Ransomware is a type of software which maliciously denies an organisation access to its own IT systems and often threatens to release information held within such a system unless a ransom is paid. The government believes ransomware attacks are Australia’s largest cyber threat.[1] The Ransomware Payments Bill 2021 (Cth) (Bill) intends to establish mandatory reporting requirements for all Commonwealth entities, State or Territory agencies, corporations and partnerships who make ransomware payments pursuant to a ransomware attack. The Bill would see such organisations provide notice to the Australian Cyber Security Centre (ACSC).
When has a ransomware attack occurred?
The Bill defines what acts constitute a ransomware attack. The simple premise has been introduced above, but the Bill provides rigid requirements before a ransomware attack may be found. A ransomware attack occurs where a person, the attacker, assisted by a computer function, directly or indirectly causes any of the following:[2]
- access to data held in a computer;
- modification of data held in a computer;
- the impairment of electronic communication to or from a computer; or
- the impairment of the reliability, security or operation of any data held on a computer disk or other device used to store data by electronic means.
Further to these requirements, it must be shown that the attacker knows the access, modification or impairment is unauthorised,[3] and that the modification or impairment either:[4]
- restricts access by an authorised person to data held in a computer; or
- will, or gives an unauthorised person the ability to, modify, damage or destroy data held in a computer or on a computer disk or other device used to store data by electronic means.
The final requirement before a finding of a ransomware attack is made is that the attacker has demanded a payment in order to:[5]
- end the unauthorised access, modification or impairment;
- prevent publication of any of the data;
- end the restriction on access to the data;
- prevent damage or destruction of the data; or
- otherwise remediate the impact of the unauthorised access, modification or impairment.
Reporting obligations on entities
As mentioned, the Bill imposes obligations on certain entities to report any payments they’ve made in order to protect themselves against ransomware attacks. The Bill provides this requirement under Part 2, section 8. That section establishes the requirement that ‘an entity that makes a ransomware payment must, as soon as practicable, give written notice of the payment to the ACSC’ or suffer a civil penalty in the order of 1,000 penalty units (at the time of writing, roughly $110,000).[6] There is a strong impetus, then, for entities to comply with this proposed requirement.
Who is an ‘entity’ for the purposes of the Bill?
The Bill, if passed, will apply to a Commonwealth entity,[7] a State or Territory or an agency of a State or Territory[8] or any other person if the:[9]
- person carries on a business in the income year in which the payment is made;
- person is not a small business entity for the year; and
- ransomware payment relates to a ransomware attack against data, a computer, computer disk or other device located in Australia or used by the person in Australia.
It would seem, then, that the Bill intends to cast an extremely broad net over the persons it intends to obligate to report ransomware payments.
Notice pursuant to the Bill
The Bill requires that any notice sets out:[10]
- the name and contact details of the entity;
- the identity of the attacker, or what information the entity knows about the identity of the attacker (including information about the purported identity of the attacker); and
- a description of the ransomware attack, including:
  - the cryptocurrency wallet etc. to which the attacker demanded the ransomware payment be made;
  - the amount of the ransomware payment; and
  - any indicators of compromise known to the entity.
The contents required within the notice are rather straightforward, excepting the ‘indicators of compromise’ component. An indicator of compromise, however, is simply any technical evidence left by the attacker which indicates the attacker’s identity or methods.[11]
Takeaways
It must be noted that this Bill is not representative of the current obligations upon business but only of potential law. It has passed the House of Representatives but is yet to be considered by the Senate. Assuming that it passes, it brings about stringent requirements on entities, but its purpose is clearly to deter and react to ransomware attacks – which the government considers to be Australia’s largest cyber threat.
Links and further references
Legislation
Ransomware Payments Bill 2021 (Cth)
Other materials
Further information about ransomware attacks
If you need advice on your obligations surrounding notice of ransomware attacks, contact us for a confidential and obligation-free discussion:

Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au

Disclaimer
This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
[1] Explanatory Memorandum, Ransomware Payments Bill 2021 (Cth) 4.
[2] Ransomware Payments Bill 2021 (Cth) s 4(a)(i) – (iv).
[3] Ransomware Payments Bill 2021 (Cth) s 4(b).
[4] Ransomware Payments Bill 2021 (Cth) s 4(c).
[5] Ransomware Payments Bill 2021 (Cth) s 4(d)(i) – (iv).
[6] Ransomware Payments Bill 2021 (Cth) s 8(1).
[7] Ransomware Payments Bill 2021 (Cth) s 5(a).
[8] Ransomware Payments Bill 2021 (Cth) s 5(b).
[9] Ransomware Payments Bill 2021 (Cth) s 5(c)(i) – (iii).
[10] Ransomware Payments Bill 2021 (Cth) s 8(1).
[11] Ransomware Payments Bill 2021 (Cth) s 8(3).