Australia Mandates Reporting of Ransomware Payments by Victims

Australia has become the first country globally to require victims of ransomware attacks to report any extortion payments made to cybercriminals. This new law, introduced on Friday, targets organizations with an annual turnover exceeding AUS $3 million (approximately $1.93 million) and certain entities operating within critical infrastructure sectors. The legislation is anticipated to affect around 6.5% of registered businesses in Australia, encompassing nearly half of the nation’s economy.

Victims are required to inform the Australian Signals Directorate (ASD) of any payments made within a 72-hour window. Noncompliance could lead to severe penalties, with offenders facing fines of up to 60 penalty units under Australia’s civil penalty regime. The government has stated that it will prioritize “egregious” violations while initially seeking a more collaborative approach with victims, transitioning to stricter enforcement mechanisms by the start of next year.

The mandatory reporting system is strategically designed to enhance the ASD’s understanding of the ongoing ransomware threats, as officials expressed concerns over the previously underreported nature of these cyber incidents. Government reports indicate that as few as one in five ransomware victims currently disclose their attacks, significantly obscuring the overall economic and social impacts of these crimes within Australia.

This legislative framework follows a surge in cyberattacks against prominent Australian businesses, such as Optus, Medibank, and MediSecure. Meanwhile, discussions are also underway in the United Kingdom regarding similar bans on extortion payments for public sector bodies.

Experts, including Jeff Wichman from Semperis, caution that while this mandatory reporting could provide authorities with valuable data about attacks, it is unlikely to deter cybercriminals. He noted that companies often prioritize quick payments to recover their data, irrespective of legislative measures. Over 70% of surveyed firms report making payments after ransomware incidents.

Despite recent indications from Chainalysis of a global decline in ransomware payments, industry insiders remain skeptical about the efficacy of regulatory measures alone in combating the issue. Wichman opined that organizational resilience and enhanced law enforcement action against cybercriminals are crucial for effectively addressing ransomware threats.