According to the Office of the Australian Information Commissioner’s (OAIC) most recent Notifiable Data Breaches Report, ransomware attacks were the most reported cyber incident in the first half of 2023, surpassing compromised or stolen credentials by unknown means, which had been the most common cyberattack in the previous year. In just 6 months, over 53 ransomware attacks were reported to the OAIC, with roughly 206,862 individuals affected. This raises significant concerns, as ransomware attacks inflict both reputational damage and expenses on businesses and government organisations, generating billions in payments to cybercriminals each year.
This Insight provides a summary of factors that businesses need to consider in safeguarding themselves against ransomware attacks and outlines indicators to recognise if they have become targets of ransomware, or if they are susceptible to it.
Understanding ransomware
Ransomware is malware used to infiltrate an operating system and prevent the host from accessing their data until a ransom has been paid. It operates by locking or encrypting files and data, making them inaccessible. In more serious circumstances, the attacker may demand payment to prevent the data and intellectual property from being leaked or sold online. This makes the threat of ransomware both a national security and personal privacy issue.
Cybercriminals can spread this infectious malware through several methods including:
- malicious websites;
- attachments or links in emails;
- social media posts;
- message apps; and
- downloadable applications.
The primary motivating factor for the cybercriminals behind the attacks is financial gain. In Australia, ransomware incidents cost the economy an average of $2.59 billion per year, with individuals paying an average of $250,000 per cybersecurity incident.
Impact of ransomware
While financial gain is the key motivating factor, financial loss is only one of the impacts that ransomware attacks can have on their victims. The consequences of ransomware attacks include data loss, interruption to business activities, tarnished brand reputation, loss of customer trust and potential legal implications.
For example, when Medibank fell victim to a major data breach in 2022, 9.7 million current and former customers were affected, and the cybercriminals demanded a ransom of US$10 million to retrieve the information that was leaked. While Medibank refused to pay the ransom, the breach had a significant impact on the organisation’s operations and gave rise to regulators’ questions. Companies found to engage in serious and repeated interference with privacy could be subject to a fine of up to $50 million.
Identifying ransomware attacks
- What to look out for
Ransomware is a low-risk, high-reward income stream for cybercriminals as it is easy to develop and circulate, and it is repeatable. Cybercriminals will often rely on unsuspecting recipients to launch ransomware attacks and infect a system with their malware, such as through:
- sending phishing emails;
- malicious or suspicious attachments and links; and
- exploiting vulnerabilities in software.
If your business has already been infected with ransomware, there will be a few warning signs to look out for. These include:
- pop-up messages requesting funds or payments to unlock files;
- being blocked from your accounts, or your login not working for unknown reasons;
- links that seek out your login details or ask you to reset your password;
- files requesting a password or a code to open or access them;
- files that have been suspiciously moved and are not in their usual folders or location; and
- files that have unusual file extensions attached, or whose names and/or icons have changed to something strange.
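The file-based warning signs above can be checked mechanically. The following is an added example, not part of the original Insight: it scans a file listing for folders where many files have gained the same unexpected extension and for file names that resemble ransom notes. The extension allow-list, the note keywords, the 50% threshold and the sample paths (including the made-up `.lockd` extension) are all assumptions to adapt to your own environment.

```python
from collections import Counter
from pathlib import PurePosixPath

# Extensions the organisation expects to see (assumption: adjust to your estate).
KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".csv"}
# Words often seen in ransom-note file names (heuristic, not exhaustive).
NOTE_WORDS = ("decrypt", "recover", "restore", "ransom", "how_to")


def appended_ext(path):
    """Return the unexpected final extension if a known one sits before it."""
    suffixes = [s.lower() for s in PurePosixPath(path).suffixes]
    if len(suffixes) < 2:
        return None
    if suffixes[-2] in KNOWN_EXTS and suffixes[-1] not in KNOWN_EXTS:
        return suffixes[-1]
    return None


def looks_like_note(path):
    """True when the file name contains a ransom-note keyword."""
    name = PurePosixPath(path).name.lower()
    return any(word in name for word in NOTE_WORDS)


def scan(paths, min_share=0.5):
    """Flag folders where many files gained the same unusual extension."""
    per_dir, totals, notes = {}, Counter(), []
    for p in paths:
        folder = str(PurePosixPath(p).parent)
        totals[folder] += 1
        ext = appended_ext(p)
        if ext:
            per_dir.setdefault(folder, Counter())[ext] += 1
        if looks_like_note(p):
            notes.append(p)
    renamed = {}
    for folder, exts in per_dir.items():
        ext, count = exts.most_common(1)[0]
        if count / totals[folder] >= min_share:
            renamed[folder] = (ext, count)
    return {"renamed": renamed, "notes": notes}


# Constructed sample listing; ".lockd" is a made-up extension.
SAMPLE = [
    "/share/finance/q1.xlsx.lockd", "/share/finance/q2.xlsx.lockd",
    "/share/finance/invoice.pdf.lockd", "/share/finance/HOW_TO_RECOVER_FILES.txt",
    "/share/hr/policy.docx", "/share/hr/archive.tar.gz", "/share/hr/photo.jpg",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit from a check like this is a prompt to investigate, not proof of infection; legitimate tools also rename files in bulk.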
- What to avoid
While it can often be difficult for individuals to identify ransomware attacks, there are a number of key practices that individuals and organisations should be aware of to mitigate the risk of falling victim to an attack. These include avoiding:
- visiting unsafe or suspicious websites;
- opening emails, attachments, or files from unknown sources;
- clicking on suspicious links in emails or on social media; and
- most importantly, paying a ransom. Paying a ransom provides no guarantee that your files will be restored, nor does it prevent the publication of any stolen data. Paying the ransom only makes you vulnerable to future attacks and funds the cybercriminals to continue their attacks.
Preventative measures
- Regular software updates
Regularly updating your devices is crucial to prevent cybercriminals from exploiting known vulnerabilities to compromise systems. Updates typically include security upgrades that contain bug fixes and rectify known weaknesses.
- Data back-up and security
Having your important files and documents backed up provides an assurance that your files are well protected and still accessible in the event of a ransomware attack. For this approach to be most effective, backups must be created and updated frequently, daily in some cases.
- Strong authentication
Use unique passwords and do not share them. Avoid reusing passwords across multiple accounts. Use multi-factor authentication on crucial systems such as email or remote access services, especially if used for business purposes.
- Implement access controls
Manage access permissions for different users across your operating systems and devices. For example, only provide access to data to users who require it to perform specific and defined tasks.
- Install antivirus software
Antivirus software plays a crucial role in preventing, detecting, and eliminating ransomware on a device. Organisations must ensure that they activate antivirus software and keep it regularly updated.
The Australian Cyber Security Centre (ACSC) provides a useful Step by Step Guide on ransomware prevention, as well as a Prevention Checklist to keep track of implemented measures. A list of the ACSC’s ransomware prevention resources can be accessed here.
What to do if you’re being held to ransom
The ACSC provides a useful 9-step Ransomware Emergency Response Guide to remove ransomware, recover your files and protect yourself from future attacks. This 9-step guide should be followed if you’ve fallen victim to a ransomware attack:
- record important details;
- turn off the infected device;
- disconnect your other devices;
- change your important passwords;
- recover your information;
- remove ransomware from affected drives and devices;
- restore your information;
- notify and report; and
- prevent future attacks.
Government response to combatting ransomware in Australia
In the recently released 2023-2030 Australian Cyber Security Strategy (Strategy), the Australian Government acknowledged the growing issue of ransomware attacks on Australian individuals and organisations, emphasising its commitment to disrupt the ransomware business model by:
- enhancing visibility of the ransomware threat;
- providing clear guidance on how to respond to ransomware; and
- driving global counter-ransomware operations.
The Government will work with industry leaders to legislate a ransomware reporting obligation for businesses and create a ransomware playbook for businesses and individuals. Additionally, international cooperation and efforts to regulate cryptocurrency use are key components of the government’s strategy to target ransomware cyberattacks.
Next Steps
Reach out to Sainty Law at lawyers@saintylaw.com.au for a breakdown of legal issues associated with ransomware attacks, your response options and the defensive measures your organisation can implement, as well as any assistance you may require in the online domain. We also offer specialised advice which can help you understand your legal obligations surrounding the protection and security of storing certain types of data.
For more information on cyberattacks, protecting your business and mitigating the risks, read our complementary Insights here.