The government will also introduce new criminal offences and tougher penalties as part of the plan. However, there is no date given for the Plan to take effect.
She said the government did not condone the payment of ransoms. Attackers who use ransomware to attack companies or individuals generally exfiltrate some data before they encrypt files on the system.
Andrews said the government's opposition to payment of ransoms was tied to the fact that "there is no guarantee hackers will restore information, stop their attacks, and not leak or sell stolen data".
But by waiting 9 months before acting they’ve now left themselves so little time to actually act that it’s unlikely that any of the government’s Ransomware Action Plan (which is totally different from a National Ransomware Strategy) will be legislated before the election…— Tim Watts MP (@TimWattsMP) October 12, 2021
She claimed Australians would be better protected once the plan took effect. “Ransomware gangs have attacked businesses, individuals and critical infrastructure right across the country,” Andrews said.
“Stealing and holding private and personal information for ransom costs victims time and money, interrupting lives and the operations of small businesses.
“That’s why the Morrison Government is taking action to disrupt, pursue and prosecute cyber criminals. Our tough new laws will target this online criminality, and hit cyber crooks where it hurts most – their bank balances.”
The Plan envisages the following:
- "Introduce a new stand-alone aggravated offence for all forms of cyber extortion to ensure that cyber criminals who use ransomware face increased maximum penalties, giving law enforcement a stronger basis for investigations and prosecution of ransomware criminals;
- "Introduce a new stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure. This will ensure cybercriminals targeting critical infrastructure face increased penalties, recognising the significant impact on assets that deliver essential services to Australians;
- "Criminalise the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cyber criminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties;
- "Criminalise the buying or selling of malware for the purposes of undertaking computer crimes; and
- "Modernise legislation to ensure that cyber criminals won’t be able to realise and benefit from their ill-gotten gains, and law enforcement can better track and seize or freeze cyber criminals’ financial transactions in cryptocurrency."
Andrews said the government would consult the community, industry and interested stakeholders on the reporting regime and the new offences.
One of Australia's big four banks, National Australia Bank, has welcomed the Plan. Patrick Wright, NAB Group executive Technology and Enterprise Operations, said in a statement: "NAB continues to play an active part in supporting the Federal Government in its efforts to protect Australians from cyber threats.
“We know the cyber threat landscape is ever evolving and the volume of threats, including ransomware attacks, particularly on our business customers, continues to increase year on year. We’re pleased to see the measures introduced in the action plan for tougher penalties, in an effort to deter bad actors.
“Mandatory reporting of ransomware attacks will provide a more fulsome picture of the impact cyber crime is having. Business and government co-operation is crucial to expand our knowledge and understanding of the threat landscape.
“We’re committed to help our business customers of all sizes combat ransomware and its effects.”