomware to do Australians real and long-lasting harm,” Minister for Home Affairs Karen Andrews said as the legislation was introduced, calling ransomware “an effective means of exercising power over a victim.”
The government, she said, “will not tolerate attacks on Australia’s critical infrastructure, small businesses, or targeting the vulnerable members of our community.”
Ransomware attacks have continued to hit businesses of all sizes and industries: CrowdStrike’s recently released 2022 Global Threat Report, for one, noted an 82 per cent increase in ransomware-related data leaks during 2021.
That included the increasing use of ‘lock-and-leak’ information operations – in which stolen data is not just dumped on darkweb sites, but leaked in a controlled way by what CrowdStrike calls “actor-controlled personas or entities”.
The company observed over 50 targeted ransomware events per week last year, with average ransom demands averaging $8.5m ($US6.1m) – up 36 per cent from 2020.
Recognising the increasing amounts of money involved in ransomware crime, the new bill also targets the use of cryptocurrency for criminal activity, allowing police to seize digital assets that are reasonably suspected to be “tainted property” or “evidential material”.
Seized cryptocurrency would be transferred to an AFP or police-controlled cryptocurrency wallet, allowing authorities to prevent ransomware proceeds from joining the nearly $12b laundered annually through exchanges and decentralised finance (DeFi) services.
The legislation does not yet criminalise the making of ransomware payments, as the government has floated and analysts have advised.
Legislation tightening the noose
Australia’s government has been proactive in clamping down on ransomware, with Gartner noting that just 1 per cent of nation states had passed legislation to regulate ransomware payments, fines and negotiations by last year.
This, Gartner has predicted, will increase to 30 per cent of countries by 2025 as governments show a more united front against ransomware criminals – and fight back against increasingly aggressive use of malware that, the company believes, will have progressed to the point where weaponised malware causes human casualties.
Lawmakers in the United States are continuing to debate the country’s legal response to ransomware, with a number of bills circulating and the Biden administration recently releasing a ransomware playbook designed to provide standardised ransomware guidance for businesses.
The new legislation is an important step towards laying down the law for ransomware cybercriminals, said Tenable ANZ country manager Scott McKinnel, who welcomed the proposed legislation as “a strong and clear message to cybercriminals that the Australian government will not sit idle while our critical infrastructure and way of life get disrupted.”
“A task of this magnitude requires global governments to leverage the combined resources and expertise of government, industry and other stakeholders to provide timely and trusted information sharing to enhance the nation’s cyber security.... If we work together, cyber attacks won’t be the big business they are now.”