The Times Australia
The Times World News

.

Australia is considering a ban on cyber ransom payments, but it could backfire. Here's another idea

  • Written by Jeffrey Foster, Associate Professor in Cyber Security Studies, Macquarie University
Australia is considering a ban on cyber ransom payments, but it could backfire. Here's another idea

First Optus, now Medibank; in less than two months we’ve experienced two of the largest personal data breaches in Australia’s history. In both cases the hackers attempted, and failed, to extort a ransom in exchange for not releasing personal data.

So far the Optus hackers have released only a small sample of data, and claim to have deleted the rest[1]. On the other hand, the Medibank hackers have released the records of more than one million people – and have threatened to release more data on Friday[2].

Read more: Medibank hackers are now releasing stolen data on the dark web. If you're affected, here's what you need to know[3]

With this looming threat, the Australian government is looking to bolster its cybersecurity defences — including through a taskforce set up to retaliate against[4] the Medibank hackers.

Minister for Cyber Security Clare O'Neil has said the government is also considering making ransom payments to cybercriminals illegal[5]. The idea has picked up steam – but would this cure be worse than the disease?

The response to the Medibank hack

The group behind the latest Medibank hack, currently being called “BlogXX”, has been linked to Russian cybercriminal organisations[6] by the Australian Federal Police. It has known links to the notorious REvil cyber gang[7] (which was dismantled by[8] Russia’s Federal Security Service in January).

Large-scale cybercriminal gangs are able to extort high ransom payments from their victims. During REvil’s arrest[9], authorities seized the equivalent of A$12.8 million in cash, $7 million in crytpocurrency and 20 luxury cars.

There are multiple ways to decrease the profitability of data breaches for criminal organisations. The first is to make hacks more difficult, making it more time-consuming for the hackers to break into computers.

This could be achieved by increasing fines for organisations that fail to follow best practices in cybersecurity – a privacy reform that[10] was recently introduced in Australia and has passed through the lower house.

A second potential solution is to make ransomware payments illegal in Australia. Under some circumstances, it may already be illegal[11] for Australian organisations to pay a ransom, such as if the payment funds further criminal or terrorist activity of groups under sanction by the United Nations.

However, the attribution of cyberattacks[12] is difficult, and it’s not always possible to know whether paying a particular group would be a crime. An organisation may pay a ransom, only to find out much later it has broken the law.

When banning ransom payments works

The idea of banning ransom payments isn’t new. In April, Nigeria criminalised ransom payments to kidnappers[13]. However, not paying kidnap ransoms in Nigeria has also resulted in deaths, which suggests this approach may end up punishing victims[14].

Still, survey results show citizens and cybersecurity experts are generally in favour of banning ransomware payments. In a recent survey of UK residents by security firm Talion[15], 78% of respondents from the general public supported a ban, as did 79% of cybersecurity professionals.

A ban on ransom payments could quickly reduce the profits racked up by criminal gangs targeting Australia.

In cases like the recent Optus and Medibank hacks, where the ransom was demanded to “not leak” sensitive information, banning ransom payments may be a good idea. It could take the burden of making a decision away from the organisation targeted, and mitigate the public’s judgment of that decision.

It would also reduce (but not entirely remove) the possibility of criminals receiving ransom payments – and therefore make their operations less profitable.

The problems with a ban

However, unlike the Optus and Medibank breaches, many ransoms are paid to unlock encrypted computers. Some ransomware attacks involve the hackers encrypting all of the computers, data and backups a company has. Failing to restore those data can, in many cases, cause the business to collapse.

In such instances, banning ransom payments may discourage organisations from declaring breaches. They may pay the ransom to be able to move on with business – even if it is a crime. Should this happen, it would reduce the overall transparency of reporting on breaches, and could lead to hackers blackmailing victims to not divulge the hack.

This particular concern has led the US Federal Bureau of Investigation to recommend to the US Senate Judiciary Committee to not ban all ransom payments[16].

For a ban on ransom payments to be effective, the penalties for paying the ransom would need to be more severe than the impact of the ransom itself. If the penalties are inadequate, organisations may simply pay the ransom and deal with the legal consequences so they can move on with normal operations.

An alternative solution

Cyberinsurance policies often provide reimbursement for ransomware payments. In fact, it’s a common tactic for cybercriminals to demand a ransom equivalent to the insurance reimbursement[17]. While this means the organisation suffers fewer losses, the cybercriminals still profit.

A more nuanced approach may be to ban cyberinsurance reimbursements for ransom payments, which would reduce the overall percentage of breaches that result in a payment. This could reduce profits for criminal gangs, while still allowing a company to salvage its operations under the worst-case scenarios.

The decision to ban or not to ban ransomware payments is complicated, and a blanket ban is likely to cause more problems than it fixes. We need change, but the best solution would be a case-by-case approach.

In the end, these kinds of cybercrimes are unlikely to be eradicated by any single policy change. They will require a wide range of policies, laws and regulations that each chip away at specific problems. If we do this, eventually the cost to criminals could outweigh the profits.

Read more: Budget 2022: $9.9 billion towards cyber security aims to make Australia a key 'offensive' cyber player[18]

References

  1. ^ deleted the rest (theconversation.com)
  2. ^ data on Friday (www.theguardian.com)
  3. ^ Medibank hackers are now releasing stolen data on the dark web. If you're affected, here's what you need to know (theconversation.com)
  4. ^ to retaliate against (www.sbs.com.au)
  5. ^ to cybercriminals illegal (au.finance.yahoo.com)
  6. ^ Russian cybercriminal organisations (www.abc.net.au)
  7. ^ REvil cyber gang (theconversation.com)
  8. ^ was dismantled by (www.bbc.com)
  9. ^ REvil’s arrest (www.bbc.com)
  10. ^ privacy reform that (www.theguardian.com)
  11. ^ already be illegal (www.homeaffairs.gov.au)
  12. ^ attribution of cyberattacks (www.wired.com)
  13. ^ ransom payments to kidnappers (www.aljazeera.com)
  14. ^ punishing victims (theconversation.com)
  15. ^ security firm Talion (talion.net)
  16. ^ ban all ransom payments (edition.cnn.com)
  17. ^ the insurance reimbursement (www.homeaffairs.gov.au)
  18. ^ Budget 2022: $9.9 billion towards cyber security aims to make Australia a key 'offensive' cyber player (theconversation.com)

Read more https://theconversation.com/australia-is-considering-a-ban-on-cyber-ransom-payments-but-it-could-backfire-heres-another-idea-194516

Times Magazine

Headless CMS in Digital Twins and 3D Product Experiences

Image by freepik As the metaverse becomes more advanced and accessible, it's clear that multiple sectors will use digital twins and 3D product experiences to visualize, connect, and streamline efforts better. A digital twin is a virtual replica of ...

The Decline of Hyper-Casual: How Mid-Core Mobile Games Took Over in 2025

In recent years, the mobile gaming landscape has undergone a significant transformation, with mid-core mobile games emerging as the dominant force in app stores by 2025. This shift is underpinned by changing user habits and evolving monetization tr...

Understanding ITIL 4 and PRINCE2 Project Management Synergy

Key Highlights ITIL 4 focuses on IT service management, emphasising continual improvement and value creation through modern digital transformation approaches. PRINCE2 project management supports systematic planning and execution of projects wit...

What AI Adoption Means for the Future of Workplace Risk Management

Image by freepik As industrial operations become more complex and fast-paced, the risks faced by workers and employers alike continue to grow. Traditional safety models—reliant on manual oversight, reactive investigations, and standardised checklist...

From Beach Bops to Alpine Anthems: Your Sonos Survival Guide for a Long Weekend Escape

Alright, fellow adventurers and relaxation enthusiasts! So, you've packed your bags, charged your devices, and mentally prepared for that glorious King's Birthday long weekend. But hold on, are you really ready? Because a true long weekend warrior kn...

Effective Commercial Pest Control Solutions for a Safer Workplace

Keeping a workplace clean, safe, and free from pests is essential for maintaining productivity, protecting employee health, and upholding a company's reputation. Pests pose health risks, can cause structural damage, and can lead to serious legal an...

The Times Features

Duke of Dural to Get Rooftop Bar as New Owners Invest in Venue Upgrade

The Duke of Dural, in Sydney’s north-west, is set for a major uplift under new ownership, following its acquisition by hospitality group Good Beer Company this week. Led by resp...

Prefab’s Second Life: Why Australia’s Backyard Boom Needs a Circular Makeover

The humble granny flat is being reimagined not just as a fix for housing shortages, but as a cornerstone of circular, factory-built architecture. But are our systems ready to s...

Melbourne’s Burglary Boom: Break-Ins Surge Nearly 25%

Victorian homeowners are being warned to act now, as rising break-ins and falling arrest rates paint a worrying picture for suburban safety. Melbourne residents are facing an ...

Exploring the Curriculum at a Modern Junior School in Melbourne

Key Highlights The curriculum at junior schools emphasises whole-person development, catering to children’s physical, emotional, and intellectual needs. It ensures early year...

Distressed by all the bad news? Here’s how to stay informed but still look after yourself

If you’re feeling like the news is particularly bad at the moment, you’re not alone. But many of us can’t look away – and don’t want to. Engaging with news can help us make ...

The Role of Your GP in Creating a Chronic Disease Management Plan That Works

Living with a long-term condition, whether that is diabetes, asthma, arthritis or heart disease, means making hundreds of small decisions every day. You plan your diet against m...