The number of ransomware incidents affecting local organisations increased by 24 per cent in the first six months of 2021, according to data from the Office of the Australian Information Commissioner’s (OAIC) latest notifiable data breaches report.
Unfortunately, not every company hit by ransomware reports the incident to the OAIC, with the office admitting “a number of entities” deciding they didn’t have to notify the OAIC of a ransomware event due to “lack of evidence” that attackers accessed data.
Information and Privacy Commissioner Angelene Falk lamented this fact at the report’s release last month.
“The nature of these [ransomware] attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated,” Falk said.
“Because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware.”
Perhaps more alarming is the fact that global ransomware events decreased in the first quarter of 2021, according to cyber security firm McAfee’s June Threat Report, with that global decrease falling inside the same period in which Australian ransomware notifications jumped.
Raj Samani, McAfee’s Chief Scientist, said the overall drop in ransomware events corresponds to a strategic change from ransomware perpetrators.
“Ransomware has evolved far beyond its origins,” Samani said.
“This shift was an evolution away from mass-spread ransomware attacks with low returns to human-operated ransomware campaigns that target fewer but larger organisations which in turn deliver more lucrative results.”
To pay or not to pay
Over the last few years, groups spreading this malicious software have adapted their business model to maximise profits by running affiliate programs with independent hackers who are paid a share of the ransom they squeeze from victims.
Ransomware has thus moved away from the spray-and-pray technique that saw WannaCry terrorise the world, to a more focused and deliberate approach, exploiting weaknesses and finding targets that will have a higher return on investment.
These cyber criminals have also gone from merely locking systems down to full-on extortion rackets, exfiltrating data and posting snippets on dark web leak sites for the world to see.
Pay up or the hackers will keep dumping your sensitive data online, potentially opening you up to all manner of risk and liability.
Advice from government cyber security agencies is simple: don’t pay the attackers because, like reacting to a schoolyard bully, paying the ransom will only encourage them.
But for ransomware gangs, business is good – especially if they go after Australian businesses.
Shane Bell, a digital forensic specialist with consulting firm McGrathNicol, said his experience suggests a lot of successful attacks end with money being sent to attackers.
“People are absolutely paying these ransoms,” he said.
“I would say the odds are at least 50-50 – or even more now – that people are making these payments after being hit.
“There are a lot of these attacks happening but it’s just not public and so it’s hard to find statistics.”
When US security firm Crowdstrike surveyed senior Australian IT professionals for its 2020 Global Security Attitude Survey, it found 33 per cent of those who admitted to falling victim to a ransomware attack said they paid the ransom – that’s six percentage points higher than the global average.
On average, those companies made payments of $1.25 million to the attackers.
Sadly we may never know the true extent of ransomware in Australia because of how cagey businesses tend to be when they’re attacked.
It’s an issue Labor tried to address when Shadow Minister for Cyber Security Tim Watts introduced a private member’s bill to parliament in June.
Under Watts’s scheme, organisations that made a ransom payment would be required to report the incident to the Australian Cyber Security Centre or risk a hefty fine.
We can all do better
Bell thinks Australia needs a cultural shift to better prepare us for cyber security problems like ransomware.
“There’s a lot of work that corporate Australia needs to do around building resilience and planning for this as an issue,” he told Information Age.
“People still think it won’t happen to them and therefore they don’t contemplate the very likely scenario that they will one day be victims.”
The government is considering ways to force greater accountability on company directors by making them more liable for cyber security incidents.
It is also seeking the power to take full control of systems it deems part of ‘critical infrastructure’ during a cyber event, through legislation that will reform existing critical infrastructure protections.
But Bell thinks there should also be scope for government agents to conduct offensive campaigns against ransomware perpetrators – echoing actions by the US Federal Bureau of Investigation (FBI), which successfully took back 63.7 bitcoins paid during the Colonial Pipeline ransomware attack.
“There should be some sort of mechanism that targets organised crime online – whether that’s weaponising the ASD or building capability into law enforcement to take down the attackers’ infrastructure,” he said.
“We need some ability to fight back or deter attackers because at the moment this isn’t an equal fight.”