This report has been created following recent comments made by Australian Minister for Home Affairs and Cyber Security, Clare O’Neil, that, due to continual increases in ransomware attacks, the Australian government is now exploring options to ban companies from making ransom payments. 1 2
Based on these comments, this report sets out to examine three key questions:
1. If legislation to ban ransomware payments was introduced globally, what impact would this have on organisations?
2. How could governments effectively enforce such legislation?
3. How would the Ransomware as a Service (RaaS) market react and adapt to such legislation?
Throughout 2022, ransomware attacks continued to have significant impacts on organisations. While Australia observed a sharp rise in cyber-attacks and damaging data breaches, several major ransomware attacks were observed targeting a multitude of sectors globally.3 This section summarises some of the most significant ransomware attacks observed in 2022.
• On 08 May 2022, Costa Rica declared a state of national emergency due to ongoing cyber-attacks against its government agencies.4 The attacks, conducted by the Conti ransomware group, compromised multiple government agencies, severely impacting the nation’s foreign trade by disrupting its customs and taxes platforms. Data stolen in the attacks appeared on Conti’s data leak site after the government failed to pay a ransom demand of USD 10 million.
• On 06 July 2022, security software giant Entrust published a statement detailing a significant ransomware attack by LockBit. Entrust stated that the threat actor had gained unauthorised access to certain systems used for internal operations.5 Following a breakdown in negotiations between the victim and LockBit, data stolen in the attack was published on the dark web. The leak included a series of screenshots of sensitive internal documents as well as a file directory with 703 folders, including data related to Entrust clients.
• On 13 October 2022, Australian health insurer Medibank suffered a major cyber-attack. Although Medibank identified and shut down the backdoors which were being used by the attackers to exfiltrate the data, 200GB was reportedly lost. This attack culminated in Medibank being listed to the Tor-based leak site of a group known as BlogXX. Interestingly, the leak site was previously used by the infamous REvil ransomware group. Following a refusal to pay the reported USD 10 million ransom demand, all stolen data was published to the dark web, containing 9.7 million customer records, including sensitive healthcare data.
• On 31 October 2022, LockBit announced it had attacked the French multinational high-tech electronics manufacturer, Thales.7 The attack led to the leakage of 10GB of sensitive data to the Tor-based leak site of LockBit ransomware, likely following a refusal to pay the demanded ransom. This attack, as seen with the LockBit attack against Entrust, signifies the intent by ransomware actors to compromise organisations with a significant global client base and supply chain.
Ransomware is one of the most significant cyber threats facing organisations today. Since the mid-2000s, ransomware attacks have become increasingly widespread and audacious. Using a range of sophisticated techniques and attack vectors, ransomware groups are routinely inflicting considerable damage, both financially and reputationally. Companies worldwide are targeted, with victims spanning all industry verticals.
While it is near-impossible to calculate the overall cost of ransomware attacks globally, a report published in 2022 estimated the annual cost to business exceeded USD 20 billion, with observed attacks doubling in comparison to the previous year. 7 8 The deluge of attacks and the extent of their real-world impact is aided by continuous development of tooling and infrastructure, expanding ransomware groups’ capability, and increasing their ability to financially benefit from attacks.
Key trends include:
Ransomware-as-a-service (RaaS) – A commonly employed business model for modern ransomware groups. This model offers a platform or service to conduct ransomware attacks by providing the malware, infrastructure and technical support to affiliates who conduct ransomware attacks on behalf of a group. Affiliates then pay a portion of any ransom payments collected from the victim to the developers. This symbiotic relationship has proven highly lucrative for all involved. The introduction of the RaaS model has significantly lowered the barrier to entry for would-be attackers and has without doubt driven the recent surge in ransomware attacks.
Extortion Techniques – As ransomware has developed, extortion techniques leveraged by threat actors have also evolved:
• Extortion only: An extortion-only attack is conducted by threat actors attacking a target network with the sole aim of exfiltrating sensitive files which can be used to extort a victim into paying a ransom. Unlike double and triple extortion attacks, files are not encrypted on the victim network.
• Double extortion: In a double extortion attack, threat actors encrypt a victim’s files while simultaneously threatening to expose data exfiltrated from the victim’s network. Through this technique, ransomware actors apply additional pressure to the victim with the threat of significant reputational damage caused by exposure of sensitive data. In cases where a significant amount of client or supply chain data is exfiltrated from the victim’s network, this potential data exposure greatly increases the likelihood of successful ransom negotiations and payments for attackers.
• Triple extortion: Beyond merely encrypting and exfiltrating data from their victims, ransomware groups are also now increasingly adopting triple extortion techniques that see them attempt to apply further pressure to the victim.9 This technique works by the threat actor approaching the victim's clients or supply chain and threatening to release data that may be relevant or sensitive to them as a way of forcing payment of the ransom, or through implementing features into their leak sites that allow them to start selling stolen data whilst negotiations are still ongoing.
Supply chain attacks – An increasingly common attack vector for ransomware groups, where organisations are compromised via an intrusion within their supply chain. The REvil ransomware attack on managed service provider Kaseya was a widely publicised example: in July 2021, REvil ransomware operators compromised Kaseya VSA servers. This attack led to the compromise of data from over 1,500 of Kaseya’s managed service clients, resulting in ransom demands totalling USD 70 million. 10
Initial Access market – Alongside the increasing ransomware threat, the initial access market has expanded year on year, fuelling and facilitating cyber-criminal activity. 11 Initial Access Brokers (IABs) and hackers alike profit from cultivating access into companies’ networks, which is then bought and exploited by threat actors and ransomware groups. In some cases, it is assessed that successful IABs work on retainer for ransomware gangs.
In the face of the increasing threat posed by ransomware attacks, collaboration between governments, the cybersecurity industry, and victim organisations is crucial. A comprehensive approach that includes legislative action and data protection measures is essential for effectively combatting the ransomware threat.
In the European Union (EU) the General Data Protection Regulation (GDPR) requires companies that suffer data breaches, including ransomware attacks, to report such events to relevant authorities within 72 hours. 12 This legal act also requires businesses to implement appropriate measures both technically and operationally to protect against data breaches, such as those caused by ransomware attacks. Since leaving the EU, the United Kingdom (UK) has incorporated these principles into UK law through the enactment of UK GDPR, which directly mirrors the EU guidelines. 13
In January 2023, the EU Digital Operational Resilience Act (DORA) and the updated Network Information Security Directive (NIS2) entered into force. DORA is a regulatory framework aimed at ensuring all financial entities and third-party suppliers can withstand, respond to, and recover from cyber-related disruptions. 14 DORA also emphasises the use of cyber threat intelligence sharing among financial entities and will require financial entities to undergo threat-led penetration testing. 15 Like DORA, NIS2 aims to improve resilience and incident response capabilities of both public and private sector organisations identified as critical to the well-functioning of society.16
Another piece of legislation worth mentioning is the upcoming EU Cyber Resilience Act (CRA), as proposed by the European Commission in September 2022. At the core of the CRA is the requirement that manufacturers consider cybersecurity from the design and development phase of a digital product, by using secure-by-default configurations and avoiding known exploitable vulnerabilities. Once it enters into force, manufacturers, distributors and importers will be required to notify ENISA within 24 hours if a security vulnerability in one of their products is exploited. 17
At a national level, several countries have invested in joint industry and government initiatives to increase situational awareness of cyber threats, including ransomware, and to reduce the impact of attacks.
• In the UK, the National Cyber Security Centre (NCSC) develops and promotes recognised standards for cyber security and offers detailed guidance on how to protect against ransomware intrusions.18 It works alongside law enforcement entities to arrest perpetrators and disrupt ransomware operations.
• The United States (US) Cybersecurity and Infrastructure Security Agency (CISA) has played a similar role to its UK counterpart, consistently producing reports on ransomware activity with a view to protecting individuals and organisations. CISA works in tandem with US federal agencies and international law enforcement to disrupt and arrest actors linked to ransomware activity.
• In Europe, the European Union Agency for Cybersecurity (ENISA) contributes to the EU’s cyber policy and aims to boost the resilience of EU infrastructure, as well as producing reporting to raise awareness on cyber-attacks, such as ransomware.19
In addition to industry initiatives, we are also now seeing governments opt for a more offensive posture to combat ransomware.
• On 08 November 2021, the US Department of Justice announced via a press release charges against Ukrainian national Yaroslav Vasinskyi in association with the July 2021 Kaseya supply chain attack conducted by REvil ransomware. The US Cyber Command also announced it had diverted traffic around servers being used by the Russia-based REvil ransomware group. 20
• On 02 November 2022, the Minister for Home Affairs and Cyber Security, Clare O’Neil, announced Australia would chair the International Counter Ransomware Task Force (ICRTF).21 The ICRTF’s operations are intended to enhance collaboration between its members (36 states and the EU), and between its members and key private sector partners, to combat the increasing ransomware threat. The task force, which officially began operations on 23 January 2023, aims to build cross-border resilience and collectively disrupt and defend against malicious cyber actors. 22 23 24
• On 26 January 2023, the US Department of Justice released a public statement following the seizure of the Hive ransomware data leak site.25 The release stated that the joint operation was part of a months-long disruption campaign against the ransomware group’s computer network that started in July 2022, and detailed how these efforts had prevented a total of USD 130 million in ransom demands by issuing decryption keys to victims. Of the resources seized, the FBI claims to have collected Hive communication records, malware file hashes and information on 250 Hive affiliates. Additionally, the US Department of State used Twitter to publicly offer up to USD 10 million for information that could help link the Hive ransomware group to foreign state-sponsored activity used to target US critical infrastructure. 26
In order to recover illicit ransom payments, some governments have started to sanction cryptocurrency exchanges. For example, in September 2021, the US announced sanctions against cryptocurrency exchange Suex following accusations that it was enabling illegal payments from ransomware attacks. 27 Increased vigilance and regulation of cryptocurrency transactions and exchanges linked to illicit activity, including ransomware, is almost certainly a key objective for all governments taking a serious approach to tackling the spread of ransomware.
Recently, several further steps have been taken to regulate and crack down on illicit cryptocurrency transactions. In December 2022, the EU announced that anti-money laundering and combating the financing of terrorism (AML/CFT) rules will be extended to the entire crypto sector, obliging all crypto-asset service providers (CASPs) to conduct due diligence on their customers. In January 2023, the founder of the Hong Kong-based cryptocurrency exchange Bitzlato, Anatoly Legkodymov, was arrested and charged by the US Department of Justice. French authorities working with Europol seized and dismantled Bitzlato's digital infrastructure following an investigation which observed USD 9 million of transactions linked to ransomware payments.28
Whilst not a direct action to combat ransomware, many businesses have now chosen to include ransomware cover in their cyber insurance policies. These policies often include access to a dedicated incident response (IR) team, supplemented by the option to negotiate and pay ransoms demanded by attackers. However, this safety net is not all-encompassing. As with most insurance policies, brokers are reluctant to make payments if the losses stemming from a cyber-attack are not easily quantifiable. Such policies also require the organisation to maintain standards of cyber security hygiene which, if not adhered to, may result in the insurer refusing to pay. Insurance providers often refuse to pay for consequential losses, including reduced earnings and reputational damage, which are arguably the most impactful outcomes of a ransomware attack.
Despite the benefits ransomware policies bring to organisations, the financial impacts of attacks are continuing to rise, causing an increase in insurance premiums. Due to this, it is now more likely than ever that organisations may opt to accept the risk posed by ransomware when faced with having to pay a significant annual premium.
The following analysis considers the adoption of legislation banning ransomware payments by Western countries.
To explore the concept of legislation that would make paying a ransom illegal, it is important to consider both the positive and negative impacts of such a law. This section will address the following questions:
• What impact would this legislation have on organisations?
• How would governments effectively enforce such legislation?
• How would the RaaS market react and adapt to such legislation?
Legislation prohibiting the payment of ransoms to cyber-criminals would almost certainly elicit some positive outcomes, particularly in the short-term.
Revenue accrued by ransomware groups targeting entities in those nations that had implemented such legislation would likely reduce dramatically in the short to medium term. Companies that may have previously opted to pay a ransom would be more likely to comply with the legal ban to avoid regulatory or law enforcement scrutiny. These impacts would also affect the initial access market, which profits from the RaaS model.
It is assessed as highly likely that, were national legislation passed, ransomware groups would shift targeting to nations where legislation did not outlaw payments; however, an inability to earn at current levels from targeting Western organisations would have significant financial impacts for all criminal entities involved in this activity.
Most ransomware payments are made in cryptocurrency via a blockchain. The difficulty and costs associated with tracing crypto assets are likely to create enforcement difficulties for both public and private enforcement bodies. There is also the historically low regulatory burden on cryptocurrency exchanges to consider: not only do such exchanges hold limited personal data, but threat actors may also simply pivot to a new coin or exchange to circumvent any new regulations.
Recently, however, several steps have been taken to regulate and crack down on illicit cryptocurrency transactions. These actions include the previously mentioned anti-money laundering and combating the financing of terrorism (AML/CFT) rules and the seizure of illicit cryptocurrency exchanges.
Overall, successful implementation and enforcement of a ban on ransomware payments would likely prove a significant challenge for governments. Despite advancements in regulation and law enforcement activity linked to cryptocurrency transactions, there is still a significant lack of oversight when it comes to ransomware payments. Consequently, implementing legislation to prohibit ransom payments without suitable regulatory frameworks to trace and distinguish illegal cryptocurrency transactions would pose a formidable task for governments in their enforcement efforts.
Hackers and ransomware groups continually demonstrate the capability to adapt to advancements in technology and law enforcement efforts. This observed pattern will almost certainly extend to a ban on ransomware payments.
One of the more obvious potential pivots by ransomware groups would be to abandon the ransomware model entirely and begin to conduct attacks purely to exfiltrate data to either extort a victim or sell to the highest bidder. They may also revert to ‘direct theft’ operations where they divert payments from company accounts and payment systems. This would allow groups to continue to conduct attacks without ever deploying ransomware and/or asking for a ransom, bypassing any new legislation completely. 29
Alternatively, ransomware groups with appropriate finances and infrastructure may simply shift targeting into geographies where legislation to ban ransomware payments does not exist. Companies within these geographies that are not subject to regulatory scrutiny are much more likely to be attacked by ransomware groups.
To compensate for revenue loss resulting from this anti-ransom-payment legislation, it is possible that ransomware groups may increase attack volume and target a greater number of smaller organisations instead.
There is also a realistic possibility that ransomware groups would stop publicly announcing breaches prior to negotiations, and instead contact companies directly to attempt to negotiate a ransom. This approach raises the potential for a new form of double extortion whereby breached organisations are threatened with exposure following any potential illicit payment.30 In this scenario, banning ransomware payments would be detrimental as ransomware groups’ activities would be forced further underground. While the new legislation may reduce financial income for the groups, the significant reduction in transparency of their activities may indeed work in their favour as trends such as targeting and modus operandi will become harder to track for defenders and law enforcement.
It is reasonable to conclude that, while banning ransomware payments may have an impact on the effectiveness of ransomware groups’ operations, the implementation and enforcement of such a law would be a challenge for governments to achieve. While further legislation intended to combat ransomware may lead to an overall reduction in attacks, monitoring and enforcement remains the real challenge. To support this action, alternative methods for effectively combatting ransomware should also be considered.
Based on recent evidence, one viable solution would be the continuation of offensive action against infrastructure and networks used by ransomware operators, limiting their ability to stage and conduct attacks. Law enforcement and the judicial system should continue to take a strong stance against cybercriminals by shutting down their infrastructure, pursuing their illegal funds, and recognising that a coordinated effort across multiple jurisdictions is necessary. Additionally, such actions could lead to the arrest and imprisonment of individuals linked to ransomware distribution; however, with a vast majority of threat actors residing in hostile states such as Russia, extradition may prove difficult.
Similarly, increased regulation of cryptocurrency and cryptocurrency exchanges would highly likely help to reduce the profitability of ransomware attacks. While this would be a long-term solution requiring significant international coordination, it would increase transparency of transactions and degrade ransomware groups’ ability to launder proceeds from their attacks. Governments would also be better able to monitor and regulate the flow of cryptocurrency, which in turn would limit threat actor opportunities to receive and retain funds to reinvest into future attacks. Further to this, governments should implement or enhance existing legislation for data protection, cyber resilience, crypto assets regulation, anti-money laundering and terrorist financing to combat ransomware.
Increased information sharing and coordination between countries and businesses is also vital to stem the flow of ransomware attacks. Intelligence sharing initiatives to identify and track ransomware groups, sharing of intelligence by victims, and joint law enforcement actions will prove pivotal in degrading the success of ransomware operations. Due to the global reach of ransomware, increased information sharing and coordination are more important than ever to enhance the effectiveness of ransomware mitigation efforts.
In summary, while banning ransom payments would almost certainly be beneficial to organisations that fall victim to attacks, based on the aforementioned difficulties associated with implementation and enforcement, such legal action may not be the optimal solution at this time. Another issue is the proven capability and intent by threat actors to develop and adapt to law enforcement changes, suggesting that ransomware attacks would continue even if a ban were to be implemented. Nevertheless, the ongoing discussion around combatting ransomware is an encouraging signal for the future of the global cyber threat landscape. It may be that, in the long term, a ban will prove to be an effective solution if implemented alongside the alternative actions covered in this report.