The Australian government is considering making the payment of ransoms to cyber threat actors a criminal offence. Should the UK follow suit?

The announcement follows multiple high-profile attacks affecting the country including a recent ransomware attack against Medibank.

The debate on whether to pay ransoms to cyber threats has been prevalent since ransomware became established within the threat landscape.

However, Australia is now looking to take steps to end that debate by criminalising ransom payments to cyber threat actors. This movement follows a flurry of positive and negative ransomware activity related to Australia during the past month:

• Insurance company Medibank were victim of a ransom demand in return for the data of 9.7 million customers. At the time of writing, Medibank have openly refused to pay and therefore, the threat group responsible have posted data on the dark web including private medical information.
• 36 countries met for the Counter Ransomware Initiative. The conference formed the International Counter Ransomware Task Force (ICRTF), which will be led by Australia to disrupt global ransomware operations.
• Home Office Minister Clare O'Neil announced a joint operation between the Australian Police and Signals Directorate (Australia's Intelligence Service) against cyber-criminal syndicates.

The legislation is intended to remove any option of paying a ransom and encourage more victims to report such incidents.

However, there is a risk that victims will hide cyber incidents from the increased scrutiny. The movement also likely creates a new extortion method; should a victim pay their ransom they will have broken the law, something a threat actor can leverage for further payments.

There is also a realistic possibility that the legislation may have the unintended effect of driving ransom payments underground.

In early October, the Chief Security Officer for Uber was found guilty of criminal obstruction when he failed to report a cybersecurity incident and attempted to hide a ransom payment within a bug bounty payment (rewards paid to ethical hackers for disclosing security issues).

Tougher legislation could encourage future victims to find equally creative ways to escape ransom.

At this time, it is unclear whether the legislation will have the intended effect of reducing ransom payments and increasing reports of crime.

Australia are taking the toughest stance to ransomware compared to its peers, and its success will likely come down to how future victims and threat actors react to the shift in landscape.

The UK have not explicitly outlawed the payment of ransoms to cyber threat actors. In a similar model to the US, the UK has a list of sanctioned groups that entities may not engage with and doing so would be considered unlawful.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).