Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Australia Security

Australia To Consider Banning Ransomware Payments (therecord.media) 86

Australia will consider banning ransomware payments in a bid to undermine the cybercriminal business model, a government minister said on Sunday. From a report: Clare O'Neil, the minister for home affairs and cybersecurity, confirmed to Australia's public broadcaster ABC that the government was looking at criminalizing extortion payments as part of the government's cyber strategy. The announcement follows several large security incidents affecting the country, including most significantly the data breach of Medibank, one of the country's largest health insurance providers.

Earlier this month Medibank stated it would not be making a ransom payment after hackers gained access to the data of 9.7 million current and former customers, including 1.8 million international customers living abroad. All of the data which the criminals accessed "could have been taken," the company said. This includes sensitive health care claims data for around 480,000 individuals, including information about drug addiction treatments and abortions. O'Neil's interview followed the AFP's commissioner Reece Kershaw announcing that they had identified the individual perpetrators of the Medibank hack, and that a group based in Russia was to blame.
Further reading: After Ransomware Gang Releases Sensitive Medical Data, Australia Vows Consequences.
This discussion has been archived. No new comments can be posted.

Australia To Consider Banning Ransomware Payments

Comments Filter:
  • by Joe_Dragon ( 2206452 ) on Tuesday November 15, 2022 @01:05PM (#63053493)

    so send victims to jail / prison? if they pay? or will they just force them to stay in Australia

    • I half agree with this, I get where it is coming from. Remove the incentive structure. But, companies will pay to recover their data, because that data is more valuable than the cost of the payment to that company.
      • by stephanruby ( 542433 ) on Tuesday November 15, 2022 @01:25PM (#63053573)

        But, companies will pay to recover their data, because that data is more valuable than the cost of the payment to that company.

        Not only that, but that will incentivize companies not to report their breaches and this will drive everything underground.

        And then, even after the ransomware event is over, the ransomware people will still be able to personally blackmail the executives indefinitely, because now they will be risking jail time for having paid the ransom in the first place.

        • by jvkjvk ( 102057 ) on Tuesday November 15, 2022 @02:54PM (#63053829)

          >And then, even after the ransomware event is over, the ransomware people will still be able to personally blackmail the executives indefinitely, because now they will be risking jail time for having paid the ransom in the first place.

          This is clearly, then, incentive not to pay for ransoms and to pay more for security.

          As you said, if they pay a ransom, now it's *criminal* jail time for the CEO, CTO, CIO, CFO, CSO, etc. instead of just money.

          Expect more insurance policies to be written in Australia if this goes through.

        • Most of it is already underground, the ransomware payments that are publicly known are just the tip of the iceberg. Executives sometimes even pay off fake ransomware threats.

        • by byromaniac ( 8103402 ) on Tuesday November 15, 2022 @02:58PM (#63053849)
          You make some great points about the unintended consequences of jail terms for paying ransoms.

          As an alternative, fine companies a fraction of the ransom amount. This increases the value of cybersecurity. Attach jail time for failing to report paying a ransom. Reporting discourages ransom attempts and also makes the breach public, increasing the value of cybersecurity. If you are the CIO, how much personal jail time would you risk to hide a breach?
        • I'd imagine what will really happen is that the breached company will pay a "data recovery service" in a foreign country to get the data back for them, and they'll end up paying the ransom.

        • Re: (Score:1, Informative)

          by Anonymous Coward

          Not only that, but that will incentivize companies not to report their breaches and this will drive everything underground.

          You're saying we shouldn't outlaw murder because criminals will just hide the bodies. Sofa king retar dead.

          You can't hide ransom payments. That's why we have auditors and financial statements and prosecutors. Follow the money. If there's a money trail, the feds can find it.

          Ok smart guy, you're gonna play shell games hiding ransom payments in non-existent accounts? Congratula

        • And then, even after the ransomware event is over, the ransomware people will still be able to personally blackmail the executives indefinitely, because now they will be risking jail time for having paid the ransom in the first place.

          That is a feature, not a bug.

        • by thegarbz ( 1787294 ) on Tuesday November 15, 2022 @05:30PM (#63054197)

          Not only that, but that will incentivize companies not to report their breaches and this will drive everything underground.

          It's not easy to drive a large scale extortion underground, especially when the attackers are normally quite public about their intentions.

          Mind you there are laws in place for failure to disclose. Heaping one illegal activity on another doesn't work too well. Remember, there's no major punishment for fucking up in this scenario, only for failure to disclose and from the looks of things they are going for law against payment as well.

          This is a good thing. Companies should not consider paying criminals a cost of doing business.

          And then, even after the ransomware event is over, the ransomware people will still be able to personally blackmail the executives indefinitely

          What's to say that doesn't happen anyway? Honour of criminals tell them not to hit the same willing to pay target twice? The blackmail scenario has nothing to do with whether you pay or not. Criminals hold power over their victims one way or another. Someone was already in your network.

        • by gweihir ( 88907 )

          Not only that, but that will incentivize companies not to report their breaches and this will drive everything underground.

          Exceptionally unlikely. First, far too many people will know about it. Second, the company needs to buy the crypto-currency to pay and an accountant that covers for that already faces personal punishment.

          This is exactly the right approach. Too many companies think they can save money by using shoddy IT security practices. These people must be stopped because they create the opportunity for the attack in the first place. Making ransom payments a criminal act is a good way to do this.

      • Re: (Score:2, Insightful)

        by Mononymous ( 6156676 )

        Clearly the hope is to get companies to take this into consideration ahead of time.
        Right now, they may think they just need to set aside some Bitcoin to prepare for the possibility of getting hit by ransomware.

      • I half agree with this, I get where it is coming from. Remove the incentive structure. But, companies will pay to recover their data, because that data is more valuable than the cost of the payment to that company.

        I agree that this may backfire in multiple ways. At the same time, I am curious how many of the breaches, especially at larger business were helped by cutting or not have a security budget.

        First rule in security should be: no security infallible, so you security is never a done deal. Just like castles of the past, walls only do so much and there is a reason you pay to have soldiers on those walls.

      • by vlad30 ( 44644 )

        I half agree with this, I get where it is coming from. Remove the incentive structure. But, companies will pay to recover their data, because that data is more valuable than the cost of the payment to that company.

        No recovery necessary. The Data was copied and most companies have data recovery in place for the old method of encrypting data and demanding a ransom. This is why companies which hold personal data are attacked. The release of that data is detrimental to the customers in Medicare's case drug addiction and mental health issues have been exposed as samples. Imagine if your health records or those you care about were exposed. In the case of Optus (telecommunications) they kept personal data for identification

    • Re: (Score:3, Funny)

      by rsilvergun ( 571051 )
      You don't send them to jail you fine them more money than they saved by skimping on security. Nobody has to go to jail every time they break a law. I'm guessing you're american? If not you're at least an honorary American
      • by taustin ( 171655 )

        You don't send them to jail you fine them more money than they saved by skimping on security.

        So, in cases (which are all too common) where the encrypted data is vital to the survival of the company, and they will go out of business (putting everyone out of work) if they don't recover it, your idea is to find them so much they go out of business (putting everyone out of work).

        And you don't think that will have any unintended consequences?

        • The intended consequence is to get companies to protect themselves against damage from ransomware, instead of hoping they can ransom their data.
          Obviously the most important thing is good backups.

          • by taustin ( 171655 )

            The intended consequence is to get companies to protect themselves against damage from ransomware, instead of hoping they can ransom their data.

            This is a poor way to do that.

        • Re: (Score:3, Insightful)

          I've been arguing for this policy for years, and always hearing the same response. Years ago when ransomware was just starting to explode, I posted on slashdot that the only way we'd ever solve the problem was to make paying ransoms illegal. And the response was, "What about the poor people hit by ransomware? They need to recover their data." My answer then was the same as now: "What about the poor people who will be hit by ransomware tomorrow, and the day after, and next year, and the year after, until

          • by taustin ( 171655 )

            It also will instantly make ransomware unprofitable.

            You sweet, summer child. It must be nice to live among unicorns and rainbows.

            As others have pointed out, it will just keep companies from reporting breaches, and turn actual ransomware attacks into threats of attacks in a more traditional protection racket.

            Prosecuting victims hasn't stopped any other kind of crime, and it won't stop ransomware. No matter who earnestly you wish it would.

            • by SoftwareArtist ( 1472499 ) on Tuesday November 15, 2022 @05:33PM (#63054205)

              I conclude that either you have little experience with the business world, or else you live in a country where the rule of law isn't respected.

              In most western countries, it's kind of shocking how scrupulous most companies are at following the law, especially big companies. That doesn't mean they behave morally. They often have little concern for who they hurt. And when there's fuzziness to the rules, they may try to bend them or argue they don't apply. But when the rules are clear and there's a high risk of getting caught, they follow them to the letter. If there's one thing big companies hate, it's risk. And if there's one thing bureaucratic organizations are good it, it's following precise rules.

              Contrary to what you may assume, big companies really like clear rules, especially when they're well enforced and they know everyone else has to follow the same rules. Clear rules mean certainty. You can make plans based on them.

              A good example of how this works out in practice is the American Foreign Corrupt Practices Act [wikipedia.org], which bans American companies from paying bribes in other countries. Now and then a company tries to go around it and gets slammed with a huge fine, but mostly it's been very successful. it turns out most companies don't like having to pay bribes. They do it because they feel they have no choice. It's "how things are done" in that country. The FCPA lets them say, "Sorry, I can't pay. Don't blame me, it's what the government demands. Either you work with us without the bribe, or we take our business elsewhere."

            • It must be nice to live among unicorns and rainbows.

              Like the people who pay a ransom and get back their data assuming it has not been tampered with, shared widely, and/or is free of future exploits. Sometimes society does have an interest in protecting stupid people from themselves.

          • by ctilsie242 ( 4841247 ) on Tuesday November 15, 2022 @04:05PM (#63054003)

            Here in the US, technically paying ransomware is illegal. But it is something easily gotten around:

            * Company "A" that got hit by ransomware hires offshore company "B".

            * Offshore company "B" takes the ransom + a fee on top of that as a consulting cost.

            * Offshore company "B" pays the ransom, hands the decryption keys to company "A".

            * Company "A" now has their data back, and should there be investigations, they have plausible deniability, as they didn't know or realize that offshore company "B" paid the ransom.

            You can add more criminal penalties, more jail time, but it doesn't matter. Once a proxy (or proxies) come into the picture, the case is pretty much impossible to prove in a court to get a fine, much less a conviction.

          • by gweihir ( 88907 )

            Yes, same here. We need to stop companies from at least accepting that they will finance a criminal business model by having inadequate IT security. Outlawing ransom payments is exactly the way to go, because identifying the attackers has mostly failed and preventing the money-laundering (via crypto-"currencies") has so far failed as well.

        • yeah (Score:2, Interesting)

          by rsilvergun ( 571051 )
          I'm also in favor of a much, much broader safety net for the workers. But that's besides the point. You can excuse any criminally negligent behavior with "but jobs!".

          When we made it a crime to dump chemicals into the water supply a lot of poorly run companies went out of business, and a lot of jobs were shifted overseas where they can poison their people with impunity (google "cancer villages"). That doesn't mean I want to legalize poisioning our water supply.

          You're hiding behind jobs because you do
        • by gweihir ( 88907 )

          If the data is vital, they were clearly grossly negligent in not securing it adequately. Hence they should already face personal punishment for that alone.

      • And the business will simply consider the fine a cost of doing business and raise prices to recover it.
        • by thegarbz ( 1787294 ) on Tuesday November 15, 2022 @05:34PM (#63054211)

          And the business will simply consider the fine a cost of doing business and raise prices to recover it.

          Yeah... that only works if you have a monopoly. Consumers are rather cost sensitive. The trick is to have a fine large enough that companies would be negatively affected in the scenario.

          But you're completely off base anyway. The fine won't get dismissed as a cost of doing business providing the fine is larger than the cost of the ransom and damages. Incidentally this is why road violation fines in Finland are based as a percentage of income. In the USA it's easy to write off a speeding fine if you are wealthy. Nokia's CEO probably thought twice about doing it again when he was handed a $103000 speeding fine for doing 15km/h over the limit.

          Providing you set a fine sensibly it won't be brushed off as just an operating cost.

      • Not all ransomeware payments will be banned.

        You will still have to pay the crooks if you want to keep:

        1. Your home
        2. Your car
        3. Your very freedom

        And be careful what you say. Unlike ransomeware on the computer, these guys don't mess around. For example, calling it ransomeware instead of taxes could end you up in jail for disrespecting government and making its legitimate operations look bad.

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      The victims that fund criminals and make more victims.
    • Re: (Score:3, Informative)

      by DrMrLordX ( 559371 )

      The victims are the ones having their personal or financial data leaked onto black markets.

    • Re: (Score:2, Insightful)

      by godel_56 ( 1287256 )

      so send victims to jail / prison? if they pay? or will they just force them to stay in Australia

      The companies aren't the victims, their innocent customers are. The companies would like to keep the whole matter of their IT incompetence quiet to protect their reputations.

    • by gweihir ( 88907 )

      These are not "victims". These are people with shoddy IT security that were basically asking for it given the current threat landscape. They are also perpetrators because they are encouraging the criminal business model which means more others will get hit in the future.

      If you have a responsibility to do things right and you messed it up, screaming "Victim-Blaming!" will not get you off the hook.

  • This seems like a fairly straightforward way to "fix" crime statistics.

    • by rsilvergun ( 571051 ) on Tuesday November 15, 2022 @01:28PM (#63053591)
      It's illegal to pay criminals because you are criminally negligent. Your negligence is hurting society as a whole. If you refuse to secure your network and train your employees because it's cheaper to just pay the ransom then this is a effective way to force you to take your lumps and lose the money needed to recover that data.
  • by theshowmecanuck ( 703852 ) on Tuesday November 15, 2022 @01:21PM (#63053561) Journal

    And a long prison term at that. If those people have to go to prison for paying, then they will pay more to protect their data up front. Because to stay in business they will likely have to pay up to the ransom holders if their data becomes locked up. That is, do all that is possible up front to protect the data to save their own asses.

    • And don't send them to a minimum security country club facility either. Let them do their time in at least a medium security prison where their punishment is more than the loss of freedom to go where they want.

      On a side note (D#) I'd like to thank you for referring to prison, not jail. Jail is where people are put while awaiting trial, or for very short terms; prison is where you end up if your sentence is a long one. I wish the various cop/court TV shows would stop getting that wrong.
    • Spotted the American. No. Sending people to prison for low likelihood scenarios is stupid and simply doesn't work as a deterrent in the slightest. People have a genuinely poor ability to judge risk of extreme events, and when the punishment is out of step with the crime they get brushed off. Make the sentence extreme and people will think it'll never happen and do nothing to prevent occurrence.

      • by gweihir ( 88907 )

        Getting hit by ransomware is not a "low probability scenario" anymore.

        • Getting hit by ransomware is not a "low probability scenario" anymore.

          It really is. You're either massively over-inflating the number of ransomware attacks, or massively underestimating the number of targets. But in any case you missed my point. The more severe a punishment the less likely it gets given even if the underlying condition is present.

          I didn't say that getting hit by ransomeware would be judged as a low probability, I said going to jail would be.

          • by gweihir ( 88907 )

            Nope. It is very much not "low probability". Get some real numbers and stop claiming crap. Well, claiming crap is your usual modus, so there is that.

  • by DeadSeaTrolls ( 591736 ) on Tuesday November 15, 2022 @01:31PM (#63053601)
    If lacking security and partitioning of data fell on corporate officers they might take it more seriously.
    • Require security audits.
    • Security in ICT is difficult to define apart from stupid self referencing statements. Even concepts such as "need to know" are impossible to define in knowledge based organisations and often exact a very high cost on business operators when implemented by indoctrinated security folk without a grasp of maths.
      However that being said that state of being insecure may often be recognised as a state of negligence and reckless abandon when considered against a backdrop of "good practice"
      For example ASD, Australia'

  • And force people to take backups and data security seriously.
  • by metrix007 ( 200091 ) on Tuesday November 15, 2022 @03:20PM (#63053893)

    And incompetence is the only reason anyone would need to pay a ransom.

    You know how you defeat ransomware? Backups.

    Yes, it really is that simple.

    • by maglor_83 ( 856254 ) on Tuesday November 15, 2022 @04:38PM (#63054069)

      The attacks that have made all this fuss aren't even really ransomware attacks. Optus was breached and heaps of PII was stolen. As far as I'm aware there was never any ransom involved. Medibank was breached and shitloads of very private information was stolen, and a ransom demanded to stop them from releasing said information.
      Backups do nothing to prevent this, as neither company ever lost access to their data.

      • The attacks that have made all this fuss aren't even really ransomware attacks.

        Irrelevant. This isn't an attempt to address the two specific cases. If you do that you will forever be the idiot preventing floods by sticking your finger in the dyke to plug the holes rather than solving the underlying issue.

        The attacks in question kicked off a larger discussion about cyber crime. This is just one of the proposals to come out of it. The fact is Medibank's breach involved a demand for payment. Whether you give it a cute name is completely irrelevant.

        • by truedfx ( 802492 )
          The idea of sticking your finger in the dyke to prevent a flood comes from "The Little Dykeman", https://books.google.co.uk/boo... [google.co.uk], and the child is regarded as a hero, as a saviour of the country, for keeping the sea out all night until an adult finally came by the next morning. That analogy does not support the argument you are trying to make.
    • Comment removed based on user account deletion
    • by gweihir ( 88907 )

      Au contraire. Incompetence when accepting certain responsibilities is already a criminal act.

  • This solution is the obvious way to go to address this problem. No other measures are having any effect. If there's no profit in it, the attacks will dry up pronto.
  • What is the goal here? To punish the company and the individual victims of identity theft? To inoculate companies from some of the financial impact of a data breach?

    I'm sure the goal is ostensibly to discourage ransomware, but as usual the government does not understand enough about cybersecurity to actually be effective.

    Strengthen requirements to store PII. Institute mandatory compliance auditing/reporting requirements. Increase penalties for corporations who are breached.

    Security improves when the cos

    • The goal is to get companies - those who negligently prioritize growth over security - to spend their money on security instead of PR and coverups.

      • The goal is to get companies - those who negligently prioritize growth over security - to spend their money on security instead of PR and coverups.

        If only the rapidly ballooning government expenditures that happen within 5-10 years of every single expansion of power and every single creation of new "crime", could have instead been spent to partner with people and businesses to create and follow better information Security practices.

        But alas, just like with the USA's perpetual, trillion-dollar "War On Drugs" canard, you can tell a nation-state is on the downward slope of its ideological coherence when its solution for social problems is criminal prosec

  • Comment removed based on user account deletion
  • This would likely result in businesses getting targeted by political enemies, as it would be a great way of destroying someone you do not like by putting them in a no-win situation that is very damaging no matter what they do.
  • A sensible policy (Score:4, Informative)

    by Stonefish ( 210962 ) on Tuesday November 15, 2022 @05:29PM (#63054191)

    Essentially banning ransomware payments achieves a greater good at the expensive of individual companies. The current model of making ransom payment simply supports a criminal industry. It really is that simple. Remove the cash and the industry deflates.
    In Australia there have been two recent major compromises of significant organisations, Optus, a singtel subsiduary market cap of ~45B, and Medicare Private market cap about 8B.
    The Optus hack was as a result of using production data and systems for a test environment and a cowboy type approach to development. This is a cheap and risky approach and it appears that they didn't effectively mitigate these risks hence the pejorative "cowboy".
    The medicare hack appears to be as a result of compromised credentials which would have been effectively mitigated by two factors authentication of privileged users. Two factor authentication doesn't have to be difficult or expensive but most organisations implement costly big vendor approaches. If you want a cost effective solution use simple standards based technologies like smartcards or TOTP tokens. SMS, email and even soft tokens on phones are a bit rubbish as your phone is just another computer which is permanently connected to the Internet.

    • by EvilSS ( 557649 )
      TOTP keys are also a bit rubbish as they are just as easy to phish as phone based authenticators.
  • If the law pass through, Australia will become a first country in the world where ransomware disappears completely.
    No one will spend thousands of dollars on breach to receive nothing.
    Ingenious!

This restaurant was advertising breakfast any time. So I ordered french toast in the renaissance. - Steven Wright, comedian

Working...