Australian ransomware victims now must tell the government if they pay up The Record from Recorded Future News

Australia became on Friday the first country in the world to require victims of ransomware attacks to declare to the government any extortion payments made on their behalf to cybercriminals.

The law, initially proposed last year, only applies to organizations with an annual turnover greater than AU$3 million ($1.93 million), alongside a smaller group of specific entities working within critical infrastructure sectors. The turnover threshold is expected to capture just the top 6.5% of all registered businesses in Australia, comprising roughly half of the country's economy.

Reports will be made to the Australian Signals Directorate (ASD) within 72 hours. Companies that fail to make a report could receive 60 penalty units within the Australian civil penalty system.

The government said it would initially focus on pursuing egregious cases of noncompliance, but otherwise intends to "constructively engage" with any relevant victims until the beginning of next year, when it said the regulatory approach would harden.

The mandatory reporting requirement is intended to provide the ASD and the country's other authorities with better visibility over the nature of the ransomware threat.

"Current voluntary reporting mechanisms are underutilised and consequently ransomware and cyber extortion attacks remain significantly underreported," the Australian government stated when the law was originally proposed.

"The Australian Institute of Criminology indicates that only one in five victims of a ransomware attack report the attack. As a result, government lacks visibility of the economic and social impact of ransomware in Australia."

It follows cybersecurity rising up the political agenda in Australia, spurred by a series of high-profile cyberattacks against private businesses, including those affecting Optus, Medibank and MediSecure.

A similar move has been proposed in the United Kingdom, where earlier this year the government launched a consultation on banning public sector bodies and privately-owned critical infrastructure entities from making extortion payments, and requiring all victims to report incidents to the government.

The intention of a payment ban is to make the essential services the country relies on the most unattractive targets for ransomware crime.

According to the British announcement, anyone who wants to make a payment would also be required to report this intent to the government, which would make an assessment and have a power to block any payment, e.g. to a suspected sanctioned entity or state.

The additional insight into payments will be helpful for sanctions authorities. Information obtained by Recorded Future News last year revealed the agency responsible for monitoring financial sanctions in Britain has never detected an illicit payment to an entity embargoed under the country's counter-ransomware regime.

Read more: UK government urged to get on forward foot with ransomware instead of absorbing the punches

Speaking to Recorded Future News, Jeff Wichman, the director of incident response for Semperis, said the mandatory reporting requirement was unlikely in itself to stop attacks.

"Granted, the government gets data on the attackers that are making the money. They likely get the indicators of compromise of the attacks, they get communications from the negotiators and the attacker, but that does nothing in the grand scheme of things other than build a profile of the attackers," said Wichman.

"All it does, in my opinion, is it publicly shames the companies who have to report it, if it really does become public," he said. That could have value, he added, "but in the grand scheme of things, at least from my perspective, and maybe I've got a jaded personality, a company gets hit with ransomware and nine times out of 10 they're paying the ransom."

The figure of 90% dates back to Wichman's days doing ransomware negotiations at cybersecurity company Palo Alto Networks, where he said the payment levels he saw were biased towards victims bringing in negotiators when they were already considering paying.

According to a more recent study by Semperis of 1,000 companies hit by attacks in the United States, United Kingdom, France and Germany, more than 70% paid.

There is some suggestion that ransomware payments dropped worldwide last year, with a report by blockchain intelligence firm Chainalysis identifying "a surprising and significant drop" of around 35% in 2024, indicating the impact of disarray in the ransomware ecosystem following the disruption operation targeting LockBit, the market-leading ransomware group, as well as the exit scam by the AlphV/BlackCat group.

But according to Wichman, many companies do still pay, and hope to pay quickly.

"You'd be surprised," he said. "Some companies, they just want to pay it and get things done, to get their data off the dark web. Others, it's a delayed response perspective: they want negotiations to happen with the attacker while they figure out what happened."

Governments around the world, particularly those involved in the Counter Ransomware Initiative, have called on victims not to make extortion payments, arguing they only fuel the criminal ecosystem and do not guarantee that encrypted material will be recovered or that stolen data will be deleted.

Semperis found that in around 40% of cases where a payment had been made, victims were provided with corrupted decryption keys.

"There is no regulation that can be put in place from a government entity that is going to solve the source of ransomware attacks until faster and more responsive measures are taken against the actual threat actors," said Wichman.

Increased disruptions from law enforcement would provide an effective bump in the road, added Wichman, but wouldn't be the ultimate solution. "What this really comes down to is organisations need to assume they'll be breached, be resilient and put the protections in place, and make it harder for the attackers to get in."

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

Copyright 2025 The Record from Recorded Future News