Ransomware Action Plan

Ransomware attacks have increased significantly over the past year and pose a serious threat to Australia. Ransomware criminals encrypt files and demand ransom payments, often in cryptocurrency. They also steal data and threaten to leak it publicly if ransoms are not paid, using "double extortion" tactics. Larger organizations have seen more attacks as criminals shift to targeting high-value victims. The document outlines Australia's Ransomware Action Plan to address this evolving threat.

Uploaded by

Krishnaprasad SV
RANSOMWARE ACTION PLAN

© Commonwealth of Australia 2021
With the exception of the Commonwealth Coat of Arms, all material presented in this publication is provided under a Creative Commons Attribution 4.0 International license at: https://creativecommons.org/licenses/by/4.0/legalcode.
This means this license only applies to material as set out in this document.

The details of the relevant license conditions are available on the Creative Commons website at: https://creativecommons.org/ as is the full legal code for the CC BY 4.0 license at https://creativecommons.org/licenses/by/4.0/legalcode.

Contact us
Enquiries regarding the licence and any use of this document are
welcome at:
Strategy Division
Department of Home Affairs
4 National Circuit Barton ACT 2600
cybersecuritystrategy@homeaffairs.gov.au

Table of Contents

Minister’s foreword
The threat of ransomware
Current initiatives to address ransomware
Ransomware Action Plan
Prepare and Prevent
Respond and Recover
Disrupt and Deter
Future

Minister’s foreword

The Australian Government’s cyber security vision is to create a more secure online
world for Australians, their businesses and essential services. However, Australia
faces a rapidly evolving strategic environment, punctuated by increasing malicious
cyber activity conducted by transnational, serious and organised crime groups and
individuals. This Ransomware Action Plan sets out the Government’s immediate
strategic approach to tackle the threat posed by ransomware, and builds on the
overarching cyber security architecture instigated in the 2016 and 2020 Cyber
Security Strategies, and is designed around the framework of the National Strategy
to Fight Transnational, Serious and Organised Crime.

We are continuing to observe cybercriminals successfully use ransomware to disrupt services and steal from Australians. Whether it is conducting attacks on critical infrastructure, taking from small businesses or targeting the most vulnerable members of our community, cybercriminals use ransomware to do Australians real and long-lasting harm. In response, the Australian Government is taking concrete action to protect Australians, including working with our international and business partners to combat this global threat.

Criminals are carrying out attacks simultaneously to exploit or steal from as many victims as possible. Over the past 12 months, Australia has faced a 15% increase in ransomware attacks reported to the Australian Cyber Security Centre. During a time where we are focused on growing Australia’s future as a modern and leading digital economy, safety, security and trust in the cyber-enabled systems we all rely on has never been of greater importance.

The Ransomware Action Plan takes a decisive stance – the Australian Government does not condone ransom payments being made to cybercriminals. Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk. Paying ransoms does not guarantee access to locked systems or sensitive data, and may open the victim up to repeat attacks. We need to ensure that Australia remains an unattractive target for criminals and a hostile place for them to operate.

Recognising that there are several cyber and ransomware initiatives already in place, the ever changing nature of this threat means Australia needs to remain agile and prepared to quickly stand up differing approaches over time. This approach will ensure that Australia can maintain a consistent and mature security posture to meet security objectives well into the future.

Put simply – Australia takes a zero tolerance approach to ransomware.

The Hon Karen Andrews MP
Minister for Home Affairs
October 2021



The threat of ransomware

Ransomware has become an increasingly prevalent global threat, where cybercriminals use readily available software to encrypt electronic devices, folders and files that render systems inaccessible to users. Once files are encrypted, criminals demand a ransom from the system owner in return for the decryption keys, often in the form of hard-to-trace cryptocurrencies. Not only do criminals use ransomware to encrypt files, ransomware also allows criminals to gain access to a network, enabling them to steal sensitive information.

Australia’s relative wealth, high levels of online connectivity and increasing delivery of services through online channels make it very attractive and profitable for transnational, organised cybercrime syndicates to target Australians using cyber-enabled tools and techniques. Consistent with global trends, the Australian Cyber Security Centre has continued to observe cybercriminals successfully use ransomware to disrupt operations and cause reputational damage to Australian organisations, and reported a 15% increase in ransomware attacks over the past 12 months.

Globally, it is estimated that there is a ransomware attack on a business every 11 seconds, with ransomware damage losses projected to reach US$20 billion in 2021.¹ Paying a ransom does not guarantee recovery of ransomed data, and only helps promote ransomware as a profitable criminal enterprise.² Ransomware and cyber extortion remains the most serious cybercrime threat facing Australia due to its high financial and disruptive impacts to victims and the wider community.

This trend of data theft, encryption, and public shaming reflects an evolution in ransomware tactics to more effectively extort considerable ransoms from victims. Cybercriminals are now regularly exfiltrating data, including customer personally identifiable information (PII), prior to encryption and subsequently threatening to release the stolen information publicly unless the ransom is paid. Victims who would have previously been well prepared for, or able to, recover from a ransomware incident are unlikely to be immune to this tactic known as ‘double extortion’. Organisations are now required to evaluate the cost of ransom payment against the potentially severe legal and reputational consequences of a data breach. Other extortion tactics observed in 2020 included committing Distributed Denial of Service to force victims to re-engage in ransom negotiations, directly contacting senior employees (such as Chief Executive Officers or Chief Financial Officers), alerting customers and/or the media to inform them of imminent data leaks, and posting ransom demands directly on victims’ publicly facing websites.

In the last 24 months, there has been an increase in number of larger organisations experiencing ransomware. This aligns with global trends and intelligence indicating top tier and highly-skilled cybercriminal groups are moving away from indiscriminately targeting large volumes of small-scale victims and instead tailoring their ransomware campaigns to specific million or billion dollar corporations (referred to as ‘big game hunting’). Cybercriminals are exploiting the need for such organisations to maintain effective operation to increase ransom payment.

1. Cybersecurity Ventures, 2021


2. Locked Out: Tackling Australia’s ransomware threat, Cyber Security Industry Advisory Committee, March 2021.



Ransomware attacks typically involve:
— Criminals - perpetrators responsible for the ransomware attack
— Victims - individuals or organisations who have been subject to the ransomware attack
— Facilitators – individuals or companies who may facilitate ransom payments

For criminals, ransomware is an attractive cyber weapon as it enables them to profit from victims around the world through the demand for payment, sometimes exceeding millions of dollars.

For victims, the consequences of ransomware cascade far beyond short-term and financial implications. Depending on the size of a targeted organisation, a ransom may exceed millions of dollars, with secondary financial implications associated with data loss, system restoration and increasing cyber resilience. There may be significant reputational and legal costs resulting from incidents and recovery. It is clear that ransomware is one of the most damaging types of cyber attacks for industry and individuals, which can have severe and long lasting impacts on Australians and their businesses.

Professional facilitators of ransomware payments who assist victims interact with cybercriminals may be committing criminal offences by virtue of these payments and, ultimately, help perpetuate the global criminal economy.

Types of attacks³

Hack and leak
After gaining control of a company’s IT systems, cybercriminals search for sensitive files, which are stolen before systems can be protected and locked. In the event the ransom is not paid, victims are extorted with threats to publish sensitive information, including on the dark web.

Targeting executives
Cybercriminals have started to directly target top executives. The techniques include emailing them directly with threats and ransom demands, as well as gaining access to their inboxes, files and computers and stealing their organisation’s data which is then used for extortion or blackmail.

Tailored ransom demands
Cybercriminals trawl through stolen data in preparation for ransomware attacks, often demanding a ransom payment that is the same as the insured amount. By insisting on payment in cryptocurrency, the attacker may remain anonymous and free to attack again.

3. Locked Out: Tackling Australia’s ransomware threat, Cyber Security Industry Advisory Committee, March 2021.



In May 2021, criminals attacked a United States company,
Colonial Pipeline, which carries almost half the fuel
supplies that power the east coast of the United States.
This ransomware attack resulted in the company’s decision
to shut down the pipeline. Fuel distribution was disrupted
for over a week, during which time the United States
experienced fuel shortages, panic buying, and impacts
on transport services and air flight schedules.

Criminals have launched ransomware attacks against
Australia’s critical infrastructure, businesses and members
of the community. For example, during the height of the
COVID-19 pandemic in 2020, ransomware campaigns
targeted Australia’s aged care and healthcare sectors.
The ‘Maze’ ransomware encrypted valuable information,
such as sensitive personal and medical information,
so that it could no longer be used. This reckless activity
threatened the operation of health facilities and caused
very real health and safety risks to our community.
These incidents demonstrate the importance of strong
cyber security, particularly in the protection of critical
infrastructure.

Case study: Ransomware attacks against the Australian health sector


In early 2019, a specialist unit within a Melbourne hospital was the target of a significant ransomware attack.
15,000 patients’ worth of sensitive health information was encrypted and made inaccessible to staff for a duration
of three weeks. The perpetrators demanded a ransom be paid in cryptocurrency in exchange for the files to be
decrypted and to allow staff to regain access to the information.

It was reported that a payment was made; however, not all files were recovered.

Assistance is available
Advice on mitigating the threat of ransomware can be found at cyber.gov.au.

If Australian organisations are impacted by ransomware, they can seek assistance from the Australian
Cyber Security Centre (ACSC) via 1300 CYBER1. Reporting cyber security incidents enables the ACSC to
alert and assist a broader range of organisations, and understand the scope and nature of cyber intrusions.

All Australians can report a cybercrime by visiting cyber.gov.au



Current initiatives to address ransomware

The Australian Government is progressing many lines of effort that combat ransomware, including a $1.67 billion
investment over 10 years through Australia’s Cyber Security Strategy 2020 to build new cybersecurity and law
enforcement capabilities, protect the essential services upon which we all depend, assist businesses to protect
themselves and raise the community’s understanding of how to be secure online.

The Government is:

— Strengthening Australia’s capability to counter cybercrime through a $164.9 million investment (as part of the $1.67 billion), including $89.9 million to equip the Australian Federal Police with an additional 100 personnel to identify and target cybercriminals;
— Combining the expertise of foreign and domestic law enforcement and intelligence agencies to fight cybercrime through the expanded remit of the Australian Cyber Security Centre within the Australian Signals Directorate;
— Bolstering the powers of the Australian Federal Police and Australian Criminal Intelligence Commission to identify individuals and their networks engaging in serious criminal activity on the dark web, through the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021;
— Progressing legislation to uplift the security and resilience of Australia’s critical infrastructure, build our collective understanding of the threat environment, and ensure Government can assist industry in responding to cyber threats that are too sophisticated or disruptive to be handled alone;
— Developing the next National Plan to Combat Cybercrime, which will bring together the powers, capabilities, experience and intelligence of all jurisdictions to build a strong multi-faceted response to cybercrime harming Australia and Australians, consistent with the National Strategy to Fight Transnational, Serious and Organised Crime;
— Helping businesses by providing technical cyber security advice from the Australian Cyber Security Centre on how to prepare for, and respond to, ransomware attacks;
— Providing $6.1 million for support services through IDCARE to support Australians online, if they have been a victim of cybercrime (as part of the $1.67 billion);
— Helping small and medium business improve their cyber security through the free Cyber Security Assessment Tool;
— Improving the quality and quantity of skilled cyber security professionals through the Cyber Security National Workforce Growth Program, supporting businesses across the economy;
— Launching the 2021 International Cyber and Critical Technology Engagement Strategy with $20.5 million to strengthen cyber and critical technology resilience in Southeast Asia and $17 million to boost capability, including fighting cybercrime, in the Pacific; and
— Working collaboratively with international partners to address ransomware globally.

The Australian Government does not condone the payment of ransoms to cybercriminals. Australia is, and must continue to remain, a hard target for ransomware gangs. Payment of a ransom does not guarantee the victim access to its system or data and puts other Australians at greater risk.



Ransomware Action Plan

By complementing current initiatives, this Plan will ensure that Australia remains a hard target for cybercriminals. The Australian Government will:
— Launch additional operational activity to target criminals seeking to disrupt, and profit from, Australian business and individuals.
— Deliver additional legislative reforms to build Government’s situational awareness of the ransomware threat while further criminalising ransomware (including by developing aggravated offences for attacks against Australia’s critical infrastructure) and ensuring law enforcement can track, seize or freeze ransomware gangs’ proceeds of crime.

The successful implementation of this Plan relies on close partnerships across industry and governments. The Australian Government will work closely with State and Territory governments and industry stakeholders to ensure that objectives of this Plan are achieved while complementing and not duplicating existing cyber security initiatives across the economy. We will leverage a range of existing engagement mechanisms to mobilise a national response to the threat of ransomware.

The Ransomware Action Plan is built on three objectives delivering initiatives in the immediate and mid-term.

Objectives

Prepare and Prevent
Building Australia’s resilience to ransomware attacks.

Respond and Recover
Strengthening responses to ransomware attacks by ensuring support is available to victims.

Disrupt and Deter
Disrupting cybercriminals through deterrence and offensive action by strengthening Australia’s criminal law regime and increasing the risk of ransomware gangs being caught.

Policy & Operational response

— Establishment of the multi-agency taskforce Operation Orcus as Australia’s strongest response to the surging ransomware threat, led by the Australian Federal Police
— Awareness raising and clear advice for critical infrastructure, large businesses and small to medium enterprises on ransomware payments
— Joint operations with international counterparts to strengthen shared capabilities to detect, investigate, disrupt and prosecute malicious cyber actors when engaging in ransomware
— Actively calling out those who support, facilitate or provide safe havens to cybercriminals

Legislative reforms

— Introducing a specific mandatory ransomware incident reporting to the Australian Government
— Introducing a stand-alone offence for all forms of cyber extortion
— Introducing a stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure (as proposed to be regulated by the Security Legislation Amendment (Critical Infrastructure) Bill 2020)
— Modernising legislation to ensure that cybercriminals are held to account for their actions, and law enforcement is able to track and seize or freeze their ill-gotten gains



Prepare and Prevent

Preparation and prevention are at the forefront of managing the risk of ransomware attacks.
There are a number of current and immediate initiatives which support ransomware preparation and
prevention for all Australians, including:

— the Australian Cyber Security Centre’s technical advice at cyber.gov.au, including the Ransomware
Prevention and Protection Guide, and the Emergency Response Guide;
— the Australian Cyber Security Centre’s ‘act now, stay secure’ campaign, launched in December 2020,
provides practical advice for Australians on how to protect themselves against a range of cyber
threats, including ransomware;
— initiatives funded under the Australian Signals Directorate’s CESAR package, including partnership
programs and alerts, as well as information sessions at Joint Cyber Security Centres;
— as a $4.9 million initiative under Australia’s Cyber Security Strategy 2020, work is underway to
commence a national cyber security public awareness campaign;
— the 2021 International Cyber and Critical Technology Engagement Strategy with $20.5 million
to strengthen resilience in Southeast Asia and $17 million to boost capability, including fighting
cybercrime, in the Pacific;
— uplifting the cyber security posture of Australia’s critical infrastructure and systems of national
significance through the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and
revitalised Trusted Information Sharing Network;
— practical advice for businesses, including through the release of the Cyber Security Industry Advisory
Committee’s public paper Locked Out: Tackling Australia’s ransomware threat; and
— the Government is also seeking feedback on other regulatory reforms or voluntary incentives needed
to promote the cyber security resilience of Australia’s digital economy.

Future and ongoing work to support preparatory and prevention initiatives includes:

— as part of Australia’s Cyber Security Strategy 2020, the Australian Government is considering
legislative changes, voluntary measures and incentives to strengthen cyber security across
the digital economy;
— strengthening information sharing mechanisms;
— providing advice for critical infrastructure, large businesses and small to medium enterprises; and
— supporting initiatives to actively prevent known malicious cyber threats from reaching Australian
consumers and businesses.



Respond and Recover

Strengthened response mechanisms for ransomware victims will help protect Australia and reduce
the incentive to pay ransoms. Ransomware perpetrators should not be rewarded for their actions.
Effective response initiatives must adopt a nationally consistent approach which provides incentives
to victims to consider alternatives before paying ransoms. Paying ransoms is critical to the ransomware
perpetrators’ business model and will make Australia a more attractive target for criminals. Paying a
ransom does not guarantee a successful outcome - encrypted systems may not be restored, sensitive
data may be released or sold to other perpetrators and victims may be targeted multiple times.
The Australian Government has a number of current and immediate initiatives including:

— the Australian Cyber Security Centre’s ReportCyber which allows Australian businesses or individuals
to report a cyber incident, including a ransomware attack;
— the Notifiable Data Breaches scheme under the Privacy Act 1988 requires Australian government
agencies and certain Australian businesses to report ransomware attacks that involve a breach of
personal information likely to result in serious harm;
— building Australia’s collective understanding of the threat environment, and ensuring Government can
assist industry in responding to cyber threats that are too sophisticated or disruptive to be handled
alone, through the Security Legislation Amendment (Critical Infrastructure) Bill 2020;
— providing $6.1 million for support services through IDCARE to support Australians if they have been a
victim of cybercrime;
— clearly stating that the Australian Government does not condone the payment of a ransom to
cybercriminals; and
— promoting information sharing and advice to assist industry, businesses and the community to make
informed decisions before, during and after ransomware incidents.

Future and ongoing work to support response initiatives includes:

— legislative reforms to ensure law enforcement can investigate and seize ransomware
payments; and,
— legislative reforms to specifically mandate ransomware incident reporting to the
Australian Government.

The Australian Government’s policy is that it does not condone paying ransoms to cybercriminals.
There is no guarantee that the payment will lead to your data being recovered, that the data
won’t be on-sold, or that you will not be attacked again.



Disrupt and Deter

Engaging in disruption and deterrence measures directly aimed at ransomware perpetrators is a
key aspect of Australia’s arsenal. This is achieved through cyber offensive capabilities and deterring
cybercriminal strategies and business models. By taking an offensive approach, perpetrators are less likely
to assess Australia as a vulnerable target.
Current and immediate initiatives include:

— establishing a new multi-agency law enforcement operation led by the Australian Federal Police
(Operation Orcus) to crack down on the rising ransomware threat, both in Australia and overseas;
— strengthening Australia’s capability to counter cybercrime through a $164.9 million investment,
including $89.9 million to equip the Australian Federal Police with an additional 100 personnel to
identify, investigate and target cybercriminals through Australia’s Cyber Security Strategy 2020;
— establishing new powers through the Surveillance Legislation Amendment (Identify and Disrupt)
Act 2021, to equip the Australian Federal Police and the Australian Criminal Intelligence Commission
to identify individuals and their networks engaging in serious criminal activity on the dark web
through network activity, data disruption and account takeover warranted powers;
— in 2016, establishing the Australian Cyber Security Centre as the standing taskforce that combines
the expertise of foreign and domestic law enforcement and intelligence agencies to fight cybercrime,
including countering ransomware;
— utilising the Australian Signals Directorate’s offshore offensive cyber capabilities to disrupt foreign
cybercriminals targeting Australian households and businesses;
— working with international partners to coordinate international disruption effort; and
— collaborating with states and territories to develop the next National Plan to Combat Cybercrime,
which will bring together the powers, capabilities, experience and intelligence of all our jurisdictions to
build a stronger operational response to cybercrime harming Australia and Australians.

Future and ongoing work to build disruption and deterrence initiatives includes:

— legislative reforms to ensure that cybercriminals are held to account for their actions,
and harsher penalties apply to those who engage in ransomware or target Australia’s
critical infrastructure;
— joint operations with international counterparts to strengthen shared capabilities to detect,
investigate, disrupt and prosecute malicious cyber actors that engage in ransomware;
— actively calling out states who support or provide safe havens to cybercriminals; and
— tackling cryptocurrency transactions associated with the proceeds of ransomware crimes.



Future

The world has never been more interconnected and our reliance on the internet to fuel Australia’s prosperity and maintain our way of life has never been greater.

Australia’s response to the COVID-19 pandemic has shown the importance of secure online connectivity. It has also shown Australians’ resilience and resolve to work towards a common goal. That same whole-of-nation partnership between government, businesses and the community must also be applied to ensuring Australia is cyber secure.

By complementing a range of existing initiatives, this Plan will ensure that cybercriminals and ransomware have no place in Australia.

We will:
— take action to become a hardened target for criminals seeking to disrupt and profit from Australian business and individuals;
— launch additional operational activity to target criminals attacking Australia through ransomware; and
— build better resilience by reviewing our regulations and strengthening our measures while further criminalising ransomware, including harsher penalties for those who attack Australia’s critical infrastructure.

Together we will grow Australia’s future as a modern and leading digital economy – safely, securely and with the highest levels of trust and confidence.
