iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
A new push for the payment of cyber ransom demands to be outlawed has emerged from the rubble of the Latitude hack, as industry leaders call on the government to introduce penalties to companies that pay hacker demands.
Both the federal government and industry experts are commending Latitude’s stance against paying threat actors ransom payments, a decision that the financial institution made on Tuesday (11 April).
“We will not reward criminal behaviour, nor do we believe that paying a ransom will result in the return or destruction of the information that was stolen,” the company said in a statement.
“In line with advice from cyber crime experts, Latitude strongly believes that paying a ransom will be detrimental to our customers and cause harm to the broader community by encouraging further criminal attacks.”
Alongside a number of penalties introduced to punish companies that suffer serious data breaches, Cyber Security and Home Affairs Minister Clare O’Neil has previously suggested the idea of preventing businesses from buying their way out of trouble when affected by a cyber attack.
“The idea that we’re going to trust [hackers] people to delete data that they have taken off and may have copied a million times is just frankly silly,” said Minister O’Neil.
“We’re standing strong as a country against this, we don’t want to fuel the ransomware business model.”
Suggestions made following a review of Australia’s cyber security strategy led by former Telstra chief executive Andy Penn have pushed Minister O’Neil to consider outlawing ransomware payments.
The minister took to Twitter following Latitude’s decision not to pay ransom, to reiterate her concerns with ransomware actors and her hope to make Australia “the most cyber secure country by 2030”.
Cyber criminals cheat, lie and steal. Paying them only fuels the ransomware business model.
— Clare O'Neil MP (@ClareONeilMP) April 11, 2023
They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals.
The Australian Cyber Security Centre (ACSC) recommends that ransom demands following a ransomware attack should never be paid, as there is no guarantee that the hacker will live it to its end of the deal and delete the data, rather than return or decrypt it.
However, paying ransom is still legal and can be covered under insurance, posing little financial threat to organisations.
Now, leading cyber experts and industry executives are calling for the government to make paying threat actor demands illegal.
CyberRisk director of cyber security Wayne Tufek weighed in, telling The Australian that “making ransom payments illegal would act as a deterrent for criminals to continue attacks if they know that they won’t be paid large sums of money”.
“Would it stop the crime, maybe; however, the information they steal still has value in the criminal world to perpetrate identity theft, for example,” Tufek said.
While paying ransomware payments is not currently illegal, organisations have alternatives.
No More Ransom is an organisation encouraging businesses not to pay attackers by providing them with decryptors and working with both law enforcement and the private sector.
“We’ve got 163 decryptors on there. We won’t ask for your email address. We won’t track you in any way shape or form,” said Raj Samani, founder of No More Ransom and Rapid7 senior vice-president and chief scientist.
“We collaborate and work together to basically tell the whole world don’t pay ransom; here is another choice, and we will give you free decryptors.”
To date, No More Ransom has prevented over a billion dollars in ransomware payments.
Be the first to hear the latest developments in the cyber industry.
