18 Oct Ransomware – The bigger picture
With increased vulnerabilities due to companies moving to working differently, reports of ransomware attacks have increased. You may not be surprised by this, but at the same time, have you considered what you would do in the event your company finds itself on the receiving end of a ransomware attack?
Ransomware, is as the name suggests: Malicious actors gain unauthorised access to your IT systems and hold those systems and your information for ransom. They request payment in exchange for the systems and information to be released and threaten online publication of your information if you do not pay.
The key things to note here are that the money received by malicious actors may be considered the proceeds of crime, and that the money exists outside of formal financial systems. Therefore, its uses once in the hands of malicious actors are numerous and include anything from financing terror-related operations to the purchase and distribution of illegal items such as narcotics, or the re-investment in more resources to exploit further technical vulnerabilities. So, while the effects to your business are significant, the payment of ransoms fuels an even bigger, often international problem.
Do you pay the ransom?
As discussed in the previous article “Ransomware attacks: how to prepare for?“, you have two options:
- pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or
- do not pay the ransom and restore operations independently.
Generally, the recommendation is that you do not pay the ransom. The Australian Cyber Security Centre (ACSC) has published advice that focusses on prevention and seeking professional help with remediation rather than exploring payment options. There are a number of reasons for this advice. Firstly, the attackers are unlikely to simply take their money and run, rather they may take the fact that you paid up to mean you have money to do it again and will continue to hold your files ransom while you continue to empty your pockets. Secondly, paying the ransom puts you in a precarious legal position.
How is it illegal?
In Australia, there are a number of ways paying a ransom can lead to legal consequences. Firstly, company directors will need to assess whether their actions or inactions will lead to claims of negligence or breach of contract. For example, if they have not taken steps to ensure they have sufficient backups in order to restore systems and files after a ransomware attack, have they fallen short of their duty of acting with due care, skill and diligence or have they breached a contractual obligation?
Secondly, companies will need to assess whether paying the ransom will mean they are violating counter-terrorism and financial crime laws both locally and internationally and if any defences are available.
Recently issued advice by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) on the sanctions risks associated with ransomware payments highlights that persons are generally prohibited from engaging in transactions, directly or indirectly, with blocked individuals, entities or those covered by country/region embargoes. Civil penalties for violations of these sanctions may ensue.
The US sanctions apply to all persons and entities within the United States (this would include Australian companies with officers/agents in the U.S.), foreign branches of U.S. incorporated entities and persons outside the U.S. to the extent that they cause a U.S. person to violate such sanctions.
In Australia, under Division 400 of the Criminal Code Act 1995 (Cth), a person commits an offence if they deal with money (or property) that is, or is at risk of being, an instrument of crime and that person is reckless or negligent as to the fact that the money is at risk of becoming an instrument of crime.
The Australian Parliament has introduced the Ransomware Payments Bill 2021 which, if passed, will require companies to report ransomware incidents to the Australian Cyber Security Centre (ACSC).
The US has taken a similar approach with the recent introduction of the Cyber Incident Notification Act of 2021 which “would require Federal Agencies, government contractors, and the owners and operators of critical infrastructure to report cyber intrusions within 24 hours of their discovery.”
The legal landscape is most comprehensive for companies that fall under critical infrastructure in either jurisdiction, with increased reporting required for sectors such as healthcare, transportation, financial services, agriculture, energy and information technology.
All this is in addition to reporting obligations under privacy laws such as the Notifiable Data Breach scheme under the Australian Privacy Act 1988 (Cth), or the EU and UK General Data Protection Regulations, as well as the ‘suspicious transactions’ reporting to AUSTRAC required under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
So what can you do to prevent the fallout of ransomware attacks? Preparation is key and you should focus on strengthening defensive and resilience measures. This includes ensuring you have the capability to engage the right people to respond to the breach and pre-emptively secure your systems, and to revert to backups for recovery. Cyber threat intelligence sharing also goes a long way to strengthening not only your network but the networks of other companies in your eco-system. Supply chain management through contracts is always important to protecting your assets and limiting your liability to others.
If this content was of interest to you and you have further questions, please do not hesitate to give us a call.
 See https://home.treasury.gov/policy-issues/financial-sanctions/faqs/topic/1501; see also https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf