Australia considers banning ransom payment
There has long been a spirited debate about whether to pay a ransom. Some legitimately make the case that payments encourage and fund the ransomware industry. Others point out that not everyone who pays gets their full data back. Others still emphasize that companies that do pay are often hit again, because they become known as easy to compromise and likely to pay, and in some cases the attackers are thought to leave backdoors and other footholds in place even after the ransom is paid.
But even those who in principle feel that paying a ransom is the wrong idea may sacrifice that principle for survival if their data is compromised and their business is threatened.
This week, the Australian government said it was giving serious consideration to banning ransom payments. A report in the online journal The Record said, “Clare O’Neil, the minister for home affairs and cybersecurity, confirmed to Australia’s public broadcaster ABC that the government was looking at criminalizing extortion payments as part of the government’s cyber strategy.”
This comes in the wake of the Australian health insurer Medibank’s refusal to pay a ransom, even though the refusal led to a large-scale disclosure of customer data and a sharp drop in its share price.
While corporate resistance like Medibank’s is relatively rare, the idea of making ransom payments illegal has been floating around for a few years. Proponents say it would bring ransomware gangs to a halt, pointing to the way coordinated law-enforcement action has disrupted gangs in the past. Critics say it would just drive the problem underground: companies would be reluctant to report incidents or payments at all, leaving law enforcement with less to act on.
Despite the differing opinions, Australia seems determined to stamp out ransomware attacks. Minister O’Neil vowed that Australia would provide resources that would “day in, day out, hunt down the scumbags who are responsible for these malicious crimes against innocent people.” Australia will also establish a voluntary international “Counter Ransomware Task Force.”
The real cost of ransomware – more than simply the ransom
The Royal United Services Institute (RUSI), a UK think tank with a nearly 200-year history, has launched a study called Ransomware Harms and the Victim Experience, which looks at the total impact of ransomware on victims, economies, and societies.
The study comes in the wake of a number of devastating ransomware attacks on healthcare and critical infrastructure in the UK, as well as the “normal” corporate attacks that have become so prevalent.
The study aims to look at three key areas:
- The harm in the wider sense, e.g., physical, economic, societal, psychological, to organizations and individuals
- How a ransomware attack is experienced by victims, as well as what factors aggravate or reduce the negative experience(s)
- How to measure the scale of, and types of harms caused by ransomware to the UK economy
According to the RUSI website, the study will “combine an extensive literature review, workshops with industry and government stakeholders, and interviews with victims of ransomware. This will involve engagements with a diverse global community, law enforcement, policymakers, insurance professionals, cyber security and incident response experts, data breach lawyers, and businesses.”
They invite anonymous participation in their study, presumably from UK companies.
Microsoft warns of ransomware attacks via Google ads
Microsoft’s Security Threat Intelligence team has issued a warning about campaigns to distribute ransomware using Google Ads. Microsoft first spotted this development in October 2022, and is tracking the group distributing Royal Ransomware under the name DEV-0569.
Royal Ransomware has also been reported by Fortinet as a new operation, first seen in early 2022. The group does not rely on a single attack vector; instead it tailors each intrusion to the particular weaknesses of its victim.
Microsoft echoes this assessment, stating that “Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation.”
In the most recent reports, the group is leveraging “malvertising” to lure victims to links for malware downloaders posing as legitimate installers for apps such as Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom. The practical check for defenders is twofold: installers should only be fetched from the vendor’s own domain rather than from whatever an ad-served result points to, and a downloaded installer should be verified against the vendor’s code-signing certificate before it is run.
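The malvertising lure described above depends on a hostname that imitates a real vendor, either by a homoglyph or small edit to the brand name or by embedding the brand in an unrelated domain. The script below, an added example that is not from the article or from Microsoft’s report, scans web-proxy log lines for download URLs and flags hosts that are near-misses of an allowlist of vendor domains. The allowlist, the brand tokens, the homoglyph table and the log lines are all constructed for this example; the log format is a simplified, hypothetical one and the allowlisted vendor domains are an assumption a defender would tune to their own environment.

```python
"""Flag lookalike vendor download domains in proxy logs (added example)."""
import re
from urllib.parse import urlsplit

# Assumption: the domains a defender would allowlist for these vendors.
LEGIT_DOMAINS = {"anydesk.com", "logmein.com", "zoom.us", "microsoft.com", "adobe.com"}

# Brand tokens: a host containing one of these but not on the allowlist is suspect.
BRANDS = ("anydesk", "logmein", "zoom", "teams", "adobe", "flash")

# Common substitutions used to imitate a brand name (constructed table).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"))

# Constructed sample log lines: timestamp client method url status.
SAMPLE_LOG = """\
1668700001.123 10.0.0.5 GET https://anydesk.com/en/downloads 200
1668700002.456 10.0.0.5 GET https://anydesk-download.net/AnyDesk.exe 200
1668700003.789 10.0.0.7 GET https://zoorn.us/client/latest/ZoomInstaller.exe 200
1668700004.001 10.0.0.9 GET https://teams.microsoft.com/downloads 200
1668700005.002 10.0.0.9 GET https://logme1n.com/client/LogMeIn.msi 200
1668700006.003 10.0.0.11 GET https://adobe-flash-player-update.com/flash.exe 200
1668700007.004 10.0.0.11 GET https://example.org/index.html 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$")


def fold(label: str) -> str:
    """Lower-case a label and collapse common homoglyph substitutions."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str):
    """Return (verdict, reference): allowlisted, lookalike, brand-abuse or unknown."""
    host = host.lower().rstrip(".")
    rd = registrable(host)
    if rd in LEGIT_DOMAINS:          # exact domain or any subdomain of it
        return ("allowlisted", rd)
    sld = rd.split(".")[0]
    for legit in sorted(LEGIT_DOMAINS):
        lsld = legit.split(".")[0]
        threshold = 1 if len(lsld) < 6 else 2   # short brands get a tighter threshold
        if levenshtein(fold(sld), fold(lsld)) <= threshold:
            return ("lookalike", legit)
    folded_host = fold(host)
    for brand in BRANDS:
        if brand in folded_host:
            return ("brand-abuse", brand)
    return ("unknown", None)


def scan(log_text: str):
    """Parse log lines and return the hits that deserve an analyst's attention."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = m["url"]
        host = urlsplit(url).hostname or ""
        verdict, ref = classify(host)
        if verdict in ("lookalike", "brand-abuse"):
            hits.append({
                "client": m["client"],
                "host": host,
                "verdict": verdict,
                "reference": ref,
                # An executable from a lookalike host is the highest-priority hit.
                "executable": url.lower().endswith((".exe", ".msi")),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The edit-distance threshold is deliberately tight for short brand names, but a short name like “zoom” will still collide with legitimate words one edit away, so in production the allowlist and thresholds need tuning against a baseline of normal traffic; the registrable-domain helper also ignores public suffixes such as `.co.uk`, which a real deployment should handle with a public-suffix list.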
Ransomware – a new meaning to “sowing Discord”
Discord is a free chat app popular with gamers, and also widely used by NFT and cryptocurrency communities. Those communities and the platform itself are now being targeted by the group behind the AXLocker ransomware strain.
AXLocker not only encrypts files; it is also reported to steal the victim’s Discord authentication token. A stolen token lets the attacker take over the account without knowing the password, and potentially reach every community the user belongs to. The risk of compromised accounts could have a chilling effect on the Discord platform.
Security blog Bleeping Computer, which noted the attack this week, recommended that anyone affected immediately change their Discord password, which invalidates the stolen token, in addition to taking the usual steps to recover from the encryption.