Exclusive: Mandatory ransomware reporting key to Australia's cyber resilience

Australia is taking a bold step in strengthening its cybersecurity by introducing mandatory ransomware payment reporting laws.

This legislative shift aims to bridge critical information gaps and enhance national resilience against cyber extortion.

"Mandatory ransomware payment reporting is a crucial step in understanding the true scale and cost of cyber extortion incidents in Australia," explained James Finlay, Lead Director of Incident Response, APJ, Coveware by Veeam.

Under the proposed legislation, organisations with a turnover of over $3 million will be required to disclose ransomware payments. This threshold aligns with the one established by the Privacy Act.

By collecting this data, the government will gain unprecedented visibility into the scope of ransomware attacks and their economic impacts.

The Cost of Underreporting
Underreporting of ransomware incidents has long been a challenge. For example, the Australian Signals Directorate (ASD) documented 121 ransomware incidents in the 2023-24 financial year, a figure that mirrors the number of Australian victims listed on ransomware leak sites.

"This figure is almost certainly a significant underestimation," Finlay pointed out.

He added that many incidents never make it to public leak sites, as not all threat actors steal data, while others lack platforms to publish compromised information.

Finlay highlighted a startling statistic: only 12% of ransomware victims globally are extorted for payment to prevent data leakage, according to an Australian Institute of Criminology report. "This statistic seems very low. Coveware by Veeam global case data suggests it's closer to 75%," he explained.

Without accurate reporting, policymakers and law enforcement face significant obstacles in assessing the threat landscape, allocating resources, and devising effective counter-strategies.

"Mandatory reporting is crucial to uncovering the real scale of the ransomware threat facing Australian businesses," he said.

Small Businesses Face Unique Hurdles
Small businesses, particularly those with a turnover under $3 million, are exempt from mandatory reporting.

Many fail to disclose incidents due to fears of reputational damage, limited resources, and concerns about legal repercussions.

"To encourage reporting, the government must focus on education, demonstrating the benefits of disclosure, and creating supportive mechanisms," Finlay explained.

He suggested confidential reporting channels and practical cybersecurity assistance to lower barriers for smaller organisations.

The long-term solution, Finlay noted, is to include small and medium-sized enterprises (SMEs) in mandatory frameworks while ensuring financial viability.

Reducing the Incentive to Pay
Mandatory disclosure could also discourage ransom payments.

"By making companies provide information justifying their decision to pay, the law could discourage unnecessary payments," Finlay said.

He urged organisations to view ransom payments as a last resort and explore alternatives such as backup restoration, data reconstruction, or manual decryption.

"Hasty payments can lead to ineffective decryption tools or additional extortion attempts," he added.

Proactive measures, including robust incident response planning and advanced backup strategies, are essential. "Tools like the Veeam Data Platform provide features such as immutable storage and malware detection, enabling organisations to recover data efficiently while reducing downtime," Finlay explained.

Australia's Unique Approach
Australian businesses have shown remarkable resilience in refusing ransom demands compared to their global counterparts.

"A robust 'Team Australia' approach, backed by clear government guidance and strict privacy breach notification laws, has created an ecosystem that effectively discourages ransom payments," Finlay said.

Major organisations, particularly in sectors like healthcare and finance, have demonstrated operational recovery without capitulating to extortionists. "This bold stance has emboldened smaller businesses to follow suit," Finlay explained.

He added that awareness campaigns and a collective cybersecurity mindset have further reinforced Australia's resilience. "Paying the ransom doesn't guarantee recovery and can make organisations repeat targets," he said.

Lessons for the World
Australia's emphasis on operational recovery offers valuable lessons for other nations. "Preparedness and transparency are key," Finlay explained. He urged global governments to foster collaboration between agencies and businesses while prioritising proactive measures over reactive payments.

One standout example of the benefits of collective reporting is the November 2023 global law enforcement operation against the ALPHV/BlackCat ransomware syndicate.

"This operation demonstrated the potential of coordinated reporting, involving the seizure of criminal infrastructure and aiding victims in data recovery," Finlay said.

The Impact on Cybercriminals
Mandatory reporting laws are also likely to influence cybercriminal behaviour. Finlay believes that threat actors will recognise the futility of promising confidentiality through payment.

"Over time, as ransom payments dwindle in Australia, cybercriminals may shift focus to jurisdictions with less developed notification laws," he explained.

He added that mandatory reporting aids law enforcement by exposing threat actors, often leading to the identification of cybercriminals.

"This disrupts the economic model of cybercrime by increasing the risk of law enforcement disruption," Finlay said.

Building a Resilient Digital Economy
Mandatory ransomware reporting is pivotal to building a secure digital economy. Finlay emphasised that systematic data collection enables governments to uncover critical trends, enhance defence mechanisms, and foster trust within the digital ecosystem.

"Mandatory reporting transforms ransomware from an isolated incident into a shared challenge," he said.

Highlighting Australia's leadership in confronting cyber threats, he concluded: "This proactive approach will inspire global efforts to create a collective defence against cybercriminal networks."
