The Criminalisation of Ransomware Payments - Clifford Gouldson Lawyers (2024)

In late 2022, the Australian government announced it was considering new laws to make it illegal for companies to pay ransoms to cyber criminals¹, and that it would increase penalties for data breaches. The announcement came after a series of high-profile cyber attacks in Australia in 2022.

Imagine a world where a business in Australia who chooses to pay a ransom so they can continue working, is then facing fines or penalties for making that payment.

Cyber security experts welcome these announcements as a possible further step towards fortifying Australia’s cyber security protections, reflecting what has been happening in the international community.

Business groups in Australia have expressed concern about the possible reforms.

If reforms proceed, will any ban on ransom payments be implemented through civil or criminal law?

Will organisations who make ransom payments face civil penalties or criminal sanctions?

What options might exist for the ban?

At this stage, certain US states, including New York and Hawaii, have introduced bills prohibiting governmental, business and healthcare entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack, with a civil penalty of up to US$10,000 imposed for any violation of the ban.

New York proposes to amend the state’s technology law to include the ban, whilst Hawaii proposes to amend Chapter 128A of its Homeland Security, Hawaii Revised Statutes.

Whether civil penalties will be effective in deterring ransom payments is uncertain. If business survival is at stake, it may remain in the interests of the business to pay the ransom and simply absorb the civil penalty.

Alternatively, governments may decide to criminalise the payment of ransoms through corporate criminal law, making it an offence to pay a cyber ransom. This would mean a company is criminally liable, and directors and officers personally liable, if the corporation commits the offence. The likely deterrence effect of a criminal consequence to paying a ransom may be more effective than a civil remedy.

Many believe strongly that criminalising ransom payments will fail to discourage cyber crime at all. A ban on extortion cover in insurance policies has provided little deterrence to cybercriminals.

Is it about financial gains?

Criminalising ransom payments is hoped to reduce the number and severity of cyber attacks by reducing the financial incentives for criminals through a reduction in the number of companies paying ransom payments due to the risk of committing an offence.

However, motivating forces for cyber criminals extend beyond financial gain. There are other forces at play including ideological reasons, personal or professional revenge, or the thrill of the hack.

How creative are Cyber Criminals?

Financial gain is obviously a main driving force behind cyber attacks, but if the criminalisation of ransom payments occurs, how creative might cyber criminals be in finding ways around the regime? Cybercriminals have proven themselves to be resilient, motivated and creative in identifying new opportunities.

For Example, in 2019, Microsoft claimed that multi-factor authentication (MFA) can prevent over 99.9% of account compromise attacks³and yet in 2022 cyber criminals escalated attacks on MFA methods globally, launching MFA bypass attacks to compromise accounts.⁴

Reports now exist to suggest that cybercriminals are already prepared to cloak payments for ransom attacks as legitimate cyber security services delivered post-attack, and uncovering evidence of the attack may prove difficult when companies are motivated by survival.

Are ransom payments reducing?

A 2022 research report found that fewer companies paid extortion payments to cyber criminals in 2022 than in both 2021 and 2020.⁵

In the findings published by Chainalysis Inc on 19 January 2023, ransom payments (which are almost always paid in cryptocurrency) fell to US$456.8 million in 2022 from US$765.6 million in 2021. The 40% drop was not attributed to attacks reducing, but much of the decline was due to victim organisations refusing to pay ransomware attackers.
The research from Chainalysis is supported by data from the cyber incident response company Coveware, which disclosed that the number of Coveware’s clients that have paid a ransom after an attack has steadily decreased since 2019, from 76% to 41% in 2022, according to Chainalysis’s research.

There are a few reasons for this:

1. Cyber attack resistance and resilience of organisations is improving.
2. Legal risks associated with ransom payments is increasing, both in Australia and in other jurisdictions like the US, UK and EU. Laws including anti-money laundering and counter-terrorism laws provide greater complexity to a ransom payment than previously understood.
3. Reputational ramifications for an organisation that is publicly known to have paid a ransom.
4. Awareness of the Australian government’s position to never pay a ransom is becoming more widely known.
5. The Australian Cyber Security Centre (ACSC), and the Office of the Australian Information Commissioner (OAIC) if it involves a data breach, have increased public-private collaboration, which often results in a contractual or relational discouragement of ransom payments.

The number and frequency of cyber attacks continue to grow. Today, ransomware remains one of the top threats to organisations, and cybercrime is costing the Australian economy an estimated AUD42 billion annually.⁶

Should victims be punished?

If victims of a cyber attack were punished (whether civilly or criminally) would that be contrary to the very foundation of the justice system in Australia?

Criminal law seeks to identify and punish criminals for the protection of society – the greater good. The offending conduct here surely is the demand for a ransom payment (ie. cyber crime) and there are laws in place already (sanctions laws, anti-money laundering laws, and counter-terrorism laws) that should be sufficient to discourage the criminal conduct?

Laws imposing a risk of a civil fine or criminal prosecution on the party which paid the ransom would surely punish the victim of the crime and do nothing for the protection of society – the greater good.

Perhaps the laws might differentiate between large organisations where failures to have in place proper accepted protocols to minimise cyber crimes from occurring, as opposed to less resourced and capable organisations who arguably simply didn’t have the resources to meet best practices around cyber security? According to the Australian Small Business and Family Enterprise Ombudsman, only 2.7% of businesses in Australia employ more than 20 employees. Perhaps a better focus for the government than to punish victims of cyber attacks would be to invest in resources for the 97.3% of businesses in Australia who might struggle to enact or implement best practice cyber security protocols in their business?

Australia’s cyber resilience as a nation is improving, but small to medium enterprises might need a hand to get to where they need to be.

¹https://www.smh.com.au/politics/federal/we-will-hunt-them-down-o-neil-signals-more-action-on-medibank-hack-20221113-p5bxsi.html
²https://ministers.ag.gov.au/media-centre/joint-standing-operation-against-cyber-criminal-syndicates-12-11-2022
³https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
⁴https://www.techtarget.com/searchsecurity/news/252525234/Cybercriminals-launching-more-MFA-bypass-attacks
⁴https://its.unc.edu/2022/10/20/mfa-bypass/
⁵Ransomware revenue down as more victims refuse to pay
⁶https://www.unsw.adfa.edu.au/newsroom/news/cybercrime-estimated-42-billion-cost-australian-economy

For further information please contactBen Gouldson