Paying cyber-ransoms still lands organisations in hot water
Written by Lee Roebig, CISO, Sekuro.

Ransomware attacks continue to impact Australian organisations at a growing rate, with 75% of the industrial sector having experienced a ransomware attack in the past year, and they cost the Australian economy $2.59 billion annually.

The Australian Cyber Security Centre named ransomware as the most destructive cybercrime threat, as it continues to create significant risks for governments, businesses and individuals due to its high financial impact and the other disruption it causes to victim organisations and the broader community.

Home affairs and cybersecurity minister Clare O’Neil addressed Australia’s ransomware problem as part of the 2023-2030 National Cybersecurity Strategy, outlining a commitment to “work with industry to break the ransomware business model”, which is fuelled by payments made to cybercriminals.

Close to three quarters (73%) of Australian organisations that suffered ransomware attacks in 2023 chose to pay the ransom demand. And 70% of surveyed Aussie businesses, including those yet to experience a ransomware attack, said they would be willing to pay a ransom despite consistent government advice against doing so. It is a clear indication that ransom payments are considered a legitimate option by most Australian executives and have already been factored in as a cost of doing business.

Minister O’Neil has stated that while the government has decided to shelve plans to ban the payment of ransoms to cybercrime groups for at least two years, such a ban will become an “inevitable” strategy to take the target off the back of Australian organisations. Whilst there is currently no legislation which directly prohibits cyber-ransom payments, making such a payment could still constitute an offence. It is imperative that organisations consider the potential legal implications of paying a ransom if they decide to go down that road.

Money laundering offence

As per Section 102.7 of the Criminal Code Act 1995 (Cth), it is an offence to ‘recklessly’ provide resources to support a terrorist organisation.

Paying a cyber-ransom could constitute a money-laundering offence under Division 400 of the Criminal Code Act 1995 (Cth) as ‘there is a risk that the money or property will become an instrument of crime’, and the person is ‘reckless’ or ‘negligent as to the fact that the money or property is proceeds of indictable crime.’ Depending on the specific circumstances, however, organisations could claim the defence of duress, self-defence or ‘sudden/extraordinary emergency’.

Sanctions offence

Paying a cyber-ransom could lead to an organisation being in breach of the Autonomous Sanctions Act, as it could be considered funding an individual or entity sanctioned for their involvement in ‘malicious cyber activity’.

Australia’s sanctions regime, implemented under the Autonomous Sanctions Act 2011 (Cth), prohibits the funding of an organisation proscribed by a United Nations (UN) sanction.

Breach of director’s duties

Directors and executives face a double-edged sword when it comes to dealing with ransom payments.

Based on the Corporations Act 2001 (Cth), directors of companies have a range of duties including to ‘act in good faith, to exercise care, skill and diligence, and to prevent insolvent trading’.

If found to have breached these duties, directors can be found personally liable and subject to civil and criminal penalties.

In the instance that a cyber-ransom is paid, and as a result the company suffers a major financial loss or becomes insolvent, a Court could find a director to have breached the duties owed to their company, and shareholders could initiate a class action alleging a breach of the director’s duties to act in good faith, exercise care, skill/diligence and prevent insolvency.

Similarly, if the decision is made not to pay the cyber-ransom, and the company suffers as a result, directors could also be faced with the same predicament.

So is this a case of ‘damned if you do, damned if you don’t’? Not necessarily.

To help organisations make better decisions and mitigate the damages when dealing with ransomware attacks, the Australian Federal Police is calling upon businesses to report any such attacks as soon as possible.

According to the Cost of a Data Breach Report 2023, the 37% of businesses that do not report ransomware attacks spend more on mitigating the incident than those who worked with law enforcement. This is, however, a worldwide statistic and not an Australian-only one.

As there is not yet any case law or judicial guidance clarifying how organisations should handle ransomware attacks, it is highly recommended that businesses impacted by a ransomware attack seek specialised legal advice (that is, from law firms that specialise in data breach/cyber incidents) before deciding whether or not to pay, work with law enforcement to help identify the threat actors, and work with government agencies such as the Australian Cyber Security Centre to help mitigate the damage.

Better yet, organisations should plan and regularly rehearse what to do, when to do it and who to contact/involve before a ransomware incident occurs. These decisions and plans are best made during a time of level-headedness, which is most definitely not during the incident itself.