Ransomware remains the most destructive cybercrime: ACSC

Ransomware tops the list of threats to Australian online security according to the third Annual Cyber Threat Report by the Australian Cyber Security Centre (ACSC), a part of the Australian Signals Directorate (ASD).

The Report is the product of insights from across the Commonwealth, with the Australian Federal Police, the Australian Criminal Intelligence Commission, the Australian Security Intelligence Organisation, the Defence Intelligence Organisation and the Department of Home Affairs also contributing.

The ACSC received over 76,000 cybercrime reports in 2021–22, an increase of nearly 13 per cent on the previous financial year. This equates to one report every 7 minutes, compared to one every 8 minutes in the previous financial year.

There was also a rise in the average cost per cybercrime report, to over $A39,000 for small business, $A88,000 for medium business, and over $A62,000 for large business.

Ransomware remains the most destructive cybercrime according to the ACSC.

“The ACSC received 447 ransomware cybercrime reports via ReportCyber. While this is a 10 per cent decrease compared with the 2020–21 financial year, reports remain higher than in 2019–20. It is also likely that ransomware remains significantly underreported, especially by victims who choose to pay a ransom.”

A 2022 study published by the Australian Institute of Criminology found only 19 per cent of ransomware victims sought advice or support from police or the ACSC. However, the study found nearly 60 per cent sought help from at least one formal source outside of their family or friends. The study found 23.2 per cent of small to medium business victims paid the ransom, with many millions of dollars being paid in ransoms and other associated costs.

“The education and training sector reported the most ransomware incidents in 2021–22, rising from the fourth-highest reporting sector in 2020–21. The threat to the education and training sector is significant as its business model favours open collaborative environments. Remote learning during the coronavirus pandemic also introduced large numbers of personal devices and new software into this sector.

“Ransomware groups have further evolved their business model, seeking to maximise their impact by targeting the reputation of Australian organisations. In 2021–22, ransomware groups stole and released the personal information of hundreds of thousands of Australians as part of their extortion tactics. The cost of ransomware extends beyond the ransom demands, and may include system reconstruction, lost productivity, and lost customers.”

The ACSC responded to 135 ransomware incidents in 2021–22, an increase of over 75 per cent compared to 2019–20. It notified 148 entities of ransomware activity on their networks.

“Cyber dependent crimes, such as ransomware, were a very small percentage of total cybercrime reports. Nevertheless, the ACSC assesses that ransomware remains the most destructive cybercrime threat. This is because ransomware has a dual impact on victim organisations - their business is disrupted by the encryption of data, but they also face reputational damage if stolen data is released or sold on. The public are also impacted by disruptions and data breaches resulting from ransomware,” the report notes.

“The evolution of Cybercrime-as-a-Service (CaaS) continued to increase the overall cybercrime threat to Australia. The expansion of the CaaS industry has lowered the barrier to entry for actors seeking to conduct cybercrime. For instance, Ransomware-as-a-Service (RaaS) provides actors who may not have the technical skill to develop their own ransomware with an opportunity to launch highly profitable attacks. In addition, the CaaS industry allows actors to monetise their expertise in a particular skillset. As a consequence, cybercriminals have become more specialised over 2021–22, and pose a greater threat to Australians and businesses.”

“Ransomware is a cyber dependent crime which can impact everyone from consumers through to countries. For example, the Costa Rican Government declared a state of emergency in May 2022 following ransomware attacks on nearly 30 government institutions, including its health, finance, energy and social services departments. While Australia has not experienced an incident of this scale, the potential remains for cybercriminals to cause widespread disruption.

“Top-tier ransomware groups are continuing to target Australian ‘big game’ entities—organisations that are high profile, high value, or provide critical services. While global trends indicate a decline in ‘big game’ targeting and a shift towards targeting small and medium sized businesses, that change has yet to be seen in Australia.

Dr Lennon Chang, Criminology, School of Social Sciences at Monash University said, “There is no big change in terms of cybercrime types compared to last year’s report. Money is still the main purpose for cybercriminals.

“The line between cybercrime and national security is becoming blurred. Cyberattack and cybercrime are now part of cyberwar. Cybercrime can become a national security issue, given the current landscape.

“More attention and resources need to be applied to understanding disinformation and developing countermeasures for the same. It is important for the Australian Government to work closely with its allies, including Taiwan.”

Case Study: Local council ransomware incident

In April 2022, a NSW council was targeted by a ransomware incident. The initial access occurred at least 2 weeks before the incident, with the malicious actor likely timing the incident to occur over the Easter long weekend.

Manual processes were immediately implemented to manage water-quality testing and level monitoring, and temporary servers were established within 24 hours to restore remote monitoring.

The incident impacted a wide range of business operations, including council minutes, employee financial data, and systems responsible for monitoring water quality. The incident also had a huge impact on council technology staff, who worked 40–80 hours overtime a week during their initial response.

The council engaged a commercial incident response provider, and its Managed Service Provider (MSP) deployed additional capabilities. The ACSC provided advice to the council and warned ACSC partners in the water sector to be alert to possible ransomware targeting.

The incident demonstrates the interplay between IT, operational technology, and the physical environment. The initial access through a legacy entry point impacted multiple systems, including operational technology systems, which meant that council workers had to manually test water quality and levels following overnight rain. A swift response by the council, its MSP, and the ACSC ensured there was no compromise of water or sewage services. The council’s MSP continues to monitor the dark web for data leaks.

The case study demonstrates the importance of decommissioning legacy systems and erecting firewalls between IT and operational technology systems.

Case Study: Australian social assistance organisation

In March 2022, an Australian social assistance organisation was targeted by ransomware resulting in the theft of data. The malicious actor gained access to the organisation’s servers through exploiting an unpatched version of Microsoft Exchange.

Within 4 days, the malicious actor moved from initial access to encryption. The organisation’s Chief Information Security Officer told the ACSC, “it spins my head about how quickly they were able to move around the network”.

The organisation identified that its systems had been encrypted and immediately notified Commonwealth and state agencies. It engaged its existing commercial incident response provider to provide technical support and conduct an investigation.

The organisation credits its ability to recover so quickly to maintaining a strong relationship with its incident response provider and to moving to cloud-based backups in the months before the incident. Remediation and related network security improvements cost approximately $A200,000, substantially less than the ransom demanded.

Since this incident, the organisation continues to monitor for residual risk, and is hardening its cyber defences more broadly, including enhanced restrictions for applications, and better managed network awareness.

During the organisation’s engagement with the ACSC, it shared indicators of compromise, which the ACSC shared through the CTIS portal. This enabled other organisations to better protect themselves, ultimately strengthening the security of Australian organisations.

Read the report in full