Australia takes steps towards the mandatory reporting of ransomware payments

Author: Sarah Birkett

A private member’s bill has been introduced in Australia that would require the mandatory reporting of ransomware payments by applicable Australian entities.

The Ransomware Payments Bill would require any business or Commonwealth Government entity which makes a ransomware payment to notify the Australian Cyber Security Centre (ACSC) with details of:

  • the identity of the attacker, or any information known about the identity of the attacker;
  • the cryptocurrency wallet etc. to which the payment was made;
  • the amount of the ransomware payment; and
  • any indicators of compromise known to the reporting entity.

The Bill applies to any ransomware attack which affects data, computers or other devices located or used in Australia, regardless of where the entity making the payment is based. The Bill does not specify a time period for notification, and fines of up to AUD222,000 would apply for failure to report.

Reported incidents would be used to assist law enforcement efforts, to inform Government policy, and would be shared throughout the private sector (on a de-identified basis) via the ACSC’s threat-sharing platform.

The explanatory memorandum to the Bill describes ransomware as the “highest cyber threat” facing Australian businesses, with an estimated cost to the Australian economy of AUD1 billion in 2019 alone.

The Bill has been introduced in light of a series of high-profile ransomware attacks in recent months, including those in respect of JBS Foods (which employs 11,000 individuals in Australia) and Nine Entertainment, an Australian free-to-air television broadcaster.

The ACSC’s current advice to Australian businesses is that ransoms should not be paid – for more information see here. Voluntary notifications of ransomware attacks to the ACSC are encouraged.