Aussie Businesses Now Have To Fess Up When They Pay Off Ransomware Crims

Australia now requires large companies to inform the government if they have paid off ransomware perps.

The requirements, set out in the Cyber Security Act 2024, kicked in on Friday, May 30. Any business with annual turnover above AU$3 million (about US$1.92 million) must report a ransomware payment within 72 hours of making it to the Australian Signals Directorate (ASD).

Technically, it's not illegal for Aussie firms to pay ransoms, whether to unlock encrypted data or to have stolen files deleted, but the ASD doesn't recommend it. In its last annual report, the agency says it dealt with 121 ransomware cases, which suggests not many victims are reporting this kind of crime. That should change with the legislation.

The obligation applies from day one, but Australia's Department of Home Affairs is giving companies a six-month grace period during which it will only go after "cases of egregious non-compliance," it said in a fact sheet [PDF]. From 2026, qualifying companies can expect the rules to be enforced in full. Failure to report carries a civil penalty of 60 penalty units, currently AU$19,800 (about US$12,700), a figure that is likely to rise as the value of a penalty unit is indexed.

Companies will need to supply their Australian Business Number, along with details of when the attack occurred, whether data was stolen or encrypted, what (if any) vulnerabilities were exploited, an estimate of the cost to the business, and the amount of ransom paid, and in what currency.

The government says it wants the data so that it can ascertain which are the most common ransomware types hitting Australian businesses and gauge the scale of the problem. It also wants the information in case further legislation on cybercrime is needed.

That said, given the turnover threshold, fewer than 7 percent of registered businesses would be subject to the requirement, according to [PDF] the Australian government. But these are the largest businesses and, logically, should hold the most customer information at risk.

Australia's move has precedent. Under the Biden administration, the US passed a law [PDF], the Cyber Incident Reporting for Critical Infrastructure Act of 2022, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to come up with rules for reporting ransomware payments, but those rules are reportedly not due until October of this year.

The UK is also mulling new legislation on ransomware. The proposals currently under consideration include a complete ban on public sector organizations paying ransoms, mandatory reporting by larger businesses like the Australian system, and a "ransomware payment prevention regime," whereby those afflicted would have to apply for government permission before paying any ransom. ®
