InfoSecBulletin Cybersecurity for mankind
New ransomware payment reporting rules take effect in Australia yesterday (May 30) for all organisations with an annual turnover of AUS $3 million ($1.93 million).
Australia’s Cyber Security Act 2024 applies to private companies managing critical infrastructure assets.
Organizations must report any ransomware payments to the Australian Signals Directorate (ASD) within 72 hours of making the payment or being informed of it.
Hackers Bypass Gmail MFA With App-Specific Password Reuse
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
The report must include the following information:
The ransomware payment amount demanded and paid
The method of provision that was demanded and used
Details on the nature and timing communication with the attackers
The requirements do not apply to public sector bodies.
Failure to comply can result in civil penalties.
Australia is the first country to require mandatory reporting of ransomware payments.
Australia’s Cyber Security Act 2024 requires smart device manufacturers to meet new security standards starting in 2026.
The law will establish a new Cyber Incident Review Board to evaluate major cybersecurity incidents after they occur. This could see senior executives face scrutiny over the cyber strategy decisions.
Reporting Rules Aim to Boost Ransomware Visibility:
The new rules aim to make it easier to see ransomware attacks, assisting government and law enforcement in their efforts to fight against threat actors.
Ransomware incidents are likely underreported. The Australian Institute of Criminology found that only one in five victims report cyber-attacks to authorities.
The requirement to make payments public could also serve as a deterrent to ransomware victims to pay their extorters.
Commenting on the reporting rules, Tim Dillon, Director of Professional Services, APAC, NCC Group, said: “The introduction of Australia’s latest cybersecurity laws is a significant step in bolstering national digital resilience against an ever-evolving threat landscape. Governments and regulators globally are grappling with limited visibility into cyber risks – particularly ransomware – which hinders their ability to effectively detect, disrupt, and deter cyber-attacks.”
The UK government is currently seeking input on plans to make reporting ransomware incidents mandatory and to prohibit payments by public sector and critical infrastructure organizations.
Recent research has shown that more victims of ransomware are refusing to pay attackers, with Chainalysis finding that payments fell 35% in 2024 compared to 2023.
