The government has revealed that a ban on ransomware payments will happen, but not for at least two years, as more groundwork needs to be laid.
The notion of banning ransomware payments altogether became a keen topic of discussion in the aftermath of the Latitude Financial cyber attack back in March, with leaders of industry asking whether an outright ban was the right solution during a consultation for the 2023–2030 Australian Cyber Security Strategy (ACSS) earlier in the year.
Speaking with ABC Radio National’s Patricia Karvelas, Minister for Home Affairs and Cyber Security Clare O’Neil said she does support a ban on ransomware payments as they feed cyber criminals, but she added that now is “clearly not the right time,” as more had to be done prior.
“The payment of ransoms at the moment is effectively businesses around the world funnelling millions and millions and hundreds of millions, probably billions of dollars into criminal gangs who reinvest that money back in their capability,” said Minister O’Neil.
“So every time a ransom is paid, we are feeding the cyber crime problem. Now, we are in a situation in our country where it is clearly not the right time at this moment to ban ransoms, and that’s because we haven’t done the hard work.
“We don’t have, for example, a Federal Police force that’s properly resourced and properly equipped to deal with this problem, and we solve part of that problem in the strategy.
“We don’t have a proper system of support for companies that are undergoing cyber attack, and we solve that problem in the strategy.”
Despite the former cyber security coordinator Darren Goldie calling it a mistake not to ban ransomware payments as part of the ACSS, Minister O’Neil said that the first stage or horizon of the strategy is about developing an understanding of the current state of national cyber security, before revisiting the idea of banning ransomware payments, a move she said is unavoidable.
“My plan for the country on ransoms is that we undertake what is the first two years of this strategy, and then we revisit where we are then and contemplate what I think is inevitable for countries around the world, and that is one day a ban on making ransomware payments.
“We just can’t feed cyber crime like this.”
The pros and cons of an outright ban on ransomware payments have been discussed at large throughout the year.
As Minister O’Neil has said a number of times, making a ransomware payment only fuels a cyber crime syndicate, allowing it to reinvest the funds and become a stronger force. Organisations that pay a ransom also paint a target on their heads as groups willing to pay, making them attractive to threat actors for repeated attacks.
Paying a ransom as a method of recovering or decrypting data is also not a guarantee, as businesses are negotiating with criminals who may provide false proof that data is deleted or simply not hold up their end of the bargain. That being said, even these criminal organisations have reputations to uphold, and if they are known for double-crossing victims once a ransom is paid, they won’t be paid in the future.
On the other hand, a ransomware payment ban could have dire consequences. For example, if a healthcare institution has its infrastructure attacked, resulting in encrypted systems, power outages or other major hindrances, not having a quick solution could have a fatal outcome, with hospitals then unable to access vital patient information or unable to run crucial life-saving machinery.