Australia considers ransomware payment ban, additional Medibank files leaked

The Australian government has said it is considering the introduction of legislation that would ban companies from paying ransom demands set by hackers in ransomware attacks.

In an interview on Australia’s ABC, home affairs minister Clare O’Neil said that there are “some really big policy questions that we’re going to need to think about and consult on, and we’re going to do that in the context of the cybersecurity strategy”.

When directly asked if the government could seek to bar companies from providing threat actors with ransom payments, O’Neil responded “that’s correct”.

O'Neil's comments come in the wake of a series of high-profile cyber attacks on Australian private sector businesses that left millions of its citizens' records exposed.

Medibank is the latest of eight high-profile Australian firms to be hit by ransomware attacks, having disclosed on 19 October that it had been hit by a cyber attack now believed to have affected 9.7 million past and present customers.

Other attacks include one against telco giant Optus, affecting 10 million Australians, and a service used by the Australian Department of Defence.

The REvil ransomware group has claimed responsibility for the Medibank attack, posting stolen data on its leak blog in numerous stages. Records belonging to an additional 500 Medibank customers were posted on 13 November, including their names, addresses, email addresses, and unique customer numbers.

In a post on the REvil blog, the group taunted Medibank, stating “we warned you, we always keep our word, if we wouldn't receive a ransom - we should post this data, because nobody will believe us in the future.” In the same post, it was announced that the next batch of data will be posted on Friday.

When it first reported the attack, Medibank indicated that it was negotiating with the hackers behind the attack, while trying to ascertain if data had been stolen.

However, since establishing the scale of the breach, the firm has refused to make a ransom payment to the group behind the attack, stating that cyber security experts have said it is unlikely that the threat actor would remain true to their word in returning unpublished data.

The REvil group has long been a threat to businesses, and has claimed attacks against Kaseya, and August's attack on the Midea Group. It was the subject of a series of mass arrests in November 2021 carried out by the US Department of Justice, Interpol, Europol, and authorities from Romania alongside 17 other countries, after which its activity seemingly shut down before resuming activity in mid 2022.

Along with the medical data that it is threatening to continue posting, REvil claimed to have access to “source codes, list of stuff, and some files obtained from medi filesystem from different hosts”. Along with Medibank customers, the attack is believed to have affected customers of Medibank’s subsidiary Ahm, as well as a number of international customers.

What action can the Australian government take?

“The Medibank breach has taken Australia by storm, so it is not surprising the government is analysing how to handle cyber incidents moving forward, but isolated knee-jerk responses will only make the problem worse,” said Jordan Schroeder, managing CISO at security service Barrier Networks.

“Banning ransomware payments would be a move to make attacks on Australian organisations less attractive to cyber criminals, but it won’t stop them entirely. Attacks will still occur and in these situations, companies would have absolutely no chance of recovery, which will potentially cost more than a ransom demand.

“Furthermore, making ransomware payments illegal in one jurisdiction could push the payment of ransomware underground, which will hide these crimes and make coordinated responses with law enforcement difficult, or it could even force companies to use third parties in other jurisdictions to make payments on their behalf, which will not solve the problem.

“A better focus for the Australian government just now could be on equipping organisations with better defences against ransomware. This would include raising awareness around cybercrime techniques and introducing legislation on minimum cybersecurity requirements for businesses.”

Following the attacks, the Australian government has also formed a task force, composed of officers from both the AFP and the Australian Signals Directorate (ASD), the federal agency responsible for intercepting and extracting information from foreign electronic communications. This will hunt cyber criminals on a permanent basis.

Additionally, the maximum data breach penalty will be increased for repeated or serious privacy breaches in Australia. The former ceiling of AU$2.2 million will rise to the greatest of $50 million (AUD), three times the value of benefits obtained through the improper use of data, or 30% of an accused company’s adjusted turnover across a defined period.

Data breaches should be prevented as a matter of course within companies as a result of proper data protection policies and procedures, rather than simply to avoid fines. In addition to the legal and ethical ramifications of improper data handling, processing, or disposal, companies that engage in bad practice will incur a great deal of reputational damage.