With ransomware attacks now an almost daily phenomenon, governments are actively looking at new ways to combat the scourge and protect individuals, organizations, and national interests. The Australian Minister for Home Affairs, Karen Andrews, has recently published a plan titled the “Ransomware Action Plan.”
While the title is certainly on the nose, the plan does include some interesting developments and trends on how to better combat ransomware.
The document starts by neatly defining the threat posed by ransomware. The plan states,
“Ransomware has become an increasingly prevalent global threat, where cybercriminals use readily available software to encrypt electronic devices, folders and files that render systems inaccessible to users. Once files are encrypted, criminals demand a ransom from the system owner in return for the decryption keys, often in the form of hard-to-trace cryptocurrencies. Not only do criminals use ransomware to encrypt files, ransomware also allows criminals to gain access to a network, enabling them to steal sensitive information.”
Further, the plan goes on to state,
“Globally, it is estimated that there is a ransomware attack on a business every 11 seconds, with ransomware damage losses projected to reach US$20 billion in 2021. Paying a ransom does not guarantee recovery of ransomed data, and only helps promote ransomware as a profitable criminal enterprise. Ransomware and cyber extortion remains the most serious cybercrime threat facing Australia due to its high financial and disruptive impacts to victims and the wider community.”
To help address this risk, the Australian government has approved an investment of 1.67 billion AUD (approximately 1.23 billion USD at the time of writing) into the country’s Cyber Security Strategy 2020 program, with the Ransomware Action Plan forming a crucial part of the program. The ransomware plan can be summarised in a few bullet points and includes the following measures:
- The formation of a multi-agency taskforce named ‘Operation Orcus,’ led by the AFP (Australian Federal Police).
- The introduction of a mandatory ransomware incident reporting clause for all victimized entities.
- The establishment of awareness-raising programs for businesses of all sizes.
- The introduction of harsher punishments for cyber extortionists and ransomware actors based in the country.
- A more active stance in calling out states that facilitate ransomware attacks or provide safe havens to cybercriminals.
- The active tracking and interception of cryptocurrency transactions that have confirmed links to ransomware operations or other cybercrimes.
To meet the plan’s needs, the government will look to train and hire 100 AFP personnel, costing approximately 121 million USD. Interestingly, the newly proposed task force will be responsible for identifying, investigating, and targeting cybercriminals. The targeting of cybercriminals is notable because, in the past, governments adopted more of a reactive policy to cybercrimes.
Recent developments, particularly in developed nations, have resulted in leaders prompting governments and law enforcement agencies to adopt a more proactive stance to combatting ransomware. The Colonial Pipeline and JBS ransomware incidents showed just how damaging ransomware can be to the public interest.
Another interesting aspect of the “Ransomware Action Plan” is how it plans to disrupt the double-extortion tactics now commonly used by several of the most prolific ransomware gangs. The tactic involves not only demanding a ransom to decrypt data but also demanding the ransom be paid timeously, otherwise stolen data will be released to the public.
To combat this tactic, it has been proposed that legislators supplement the powers granted to law enforcement in the Surveillance Legislation Amendment Act 2021. It has been proposed that the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) will have the power to delete or remove data linked to suspected criminal activity, permitting access to devices and networks and even allowing the takeover of online accounts for investigation purposes.
Put differently, these new powers will allow law enforcement to delete data stolen during ransomware attacks and stored on servers operated by the attackers for use in double-extortion attacks. By being able to delete stolen data from servers, the government hopes to prevent sensitive data from being leaked to the public following a successful ransomware attack. The proposal states,
“...to establish procedures for certain law enforcement officers of the Australian Federal Police or the Australian Crime Commission to obtain warrants and emergency authorizations that:
(i) authorize the disruption of data held in computers; and
(ii) are likely to substantially assist in frustrating the commission of relevant offenses; and” - Surveillance Legislation Amendment Act 2021.
International Plans to Curb Ransomware
At the start of October 2021, a US-led plan to unite 30 countries, including G7 and NATO nations, in an attempt to curb ransomware attacks was summarised by President Biden. The US President stated,
“This month, the United States will bring together 30 countries to accelerate our cooperation in combatting cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically...We are also partnering closely with nations around the world on these shared threats, including our NATO allies and G7 partners...I am committed to strengthening our cybersecurity by hardening our critical infrastructure against cyberattacks, disrupting ransomware networks, working to establish and promote clear rules of the road for all nations in cyberspace, and making clear we will hold accountable those that threaten our security.”
Much of Australia’s new plan is in line with the meetings held by the US President, with the main areas where ransomware is to be combatted being highlighted. These are to disrupt ransomware infrastructure, bolster an organization’s ability to defend against the threat, address how cryptocurrencies are used to facilitate ransom payments and the subsequent laundering of extorted funds, and foster international cooperation to achieve the three previous aims.
Both Russia and China were left out of the talks, as the US believes efforts made by those countries to curb ransomware and other cybercrimes lacked sincerity or actions that take the problem seriously. On this point, a US official stated,
“We've worked with allies and partners to hold nation-states accountable for malicious cyberactivity as evidenced by, really, the broadest international support we had ever in our attributions for Russia and China's malicious cyber activities in the last few months...The Experts Group continues to meet to address the ransomware threat and to press Russia to act against criminal ransomware activities emanating from its territory. In this first round of discussions, we did not invite the Russians to participate for a host of reasons, including various constraints. We do look to the Russian government to address ransomware criminal activity coming from actors within Russia. I can report that we've had, in the Experts Group, frank and professional exchanges in which we've communicated those expectations. We've also shared information with Russia regarding criminal ransomware activity being conducted from its territory. We've seen some steps by the Russian government and are looking to see follow-up actions.”
Leaving Russia and China out of these talks was a clear sign of political intent. It remains to be seen if leaving out these key international players, even if guilty of at best tacitly supporting cybercrime, will help bridge the political divide and bring real change to the cyber threat landscape.
That being said, it is hoped that fostering international cooperation between the 30 nations involved in the talks will help curb the threat posed by ransomware gangs in the near future.