Cyber extortion payments arise when there is a ransomware attack — when malware has been released in a computer and/or an actor has stolen private information, explained Ms Tan.

The “threat actor” then orders a ransom payment in order for the data to be released, she said.

Ms Tan highlighted that governments around the world are taking a stance on companies and individuals agreeing to pay a ransom.

“What the governments are afraid of is that by paying, you are fuelling this industry because you are giving the threat actors what they have been asking for,” she explained. 

“Once they get financial gain, that is what allows them to continue to operate.”

“The hope is they can remove the incentives for ransomware attacks and cyber extortion.”

This strategy is seen as “the most direct way that the government can influence the returns received by ransomware criminal gangs for targeting Australian organisations”, she noted.

VIEW ALL

This is because “it’s so hard to prosecute these cyber criminals”, she noted, “it’s often difficult to locate the perpetrator — they might be in another jurisdiction, they might be underground, difficult to pin down, so it’s a difficult route to try to prosecute them”.

In Australia, it is not illegal to pay a cyber ransom, Ms Tan outlined, although the government’s position and the Australian Cyber Security Centre’s (ACSC) advice is don’t pay the ransom.

However, certain prohibitions on cyber ransom payments exist due to a suite of different laws, including anti-money laundering laws and the Counterterrorism Financing Act and also sanctions laws, both domestic and international.

“These laws come into play to prevent you from paying an extortion payment, particularly when you know the identity of the threat actor, for example, it’s a sanctioned entity, or it’s from a sanctioned country or the purpose of the use of the ransom payment is known,” she explained.

“For example, if you are aware that it’s an instrument of crime or you know it’s funding terrorism or money laundering.”

There also exist laws around the act of cyber extortion, yet there remains a gap in the law for paying cyber ransom, Ms Tan commented.

“There is, at state and federal level, offence for extortion, and there are various links to you making a threat or demand of blackmailing you for property you possess,” she said, yet, “it’s not tailored to the cyber situation we’re facing at the moment”.

However, Ms Tan continued, the situation is fraught with risk when an organisation chooses not to pay.

If an organisation’s policy is never to pay, they may need to deal with the consequences of not paying — and the consequences can be drastic, she noted.

Ms Tan highlighted two examples of where the consequences of not paying were exceptionally drastic. 

In 2019, in the US, she outlined, there was a hospital that suffered a ransomware attack that caused the entire IT system to go down, which resulted in the prevention of fatal heart rate monitoring. This led to the death of a baby, and litigation commenced by the mother. Another case — the BlackCat ransomware attack — stole data from a Pennsylvania healthcare facility and sensitive photos of breast cancer patients disrobed.

The facility decided not to pay, and the photos were leaked, which was devastating for the patients.

“If your policy is not to pay, then you need to deal with the consequences of it, one of them being possible class actions,” Ms Tan highlighted.