Ransomware attacks remain the most destructive online crime, the Australian Cyber Security Centre says in its annual report for the period July 2021 to June 2022, claiming ransomware groups had additionally resorted to stealing and releasing personal data to achieve their ends.

Ransomware attacks are more or less exclusively limited to systems running versions of Microsoft’s Windows operating system.

This was one of the trends that the ACSC mentioned, but most of the others — cyber space has become a battleground; Australia’s prosperity is attractive to cyber criminals; worldwide, critical infrastructure networks are increasingly targeted; and the rapid exploitation of critical public vulnerabilities became the norm — are hardly new.

The report said losses in business email scams had risen to $98 million, the cost of a network attack had risen by 14%, common software flaws reported had risen by 25% and up to 200,000 routers used in homes and offices were open to compromise.




The report also listed many actions initiated by the Centre, including responding to 135 ransomware incidents, which it claimed was a rise of 75% from 2019-20.


But the ACSC’s own report last year said there had been 500 ransomware incidents reported.

The report said the highest reported losses to online crime were in the Northern Territory ($40,000) and Western Australia ($29,000).

The most frequently reported online crimes — called cyber-enabled crime — were online fraud (27%), online shopping (14%) and online banking (13%).

“Cyber-dependent crimes, such as ransomware, were a very small percentage of total cyber crime reports,” the report said. “Nevertheless, the ACSC assesses that ransomware remains the most destructive cyber crime threat.

“This is because ransomware has a dual impact on victim organisations — their business is disrupted by the encryption of data, but they also face reputational damage if stolen data is released or sold on. The public are also impacted by disruptions and data breaches resulting from ransomware.”

The full report can be read here.

Commenting on the report, Satnam Narang, senior staff research engineer at security firm Tenable, said: “While it’s noteworthy that the ACSC responded to 135 ransomware incidents, a 75% increase compared to 2019-20, it also saw a 10% decrease in the number of ransomware cyber crime reports in 2020-2021.

“What’s most important to recognise about ransomware attacks is that the figures can be misleading, as some organisations won’t report these incidents. Many organisations are not legally obligated to report unless personal information is compromised, and unless such an incident will likely result in, or likely cause serious harm to the individual whose information was compromised or exposed.

“Another noteworthy element of this report is that the education and training sector reported the most ransomware incidents in 2021-2022, rising from the fourth spot in 2020-2021.

“In Tenable’s 2021 Threat Landscape Retrospective report, we observed that ransomware attacks accounted for 52% of all attacks in the education sector. It’s no surprise that education remains one of the top targeted sectors around the world and will continue to be vulnerable, along with hospitals and government agencies.

“Additionally, some ransomware incidents remain hidden because the victims will pay the ransomware groups before the threat of public exposure is made. It’s also possible that, despite the decrease in the number of ransomware incidents, the payments made to ransomware groups are likely higher than in previous years, as evidenced by recent reports from the US that found US$1.2 billion in ransomware payments processed by US banks in 2021.

“It’s abundantly clear that ransomware remains the biggest threat to organisations of all sizes in Australia and the rest of the world.”

Alyssa Blackburn, director of Information Management at independent SaaS vendor AvePoint, said: “Australia’s Privacy Act is outdated and no longer reflects the nature of the modern workplace or modern consumer behaviour, nor does it address the complexity and sophistication of today’s security and threats landscape.

“Penalties that can be applied under the act are limited and do not act as a deterrent. At this stage, and with the rapid pace of digital transformation and adoption, simply updating the Privacy Act would not suffice as a way of keeping Australian businesses and citizens’ data secure.

“There needs to be a holistic overhaul of the way data is captured, managed, protected and retained. This includes both simplifying and expanding the regulations around data retention, designing and implementing a strong regulatory framework, and introducing a Data Commissioner.”

Ashwin Pal, director of Cyber Security and Privacy Risk Services at audit, tax and consulting firm RSM Australia, said new mandatory reporting obligations on critical infrastructure entities would not commence until 8 July – after the ACSC’s annual reporting period.

“Next year’s report will likely show a spike in incidents because the new laws capture a considerably larger group of industries and infrastructure assets,” he said.

“They also give the Australian Government ‘walk-in’ rights to manage a serious cyber attack if it’s not being managed properly and is compromising the provision of essential services.”

He said the Russia-Ukraine war highlighted the increasing role that cyber and, specifically, cyber warfare, could play in conflict.

“It clearly shows that cyber is the fourth frontier in warfare now alongside land, air, and sea. This also demonstrates the vulnerability of nations as they become more connected and the need to identify key assets and manage their vulnerabilities – a key objective of Australia’s new critical infrastructure laws.”

Graphic courtesy Australian Cyber Security Centre


