Policy report

Exfiltrate, encrypt, extort: the global rise of ransomware and Australia’s policy options

Computer software Computer networks Cyber-crime Cyber security National security Australia

As the COVID-19 pandemic has swept across the world, another less visible epidemic has occurred concurrently—a tsunami of cybercrime producing global losses totalling more than US$1 trillion. While cybercrime is huge in scale and diverse in form, there’s one type that presents a unique threat to businesses and governments the world over: ransomware.

Some of the most spectacular ransomware attacks have occurred offshore, but Australia hasn’t been immune. Over the past 18 months, major logistics company Toll Holdings Ltd has been hit twice; Nine Entertainment was brought to its knees by an attack that left the company struggling to televise news bulletins and produce newspapers; multiple health and aged-care providers across the country have been hit; and global meat supplies were affected after the Australian and international operations of the world’s largest meat producer, JBS Foods, were brought to a standstill. It’s likely that other organisations have also been hit but have kept it out of the public spotlight.

A current policy vacuum makes Australia an attractive market for these attacks, and ransomware is a problem that will only get worse unless a concerted and strategic domestic effort to thwart the attacks is developed. Developing a strategy now is essential. Not only are Australian organisations viewed as lucrative targets due to their often low cybersecurity posture, but they’re also seen as soft targets. The number of attacks will continue to grow unless urgent action is taken to reduce the incentives to target Australian companies and other entities.

This policy report addresses key areas in Australia where new policies and strategies and improved guidance are needed and also where better support for cybersecurity uplift can be achieved. The recommendations include arguments for greater clarity about the legality of ransomware payments, increased transparency when attacks do occur, the adoption of a mandatory reporting regime, expanding the official alert system of the Australian Cyber Security Centre (ACSC), focused education programs to improve the public’s and the business community’s understanding and, finally, incentivising cybersecurity uplift measures through tax, procurement and subsidy measures. The authors also recommend the establishment of a dedicated cross-departmental ransomware taskforce, which would include state and territory representatives, that would share threat intelligence and develop federal-level policy proposals to tackle ransomware nationally.

Publication Details
License type:
All Rights Reserved
Access Rights Type:
Policy Brief Report No.47/2021