By: Kieran Doyle, Nicole Gabryk, Rakhee Dullabh and Rebecca Wilson
At a glance
- In early October 2024, Australia imposed sanctions on three Russian nationals linked to the Evil Corp cybercrime group.
- The Cyber Security Bill 2024 aims to strengthen Australia’s defences against ransomware and cyber threats.
- Businesses must seek legal guidance to ensure compliance with evolving sanctions and ransomware reporting laws.
Background
Earlier this month, Australia imposed financial sanctions and travel bans on three Russian citizens for their involvement in the Evil Corp cybercrime group.
In this article, we summarise the current landscape of cyber sanctions in Australia, legal considerations for payment of a ransom, as well as upcoming reforms expected in this space.
Cyber sanctions framework
In Australia, the Autonomous Sanctions Act 2011 (with related regulations and instruments) establishes a regime where certain individuals or entities can be “designated” as sanctioned, if the Minister for Foreign Affairs is satisfied they have caused, or have assisted/attempted to cause, a significant cyber incident (Autonomous Sanctions Regime).
It is a criminal offence to directly or indirectly make an asset available to, or for the benefit of, a sanctioned person or entity. Offences also apply to dealing with an asset that a sanctioned person owns or controls. The prohibition on “dealing” with assets includes using, selling or moving assets, as well as facilitating access to an asset.
Recent cyber sanctions on threat actors
Australia’s first cyber sanctions were imposed in January 2024 on Aleksandr Ermakov, a Russian national involved in the 2022 Medibank cyber incident.
In May 2024, sanctions were imposed on Dmitry Yuryevich Khoroshev, a senior leader of the LockBit group.
On 2 October 2024, sanctions were imposed on Maksim Viktorovich Yakubets, Igor Olegovich Turashev and Aleksandr Viktorovich Ryzhenkov, who hold senior roles in the Evil Corp group.
Bill introduced to Parliament
On 9 October, the Cyber Security Bill 2024 (Bill) was introduced to Parliament by Minister Tony Burke. The Bill aims to strengthen Australia’s defences against ransomware and cyber threats.
Key measures include mandatory reporting of ransomware payments, stricter security standards for smart devices, and the creation of an independent cyber incident review board.
The Bill also updates the Security of Critical Infrastructure (SoCI) Act to enhance risk management for critical infrastructure and streamline reporting.
What does this mean for ransom payments?
There are a number of practical and legal considerations for entities before any ransom payment is made:
- Obtaining legal advice before any payment is made is fundamental to ensuring compliance with current laws and the evolving sanctions regime.
- New laws around ransom reporting should be factored into incident response planning.
As the cyber threat landscape continues to develop, organisations must adapt their response strategies to remain aligned with Australian law and best practices in cybersecurity.