Ransomware: tougher penalties and mandatory reporting

New criminal offences, tougher penalties and a mandatory reporting regime have been announced as part of a new Ransomware Action Plan from the federal government.

Minister for Home Affairs Karen Andrews said individuals, businesses and critical infrastructure across Australia will be better protected as a result.

“Ransomware gangs have attacked businesses, individuals and critical infrastructure right across the country,” Andrews said.

“Stealing and holding private and personal information for ransom costs victims time and money, interrupting lives and the operations of small businesses.

“That’s why the Morrison government is taking action to disrupt, pursue and prosecute cybercriminals. Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most — their bank balances,” she said.

Under the Ransomware Action Plan the government will:

• introduce a new standalone aggravated offence for all forms of cyber extortion to ensure that cybercriminals who use ransomware face increased maximum penalties, giving law enforcement a stronger basis for investigations and prosecution of ransomware criminals;
• introduce a new standalone aggravated offence for cybercriminals seeking to target critical infrastructure. This will ensure cybercriminals targeting critical infrastructure face increased penalties, recognising the significant impact on assets that deliver essential services to Australians;
• criminalise the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cybercriminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties;
• criminalise the buying or selling of malware for the purposes of undertaking computer crimes;
• modernise legislation to ensure that cybercriminals won’t be able to realise and benefit from their ill-gotten gains, and law enforcement can better track and seize or freeze cybercriminals’ financial transactions in cryptocurrency.
   

The government will also develop a mandatory ransomware incident reporting regime to enhance our understanding of the threat and enable better support to victims of ransomware attacks. It will be designed to benefit, not burden small businesses, with businesses with a turnover over $10 million per annum expected to be subject to the regime.

The Plan also makes clear that the Australian government does not condone ransom payments to cybercriminals. There is no guarantee hackers will restore information, stop their attacks, and not leak or sell stolen data. Those impacted by ransomware attacks should visit cyber.gov.au for advice.

The plan follows the establishment of a new Australian Federal Police-led multi-agency operation which targets ransomware attacks that are linked directly to sophisticated organised crime groups operating in Australia and overseas, and shares intelligence directly with the Australian Cyber Security Centre as they utilise their disruptive capabilities offshore.

“The release of the Ransomware Action Plan is the latest in a long list of developments that have been rolled out since the government’s $1.67 billion Cyber Security Strategy commenced in August last year. It builds on the Morrison government’s strong track record fighting cybercrime,” Andrews said.

The Ransomware Action Plan is available on the ​Department of Home Affairs website.

The government will now consult further with the community, industry and interested stakeholders on the mandatory reporting regime and new criminal offences.

Image credit: ©stock.adobe.com/au/James Thew