
Corporate Australia’s dirty little secret: Paying ransoms to cyber attack gangs to recover data

Australian companies are paying million-dollar ransoms to criminal gangs – despite stern warnings from police as extortion and attacks continue.


Companies are defying federal government advice and the wishes of shareholders by paying ransoms to criminal hacking gangs to recover their data, experts said.

But ransom payments are largely kept secret, with none of the eight companies to publicly reveal an attack in the past four years admitting to making one.

Cyber extortion attempts are soaring, with 16 successful attacks on Australian targets in November alone, according to research by cybersecurity group CyberCX.

Optus customers were recently affected by a large-scale hack. Picture: Andrew Henshaw

Home Affairs Minister Clare O’Neil has previously indicated the government might make paying ransoms illegal but on Friday said the issue would be examined by an expert board, helmed by former Telstra boss Andy Penn, charged with developing strategies to fight cyber criminals.

“When Australian companies pay ransoms we are essentially seeding this terrible business model,” she told Sky News. “I don’t want Australia to be a soft target and if we have a system where the default is you pay the ransom and think you are getting yourself out of trouble then we’ve got a real problem as a country.”

Chris Rock, from SIEMonster, says people pay ransoms “all the time”. Picture: Supplied.

Experts said the hacking gangs behind attacks such as the recent assault on Medibank and Optus are usually professional and well-organised, and the decision on whether to pay ransoms takes into account the individual crime ring’s track record of fulfilling promises not to release data or unlock crippled computer systems.

Payments are often organised by insurers and made in cryptocurrency – often bitcoin but in some cases so-called “privacy coins” that are harder to trace.

“People pay all the time,” Chris Rock, the chief information security officer at SIEMonster, which sells software to defend against cyber attacks, said.

“I know the ones I’ve been involved with, those people have paid.”

Insurance executive Andre Louw says most policies include paying ransoms. Picture: Supplied

Estimates of the proportion of companies that pay up vary from 20 per cent to 80 per cent. The average ransom demand is about $1m, according to research by forensic accounting firm McGrath Nicol.

Andre Louw, a veteran insurance industry executive and the chair of broking group Howden Australia, said most policies covering cyber attacks included paying for ransoms, although some insurers have started to limit payouts because of the surge in attacks.

“It’s fair to say all of our clients who buy cyber would expect the policy to respond to a ransom claim,” Mr Louw said.

BWX, which owns Zoe Foster-Blake’s skincare brand, did not pay a ransom. Picture: Supplied.

Over the past four years seven corporate victims of attacks – Medibank, Optus, Woolworths, Nine Entertainment, tech group Appen, property valuation firm Landmark White (now known as Acumentis) and financially troubled cosmetics conglomerate BWX, which is the home of Zoe Foster-Blake’s skincare brand Go-To – did not pay ransoms.

Two, information technology company Data #3 and theme park operator Ardent Leisure, did not respond when asked if a ransom was demanded or paid.

Over the same period just one organisation, a group of heart doctors who operate from Cabrini Hospital in Melbourne, has said it paid a ransom as a result of a ransomware attack.

Melbourne Heart Group, which declined to comment, paid a ransom to hackers in 2019 in order to unlock the data of more than 15,000 patients.

AFP Commissioner Reece Kershaw makes a statement on the Medibank breach. Picture: Martin Ollman

Mr Rock said Medibank “let their members down” by following federal police advice and refusing to pay a $15m ransom to Russian hackers who obtained details of more than 9.7m current and former customers.

Earlier this month the crime gang released gigabytes of customer data, including information on medical claims, and declared “case closed”.

In general, paying ransoms is not illegal. However, Australian Federal Police advice is that ransoms should never be paid.

“Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk,” an AFP spokesperson said.

Former Telstra boss Andy Penn will lead an expert board to develop strategies against cyber-crime. Picture: Ian Currie

Rachel Waterhouse, the chief executive of the Australian Shareholders Association, which represents mum-and-dad investors, said her organisation “does not support companies making ransomware payments to cyber criminals”.

But Nicholas Pockl-Deen, who heads the incident response team at information security company Gridware, said companies “absolutely” paid ransoms and cautioned outlawing the practice could send victims broke.

He said he had personal experience of “certain scenarios where if a ransom payment isn’t made, that could ultimately be the end of that business resulting in hundreds of people losing their jobs”.

The Medibank hack is believed to have originated in Russia. Picture: AFP

Aussie corporate cyberattacks since 2018

November 2022: Financially troubled cosmetics group BWX, which last year paid Zoe Foster-Blake $89m for half of her skincare brand Go-To, reveals that the credit card numbers and expiry dates of up to 2500 customers of its Flora & Fauna online shop may have been filched using “malicious code unlawfully inserted” into the website. No ransom was demanded or paid.

October 2022: Medibank reveals hackers have stolen details of more than 9.7m current and former customers, including names, dates of birth, Medicare numbers, phone numbers and claims data. A ransom was demanded but Medibank refused to pay. The AFP is investigating.

October 2022: Hackers gain access to the customer database of Woolworths subsidiary MyDeal, obtaining personal information including names, phone numbers and addresses – as well as the dates of birth of customers who bought alcohol. The company hasn’t had any contact with the hackers and hasn’t paid a ransom. The AFP is investigating.

September 2022: Optus admits hackers have downloaded the personal details of 9.8m current and former Optus customers, rendering about 10,000 Australians vulnerable to identity theft because information such as driver’s licence or passport numbers had been exposed. Hackers initially asked for a ransom but then dropped the demand. The AFP is investigating.

March 2021: A cyber-attack targets media group Nine Entertainment, taking down broadcast and corporate systems and forcing the company to scramble to get TV shows to air and its newspapers out. Nine did not pay a ransom.

July 2020: Hackers get into tech company Appen’s systems, obtaining data including customer and company names, email addresses, and some phone numbers. No ransom was requested or paid.

February 2019: Property valuers Landmark White reveal hackers have obtained customer information including names, residential and business addresses, email addresses, phone numbers and, in some cases, information about property valuations. As a result, CBA, ANZ and other banks temporarily stop using the company, costing it up to $7m in lost revenue and other expenses. A second attack in May 2019 results in company documents being posted on the internet. No ransom was demanded or paid. An IT contractor to the company, Stephen Grant, was charged over the attack but was acquitted of all charges in May last year.

November 2018: Shipbuilder and security contractor Austal says it’s been the victim of a breach “by an unknown offender” but there is no evidence information affecting national security was taken. A ransom was demanded but the company did not pay.

Originally published as Corporate Australia’s dirty little secret: Paying ransoms to cyber attack gangs to recover data

Original URL: https://www.couriermail.com.au/truecrimeaustralia/corporate-australias-dirty-little-secret-paying-ransoms-to-cyber-attack-gangs-to-recover-data/news-story/c076488b8764ec22f6894cb9a338c804