Australia’s Response to the Rise of Ransomware


Australia's Ransomware Action Plan

On October 13, the Australian Government released its Ransomware Action Plan, which identifies initiatives to address the rise of ransomware across the key themes of prepare and prevent, respond and recover, and disrupt and deter. This Action Plan sits alongside the Australian Government’s 2020 Cyber Security Strategy, which saw a record investment of more than AU$1.6 billion committed to cyber security over 10 years.

Ransomware on the Rise

The Ransomware Action Plan is a welcome measure to combat the rise of ransomware, which has grown from a cybercrime nuisance to a national security, economic and public safety risk.

The severity of ransomware has been highlighted by global events, including the shutdown of a major U.S. pipeline following an attack by one of the most prolific cyber extortion gangs. Data from the Palo Alto Networks Unit 42 threat intelligence team demonstrates just how rapidly the cost of these attacks is growing. From 2015 to 2019, the highest ransomware demand was $15 million. In 2020, this doubled to $30 million, and the highest ransomware demand the Unit 42 incident response team has seen this year was $50 million.

Adversary tactics are also becoming increasingly egregious with ransomware actors taking advantage of the COVID-19 pandemic, preying on healthcare organizations and other critical sectors with brazen attacks on operations crucial for saving lives. Attacks also targeted school districts, local governments, hospitals, manufacturing and critical infrastructure, like the pipeline operator.

Australia is not immune from this threat. In the 2020–21 financial year, the Australian Cyber Security Centre (ACSC) recorded a 15 percent increase in ransomware cybercrime reports. This increase is said to be associated with an increasing willingness of criminals to extort money from particularly vulnerable and critical elements of Australian society.

Prevention Is the First Step

Australia’s Ransomware Action Plan pursues a multi-pronged approach to combat ransomware, which is not only focused on helping organizations respond to ransomware attacks, but is also helping them better prepare for and prevent these attacks.

As the Ransomware Action Plan notes, “preparation and prevention are at the forefront of managing the risk of ransomware attacks.” To that end, the Australian Government has committed to providing advice for Australian businesses and supporting initiatives to actively prevent known malicious cyber threats from reaching Australian consumers and businesses.

We would encourage the Australian Government, as part of its preventative measures, to develop a framework for ransomware prevention in collaboration with international partners and the private sector. This is something that the international Ransomware Task Force (RTF), a 60+ organization public-private coalition launched in Washington DC in December 2020 (of which Palo Alto Networks is a co-chair), recommended to the U.S. Government in its April 2021 report. Such a framework should highlight the security capabilities and best practices that, if adopted, would most significantly help organizations harden their posture against the rise of ransomware attacks. It should also consider the role of new and emerging technologies to more effectively prevent ransomware attacks.

Similarly, preventative measures can only be effective if organizations holistically understand their vulnerability landscape. No sector or industry vertical is immune to ransomware attacks. Governments are rightfully looking for ways to increase economy-wide resilience, as we have seen in Australia with the July 2021 release of the Government’s paper, Strengthening Australia’s Cyber Security Regulations and Incentives Discussion. As laws and regulations are considered, we should first take an accurate inventory of the size of our digital attack surface and where we’re most vulnerable. Since we “can’t see what we can’t see,” it’s imperative we use all available tools to gain visibility from the attacker's perspective. To keep pace with the speed of the ransomware threat, security technologies need to leverage automation and advanced analytics to flag modifications to files and automatically prevent the ransomware encryption process. Existing and emerging technologies include Endpoint or Extended Detection and Response (EDR/XDR) with automated behavioral analytics, fileless protections and deceptive technologies that stage objects as decoys. All of these are under-utilized and effective tools for ransomware prevention.

Deploying Government Tools to Disrupt and Deter

As Australia’s Ransomware Action Plan notes, the Government will continue to leverage all instruments of national power to combat the ransomware threat and raise consequences for attackers. We welcome the Ransomware Action Plan's focus on modernizing Australia’s laws to ensure law enforcement is able to investigate, prosecute and reduce the financial incentives of further attacks by tackling cryptocurrency transactions associated with the proceeds of ransomware crimes.

We also note that international cooperation is key in tackling ransomware and cybercrime more broadly. Cybercrime traverses traditional nation-state boundaries, with victims and perpetrators frequently located in multiple jurisdictions. As a result, combating cybercrime often relies on strong cyber threat intelligence sharing, as well as international cooperation and mutual assistance across law enforcement agencies of numerous countries. We support the Ransomware Action Plan’s focus on joint operations with international counterparts to strengthen shared capabilities to detect, investigate, disrupt and prosecute malicious cyber actors.

Alignment of Incident Reporting Requirements

The Ransomware Action Plan notes that the Australian Government intends to create a mandatory reporting regime, which would require businesses with an annual turnover of more than AU$10 million to report when they are hit by a ransomware attack. We appreciate that better reporting of cyber incidents, including those that might be related to ransomware attacks, can help establish a clearer national picture of the cyber threat landscape. In turn, this can enable appropriate responses and investments from both Government and industry.

We would encourage any incident reporting regime established per this Ransomware Action Plan to have timelines that align with global best practices. The required timelines should be commensurate with incident severity levels, but allow for at least a 72-hour reporting window after an entity has confirmed there has been an incident. Anything shorter is unnecessarily brief and injects additional complexity at a time when entities are more appropriately focused on the difficult task of understanding, responding to and remediating a cyber incident. Shorter timelines also greatly increase the likelihood that the entity will report inaccurate or inadequately contextualized information that will not be helpful, and can potentially be harmful by undermining cybersecurity response and remediation efforts.

It will also be important that any ransomware incident reporting requirements align with other reporting requirements already levied on industry, for example those under the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and the notifiable data breaches requirements under the Privacy Act 1988. To avoid confusion and create efficiencies, these reporting obligations should be aligned so that industry can report all cyber-related incidents to one Government agency, leveraging the same format where possible.

Time for a National Clean Pipes Strategy

The Ransomware Action Plan emphasizes the need to prepare for and prevent ransomware. The Australian Government has flagged that they will take action to become a hardened target for criminals seeking to disrupt and profit from Australian businesses and individuals. As part of these measures, we would encourage the Australian Government to adopt a national “clean pipes policy” to stop the economic loss associated with cybercrime and the impacts of a widespread cyberattack. The 2020 Cyber Security Strategy noted the importance of businesses, particularly telecommunications providers, automatically blocking known malicious threats to protect Australians and Australian businesses at speed and scale. The adoption of a national clean pipes policy would help provide all Australian businesses and citizens with a level of protection from a range of cyber threats, including those that are conduits for ransomware attacks. We applaud the Australian Government for its October 2021 launch of the Australian Protective Domain Name Service (AUPDNS), a new service that allows the Government to block malicious web traffic. This is a welcome first step in improving Australia’s national resilience. At the same time, we believe additional steps are necessary for a more robust clean pipes approach to more fully protect the Australian economy by blocking threats at scale across all levels of our economy.

Public-Private Partnerships Are Key

Finally, we support the Ransomware Action Plan’s reference to the fact that “successful implementation of this Plan relies on close partnerships across industry and governments.” The operationalization of public-private partnerships will be key in combating the rising threat of ransomware.

Close collaboration between cybersecurity providers (who have robust threat intelligence about ransomware actors’ online activities) and cloud and telecommunications providers (whose infrastructure ransomware actors use to propagate attacks) is critical to disrupting successful ransomware attacks and imposing real costs on our adversaries.

The Australian Government may want to consider how it can build on and expand the ACSC Partnership Program to further operationalize public-private partnerships. For example, forums like DHS’s Joint Cyber Defense Collaborative — a new hub for public-private sector joint cyber defense operations — have the potential to provide a new model for threat sharing and operational disruption of ransomware actor operations.

Palo Alto Networks stands ready to support the Australian Government in delivering on this Ransomware Action Plan. As co-chair of the international Ransomware Task Force, Palo Alto Networks has demonstrated our commitment to supporting both policy and operational conversations with Governments around the world. We look forward to learning more about how industries can support this Ransomware Action Plan and working with the Australian Government to combat the rising threat of ransomware.