Information security and industry experts reacted below to the news that the Australian government is looking at outlawing ransomware payments to hackers.
The proposal from the Australian government on banning ransomware payments is sound as it’d hit ransomware operators where it hurts – their wallets. We surveyed 1500 security professionals last year – including over 300 UK respondents – to find out their attitude towards paying ransoms. Over a third of UK respondents (37%) would pay a ransom if compromised, which is in line with the global figure (also 37%). However, 62% in the UK said they’d pay a ransom if they had to publicly admit it, above the global average of 57%. This suggests that such laws impact decisions on whether or not to pay ransoms.
However, the harsh reality is that even if businesses pay ransoms, there is no guarantee that their data will be returned as hackers are increasingly following through with extortion threats regardless. 35% of ransomware victims who paid the ransom were unable to recover their data, and 18% of ransomware victims who paid the ransom had their data exposed on the dark web. Paying ransoms is clearly no longer the fail-safe it once was, so businesses should use this proposed law as a wake-up call to address the problem at its root and strengthen their security posture.
It’s also worth bearing in mind that if ransom payments are banned, this won’t end cybercrime, as it will force threat actors to change their tactics. Ransomware gangs target other locations without regulations in place, or they may try alternative methods of generating revenue. Selling stolen machine identities, such as code-signing certificates, is a potential pivot. We’ve seen these sell for significant value on the dark web, and threat groups like Lapsus$ regularly use them to carry out devastating attacks.
This is pretty intriguing that the Australian government would be so bold as to try and ban ransomware payments. I think if they understood the fundamentals of crypto (at least bitcoin), they would find that they decidedly can’t ban it or stop any payments. The only way a company would get caught paying a ransom is if they reached out to the government for help, so this would encourage companies to share even less about breaches with governments.
If a company decides to just take the government’s advice of “just don’t pay it”, then the company would be forced into a position where, as soon as they are breached, they need to comply with the governing data privacy laws within their strict timetables for disclosure to the public, or face fines that rival the ransom amount itself. This is why paying the ransom will always hold some appeal to organizations, as they can keep the breach quiet by paying the ransom and “sweeping it under the rug” to prevent knowledge of the breach.
If organizations are effectively banned from paying ransoms, then the criminals would be forced to “call their bluff” and publish the hacked data on leak sites on the dark web.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest information security news and topics.