Criminalising cyber extortion payments

Are we punishing the wrong party?

In November 2022, the Australian government announced it was considering new laws to make it illegal for companies to pay ransoms to cyber criminals¹, and that it would increase penalties for data breaches.² The announcement comes in the wake of high-profile cyber attacks in Australia in 2022, with discussions about Australia's cyber security strategy expected to ramp up this year.

The renewed focus is welcomed by cyber security experts as a further step towards fortifying Australia's cyber security protections, alongside the international community.

However, a critical question remains unanswered. Will the ban on ransom payments be effected through civil or criminal law, and will it be subject to civil penalties or criminal sanctions?

How can the ban be effected?

At this stage, certain US states, including New York and Hawaii, have introduced bills prohibiting governmental, business and health care entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack, with a civil penalty of up to US$10,000 imposed for any violation of the ban.

The New York law proposes to amend the state's technology law to include the ban, whilst the Hawaiian law proposes to amend Chapter 128A Homeland Security, Hawaii Revised Statutes.

However, the effectiveness of civil penalties of this quantum in deterring the payment of ransom is debatable. When the very survival of a business is at stake, a cost-benefit analysis could reveal it is in the interests of the business to pay the ransom and simply absorb the civil penalty.

Alternatively, governments may decide to criminalise the payment of ransoms through corporate criminal law, making it an offence to pay a cyber ransom. This would mean a company is criminally liable, and directors and officers personally liable if the corporation commits the offence. In this case, the deterrence effect of such laws on the ransom victim may be stronger.

However, in the same way a ban on extortion cover in insurance policies is little deterrent to cyber criminals, many believe that criminalising the payment of ransoms will also fail to discourage cyber crime.

A decision to criminalise the payment of ransoms should not be taken lightly. The current assumption is that banning ransom payments will disincentivise cyber crime, striking at the heart of the criminal enterprises. However, the punitive approach towards the victims of cyber extortion is far more complex.

Below, we explore the facts in more detail.

1. It is not always about financial gain

The main tenet in support of criminalising the payment of ransoms is that it would reduce the financial incentives for criminals because companies would be bound to refuse payment to avoid committing an offence. It is argued that this would in turn reduce the number and severity of cyber attacks, particularly ransomware attacks and attacks involving cyber extortion.

However, cyber criminals are motivated by a variety of factors, including financial gain, ideological reasons, personal or professional revenge, thrill-seeking or simply to teach a company with cyber security vulnerabilities a lesson. These motivations can be overlapping and often change over time.

If the end goal is to reduce the number and severity of cyber attacks, striking at one motivation by extinguishing the source of funds may not necessarily be effective.

Example

Cyber incidents perpetrated by bug bounty hunters are often undertaken to expose the vulnerabilities of using open-source third-party software, with exfiltration of data viewed as a trophy or to confirm the breach. In these instances, extortion demands are typically opportunistic and a sub-motivation, with very few demands suggesting that financial gain was the main motivation for these threat actors. Such threat actors are unlikely to stop carrying out cyber attacks if ransom payments are made illegal.

In other words, unless the main or sole motivation is financial gain, criminalising the payment of ransoms is unlikely to make a significant dent in the cyber crime enterprise.

2. Cyber criminals are resilient, motivated and creative

Assuming for a moment that the main or sole motivation for cyber criminals and ransomware attackers is financial gain, cyber extortion funds are only one source of funding. Cyber criminals have proven themselves to be resilient, motivated and creative in identifying new opportunities.

Despite hurdles and security measures to thwart cyber criminals, they are often able to devise creative bypass measures to achieve their end goal.

Example

In 2019, Microsoft claimed that multi-factor authentication (MFA) can prevent over 99.9% of account compromise attacks.³ However, in 2022, we saw cyber crime groups escalating attacks on MFA methods globally, launching MFA bypass attacks to compromise accounts.⁴

Closing off the source of extortion funds simply pushes cyber criminals towards other tactics to procure financial gain. It is well known that cyber criminals utilise malware, phishing scams and other tactics to steal personal information or financial data, which they then use to commit identity theft or fraud for financial gain. Cyber criminals have also developed MFA bypass tactics to carry out account-takeover attacks on banks and crypto wallets for financial gain.

In this respect, criminalising the payment of ransoms is unlikely to make a significant dent in the cyber crime enterprise, as it fails to recognise the other avenues for financial gain.

3. Fewer companies are paying ransoms

A 2022 research report found that fewer companies paid extortion payments to cyber criminals in 2022 than in both 2021 and 2020.⁵

In the findings published by Chainalysis Inc on 19 January 2023, ransom payments (which are almost always paid in cryptocurrency) fell to US$456.8 million in 2022 from US$765.6 million in 2021. The 40% drop was not attributed to attacks reducing, but much of the decline was due to victim organisations refusing to pay ransomware attackers.

The research from Chainalysis is supported by data from the cyber incident response company Coveware, which disclosed that the number of Coveware’s clients that have paid a ransom after an attack has steadily decreased since 2019, from 76% to 41% in 2022, according to Chainalysis’s research.

There are a few reasons for this:

1. As companies and businesses become increasingly aware of cyber security risks, invest in uplifting their cyber resilience and/or have the financial support of cyber insurance, there are often options other than the payment of ransoms to recover the data. The cyber insurance industry has played an important role in this by requiring organisations to meet a minimum standard of cyber security and backup measures before insuring them for ransomware coverage. Having these requirements has uplifted the cyber resilience of many insured organisations and led to these companies being able to recover from cyber attacks through means other than paying ransom.
2. The payment of ransoms now comes with increasing legal risk, both in Australia and in other jurisdictions like the US, UK and EU. When considering the payment of ransoms, organisations must consider the significant ramifications that may arise under sanctions laws (both domestic, foreign and international), anti-money laundering laws, and counter-terrorism laws. There are also significant reputational ramifications for an organisation that is publicly known to have paid a ransom.
3. The Australian government's position is to never pay a ransom. As Australian organisations become more cyber security aware, they have become more willing to report ransomware attacks and extortion demands to the police, the Australian Cyber Security Centre (ACSC), and the Office of the Australian Information Commissioner (OAIC) if it involves a data breach. This has created an increased public-private collaboration, which often results in the organisation adopting the government's position of not paying the ransom. Such collaboration has contributed to discouraging the payment of ransoms.

Despite this downward trend in organisations making ransom payments, there has been no reduction in the number and frequency of cyber attacks. Today, ransomware remains one of the top threats to organisations, and cybercrime is costing the Australian economy an estimated AUD42 billion annually.⁶ Therefore, it would not only be reasonable but prudent to query whether the criminalisation of ransom payments would indeed be an effective solution to the cyber extortion and ransomware problem facing Australia.

4. Punishing the victims

The most apparent effect of criminalising ransom payments is that it punishes victims of cyber extortion, which is contrary to the very foundation of the criminal justice system.

Criminal law seeks to identify and punish offending conduct and behaviours for the protection of society. The offending conduct here is the cyber crime, and there are already laws in place (sanctions laws, anti-money laundering laws, and counter-terrorism laws) that prevent organisations from paying the ransom if doing so may cause them to fund the criminal enterprise.

However, laws criminalising the payment of ransoms do not punish the cyber crime perpetrators, at least not directly. Instead, they penalise the victim of the cyber crime directly, who very often only contemplates payment of the ransom in exceptional circumstances and as a last resort.

Australia is in a developing phase of uplifting its cyber resilience as a nation. Whilst organisations who have the resources to invest in uplifting their cyber resilience are able to afford a policy of not paying a cyber ransom, small and medium enterprises (SMEs) that are lagging behind often have fewer options when considering ransom payment for recovery and business survival.

Such a law presupposes that all organisations are able to recover without paying a ransom, which is simply not a realistic assumption at this stage of Australia's cyber security maturity. In actual fact, it is perhaps more likely that a ban on ransom payment would hurt these organisations the most, rather than the cyber criminals themselves.

Further, information-sharing and intelligence-gathering is a key part of the fight against cyber crime globally. By criminalising the payment of ransoms, victims of cyber crime may be less willing to trust, report or share information about the cyber extortion threat with law enforcement authorities or the regulators out of fear of punitive or criminal ramifications.

Is there an alternative?

In short, making it illegal for companies to pay ransoms to cyber criminals will not be a panacea to the cyber crime, cyber extortion and ransomware problems facing Australia. It is a blunt tool that is unlikely to impact or stop the cyber criminals.

The resources would arguably be better spent on measures that would directly impact the cyber crime enterprise and reduce Australia's vulnerability to such attacks. For example:

• Improving international governmental and law enforcement cooperation in the fight against cyber crime and ransomware groups.
• Uplifting the cyber resilience and maturity of all Australian government and non-governmental organisations so that if, and when, a ransomware attack or cyber extortion threat is made, the question of paying the ransom does not arise.

Perhaps it is only at that stage that a law criminalising the payment of ransoms to cyber criminals is more justifiable.

Directors' duties provisions

The decision to make a ransom payment often rests with an individual (or a group of individuals), and/or the board of directors. If the goal is simply to reflect the public policy of discouraging the payment of ransoms, rather than personal criminal liability, a more appropriate approach would perhaps be to regulate such conduct through the directors' duties provisions, to ensure that any decision to make a ransom payment is in line with those duties. This would ensure that any decision to pay a ransom would be limited to the most exceptional of circumstances and where it is, on balance, likely to be reasonable or in the interest of the company.

That said, following discussions and consultation, if the decision is made to criminalise the payment of ransoms to cyber criminals, then we consider it is important for lawmakers to include specific defences and exceptions, such as the common law criminal defence of necessity, to accommodate the exceptional circumstances organisations may face. After all, laws are formal rules that society uses to define how people and organisations are expected to behave, but they should not be rigid and fixed, or lack the flexibility to take account of various circumstances.

This article is part of CyberSight 360 2022/23.

¹ https://www.smh.com.au/politics/federal/we-will-hunt-them-down-o-neil-signals-more-action-on-medibank-hack-20221113-p5bxsi.html
² https://ministers.ag.gov.au/media-centre/joint-standing-operation-against-cyber-criminal-syndicates-12-11-2022
³ https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
⁴ https://www.techtarget.com/searchsecurity/news/252525234/Cybercriminals-launching-more-MFA-bypass-attacks
⁴ https://its.unc.edu/2022/10/20/mfa-bypass/
⁵ Ransomware revenue down as more victims refuse to pay
⁶ https://www.unsw.adfa.edu.au/newsroom/news/cybercrime-estimated-42-billion-cost-australian-economy

Photo by Adi Goldstein on Unsplash.