Ransoms: Forget Mandatory Reporting, Just Prosecute

By Ravi Nayyar

A Techno-Legal Update
21 min read · Jun 28, 2021

Ransomware is more than just a topic of water cooler conversation. It is a source of systemic risk for our societies and economies. I’ll let Europol explain:

Ransomware remains one of the, if not the, most dominant threats, especially for public and private organisations within as well as outside Europe…

Criminals continued making their ransomware attacks increasingly targeted. Ransomware has shown to pose a significant indirect threat to businesses and organisations, including in critical infrastructure, by targeting supply chains and third-party service providers.

There has been much chatter of late about how to deal with the specific issue of ransom payments. Do we do mandatory reporting regimes? Prosecution for money laundering? Ban payments? Rely on financial crime prevention obligations for virtual asset providers?

I will probe these questions. After introducing the threat from ransomware and the nature of the ransomware economy, I will look at some options to take down the latter. I will then evaluate two options: prosecution of the officers who are involved in the decision by victim entities to pay ransoms for money laundering; and mandatory reporting of ransom payments.

I will argue that prosecution is to be preferred over a mandatory reporting regime. In doing so, I will propose enactment of section 400.8A by amendment to the Criminal Code Act 1995 (Cth) if existing money laundering offences are held to not apply to the involvement of officers of a victim entity in the latter’s decision to pay a ransom.

Why is Ransomware Such a Massive Threat?

Ransomware is spoken of by governments in a manner similar to which they speak about major crime types like terrorism. Take Australia. The Australian Federal Police refers to terrorism as ‘a major security challenge for Australia’. The Commonwealth Department of Home Affairs’ Cyber Security Industry Advisory Committee refers to ransomware as ‘one of Australia’s fastest escalating threats’. The Australian Cyber Security Centre (‘ACSC’) highlighted that ransomware, over the year between July 2019 and June 2020, ‘has become one of the most significant cyber threats facing the operation of private sector organisations’.

Even the outcomes of terrorist and ransomware attacks can be quite similar. Infrastructure which depends on computers is neutered whether those computers are destroyed by an IED or left incapacitated by a ransomware infection. The compromise of said infrastructure — especially if it underpins critical services like electricity generation, water treatment, public transport and healthcare delivery — can have devastating impacts on populations who rely on these services. These impacts can be physical, with the compromise of patient care, as explained by the CyberPeace Institute:

Ransomware creates both an immediate risk to patient care and long-lasting impact on healthcare organizations. The escalation of ransomware attacks are particularly dangerous as they put both patient care and healthcare sector capability in jeopardy… As a result, healthcare organizations suffer from costly and time-consuming disruption, requiring funding to recover and improve their systems, re-train staff, and manage reputational damage. Losing access to medical records and life-saving medical devices obstructs the healthcare professionals’ ability to effectively care for their patients immediately and in the long run.

The impacts can also be psychological, with studies of Israeli adults finding similarities in the anxiety and fear that were experienced by subjects after an act of conventional ‘kinetic’ terrorism to that after an act of cyber terrorism.

The world has seen hundreds of hospitals, schools and local governments targeted in ransomware attacks in recent years. Surgeries have been postponed. The economy of Ukraine and a fifth of world shipping ground to a halt in the same attack. Per the OECD, ‘governments, public and private organisations as well as individuals have become dependent on the digital environment for their core activities’. Ransomware groups weaponise that dependence by bringing the ‘digital environment’ to a halt.

So we know ransomware is not a mere romance scam. How does its economy run?

What is the Ransomware Economy Built on?

Ransomware is built on a well-oiled business model. In addition to becoming more prolific, the purveyors of ransomware have become increasingly crafty in their tactics, techniques and procedures (‘TTPs’). For example, they conduct greater reconnaissance of targeted networks to inform their ultimate attacks and gauge the targeted entity’s capacity to pay ransoms.

Since the advent of ransomware-as-a-service (‘RaaS’), whereby the ransomware supply chain is broken up into elements that criminal entities specialise in, the barriers to entry for engaging in ransomware attacks have been lowered. Under the RaaS model, ‘attackers known as affiliates “rent” usage of a particular ransomware strain [aka type] from its creators or administrators, who in exchange get a cut of the money from each successful attack affiliates carry out’.

What fuels the entire business model is, of course, in the very name. Ransom. Ransom payments tend to be denominated in virtual assets, to use the terminology of the Financial Action Task Force (‘FATF’). Similar to how fiat currencies fuel terrorism, and serious and organised crime, virtual assets are a large part of the oil which makes the ransomware machine what it is.

And more so of late: blockchain forensics company, Chainalysis, observed a 337% rise in known ransom payments from 2019 to 2020, reaching over $400 million worth of virtual assets. The average ransom payment has grown over four-fold between Q4 2019 and Q1 2021.

The prevalence of virtual assets as the instrument of choice for ransom payments is also implied by how major ransomware attacks are followed by blog posts from forensics companies analysing where the ransom payment went and to whom. For instance, Elliptic provided an analysis of the movement of the bitcoins paid by Colonial Pipeline and other entities targeted with the DarkSide ransomware strain.

So, we know that ransomware attacks, like all forms of criminality and terrorism, are underpinned by the payment of something of value to the perpetrators and facilitators thereof. After all, why else demand said payments in the first place?

How Do We Target the Ransomware Economy?

So how do we bring down the ransomware economy?

AMLCTF

Well, advanced economies like Australia have drafted virtual asset service providers (‘VASPs’) like (depending on the jurisdiction) exchanges and custodian wallet providers into the fight against financial crime denominated in virtual assets via amendment to their anti-money laundering and counter-terrorism financing (‘AMLCTF’) laws. Apart from the general financial crime risk posed by virtual assets, a motivator for this was the amendment of the FATF Recommendations in October 2018 to require the regulation of VASPs.

Countries have imposed the same or similar obligations on VASPs as, say, traditional reporting entities like banks, casinos and payment processors. This is with the aim of providing greater financial intelligence to law enforcement agencies about criminality exploiting virtual assets, such as ransomware actors. That intelligence should enable agencies to identify and prosecute said criminality.

Prosecute the Officers

One way to target the ransomware business model is to prosecute, for money laundering, the officers of victim entities who are involved in the decision of those entities to pay ransoms. In the Australian context, I suggest prosecuting them under Criminal Code Act 1995 (Cth) ss 400.8(2) or 400.8(3) as appropriate on the facts (see the below image for the text of the provisions).

Source: Federal Register of Legislation

Virtual assets are considered property under Australian law, bringing the ransom payment within the definition of ‘property’ under the Criminal Code Act 1995 (Cth) s 400.1. The victim entity would, via the decision of its officers, ‘deal with’ the virtual assets constituting the ransom payment because the entity is disposing of them (section 400.2(1)(a)) by paying the affiliate.

Ransom payments themselves are at least highly likely to form the instruments of crime for the ransomware affiliate, that is (per section 400.1):

property… used in the commission of, or used to facilitate the commission of, an offence against a law of the Commonwealth, a State, a Territory or a foreign country that may be dealt with as an indictable offence (even if it may, in some circumstances, be dealt with as a summary offence).

Cybercrime would arguably fit within the definition of the relevant offence here. For example, per section 4G of the Crimes Act 1914 (Cth), an offence against a law of the Commonwealth that is punishable by imprisonment for a period exceeding 12 months is an indictable offence, unless the contrary intention appears. The computer offences under part 10.7 of the Criminal Code Act 1995 (Cth) that criminalise ransomware attacks all attract such a prison sentence.

And, to reiterate, why else would the ransomware affiliate demand the ransom in the first place if the ransom were not to contribute to their revenues and thus investment in committing further acts of cybercrime, that is, launch further ransomware attacks?

Such is the broad wording of the Criminal Code Act 1995 (Cth) ss 400.8(2)-(3) (see above image) that the defendant could be held guilty merely if:

  1. they deal with ‘money or other property’;
  2. ‘there is a risk that the [ransom payment] will become an instrument of crime’; and
  3. the defendant is either reckless (s 400.8(2)) or negligent (s 400.8(3)) as to the fact of said risk.

Given the circumstances in which ransoms tend to be paid, it is quite likely that the victim entity’s officers who are involved in the decision to pay possess one of these mens rea elements. One can safely assume that the officers would not intend that the ransom payment be used by the ransomware affiliate to commit further computer offences (and thus be captured by section 400.8(1)). Rather, they make the payment despite being aware of the risk that the virtual assets will become the instruments of crime. They would thus be reckless or negligent as to the risk.

If existing money laundering offences are held to not apply to the involvement of officers of a victim entity in the latter’s decision to pay a ransom, I propose enactment of the following offence via amendment to the Criminal Code Act 1995 (Cth):

Source: Author. The definition of ‘ransomware payment’ is drawn from that contained in proposed section 4 of the Bill. The definition of ‘officer’ is drawn from that contained in section 9 of the Corporations Act 2001 (Cth).

Hence, all forthcoming references by this article to prosecution for money laundering will be to the:

  • existing money laundering offences; and
  • in the event those offences are held to not apply to the relevant conduct of the officers of victim entities — proposed section 400.8A.

Report the Payments

Another form of targeting, which has gained a bit of press attention here in Australia at least, is requiring victim entities to report the payment of ransoms to the government. Opposition MP, Tim Watts, introduced the Ransomware Payments Bill 2021 (Cth) (‘the Bill’) in the Commonwealth House of Representatives on 21 June 2021.

If enacted, the Bill will mandate the reporting of payments to the ACSC in writing ‘as soon as practicable’ after they are made. In addition to the payment, per proposed section 8(2), the entity must report the ‘identity of the attacker, or what information the entity knows about the identity of the attacker’ as well as details about the actual attack, including any indicators of compromise known to the victim entity.

This arguably has similar motivations to the AMLCTF approach, in providing threat intelligence to law enforcement agencies to develop richer profiles of ransomware groups. The reporting of ransom payments can inform subsequent attribution of malicious cyber activity to the latter and thus law enforcement action against their members, finances and technical infrastructure.

Note that, if the victim entity is a listed company, it would arguably have to disclose to the market on which its shares are listed that it has paid a ransom, whether or not the Bill is passed. This is because of continuous disclosure obligations — in Australia, per Corporations Act 2001 (Cth) ch 6CA and the ASX Listing Rules ch 3.

After all, the fact of the ransom payment, unless disclosed to the market operator, would not be ‘generally available’ (per Corporations Act 2001 (Cth) s 674(2)(c)(i)).

Said fact would also be ‘information that a reasonable person would expect, if it were generally available, to have a material effect on the price or value of [the company’s shares]’ (per Corporations Act 2001 (Cth) s 674(2)(c)(ii)). The company has just provided a criminal entity with the instruments of crime. It has also admitted by this conduct that it has assured its cyber and operational resilience so poorly that it is reduced to gambling on a criminal keeping a ‘promise’ to provide decryption keys after the company pays the ransom.

Given the importance of organisational cyber resilience to the very viability of enterprises these days, it is arguable that such factors (to quote the Corporations Act 2001 (Cth) s 677) ‘would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of’ the company’s shares.

Now, there is already plenty of literature on the AMLCTF response to the ransomware issue (my own Hons thesis was on AMLCTF law applied to virtual asset ecosystems). These laws have been on the books, at least in Australia, for a few years now. I would like to focus on the ‘prosecute the officers’ and ‘report the payments’ approaches. I will argue in favour of the former over the latter.

Prosecute the Officers Already

Symbolism

I consider that prosecuting the officers involved in the decision to pay the ransom for a crime of the gravity of money laundering would carry great symbolic weight and act as a deterrent. There is a reason the Commonwealth money laundering offences are contained in Chapter 10 (‘National Infrastructure’) of the Criminal Code Act 1995 (Cth): money laundering is a major enabler of serious and organised crime, which is itself a threat to national security.

Laundering of ransom payments is a major driver for the operations of cybercrime groups that populate ransomware ecosystems. So much so that governments have been recommended by a cross-sectoral ransomware task force to ‘disrupt the ransomware criminal enterprise by using established frameworks that have been applied successfully to disrupt the activities of the mafia and other criminal organizations’. European agencies have observed organised ransomware groups to cooperate in the laundering of criminal proceeds, so critical is money laundering to these groups’ very existence.

So why would one want to help strengthen said existence rather directly by providing the instruments of crime necessary to fund it? This is the message prosecution will send.

Long-Term Impacts on Defendants

I consider that the outcome of a successful prosecution — especially the creation of, or addition to, the defendant’s criminal record — will act as a major deterrent. In addition to the fine and/or prison sentence that is handed down, it is the longer-term impact of that conviction and/or fine on defendants which matters. It is something the prosecuted officers will carry with them, affecting their ability to get work elsewhere. It could even result in their automatic disqualification from managing corporations, per Corporations Act 2001 (Cth) s 206B (see below image).

Source: Federal Register of Legislation

Liability, and long-term effects thereof, for people is critical to the deterrent against payment of ransoms because it will force the officers of victim entities to think twice. After all, victim entities do not make decisions in and of themselves: their human officers do. We need to target the latter’s decision making and their incentive structures.

Especially when that decision making can open or close the source of a large part of ransomware ecosystems’ finances, namely ransom payments.

Nah, Just Report the Payments

It could be argued, however, that the ‘report the payments’ approach is preferable to the ‘prosecute the officers’ approach.

Avoid Unfair Targeting of People

Mandating the reporting of ransom payments by the victim entity — with a civil penalty imposed on the latter if it breaches the reporting obligation (in the case of the Bill) — can be preferable because it avoids the unfair targeting of officers who may feel they have little choice but to pay the ransom. Prosecution for money laundering can represent a heavy-handed approach focused on retribution against the victim entity itself. The ‘report the payments’ approach can be viewed as more constructive policy because it focuses on helping authorities take action against the actual perpetrators of the attack, rather than (at least ostensibly) victim-shaming.

This is arguably why, in his second-reading speech for the Bill, Tim Watts MP praises the notification of payments as providing actionable threat intelligence to the ACSC and partner agencies, which can be used to inform counter-ransomware operations. Proposed section 9 from the Bill empowers the ACSC to use the report of a ransomware payment, once de-identified, to inform other parties, like law enforcement agencies and even the broader public, about the ‘current cyber threat environment’.

Better still, enshrining in law the regime for notification of ransom payments and linked information, and for the sharing of that intelligence by the ACSC with other parties, would provide vital legal certainty to all stakeholders in the fight against ransomware if the Bill passes.

Prosecution Can Drive Payments Underground

A mandatory notification regime for ransom payments can be argued to carry less risk of driving ransom payments underground.

At least in the case of proposed section 8(1) of the Bill, only the victim entity (and thus its shareholders) would bear the cost of a civil penalty for not reporting the payment. Yes, it is a hefty 1,000 penalty units ($210,000 per the definition of penalty unit in Crimes Act 1914 (Cth) s 4AA), but officers are saddled neither with the direct burden of paying it nor with a criminal record.

Moreover, proposed section 8(5) makes clear that the notification to the ACSC, its being made and ‘any information, document or thing obtained as a direct consequence of the giving of the notice’ are ‘[in]admissible in evidence against the individual [who made the notification] in criminal proceedings other than proceedings for an offence against section 137.1 or 137.2 of the Criminal Code that relates to this Act’. Hence, the officer who notified the ACSC and made the call to pay the ransom would be free of the risk of being prosecuted for money laundering on the basis of those matters.

Surely, given these factors, the officers of the victim entity would be less likely to turn to more secret means, harder for authorities to monitor, of obtaining virtual assets and paying the ransom?

Public-Private Partnerships

In turn, a ‘report the payments’ approach is more consistent with the policy imperative to strengthen public-private partnerships to fight cybercrime.

The ransomware threat requires a multistakeholder response, embodied in greater ‘operational collaboration to increase the scope, scale, pace, and efficacy of intelligence-driven takedowns and disruption of ransomware operations and the infrastructure and people that enable them’. The CyberPeace Institute points to the growth of public-private partnerships in incident response for the healthcare sector, for instance. An approach which strengthens such collaboration, itself a pillar of Australia’s Cyber Security Strategy, is to be welcomed. The ‘report the payments’ approach can be argued to safeguard such collaboration because it enshrines a form of intelligence sharing, rather than victim-shaming (as above), in law.

To continue the example of hospitals, IT staffers should be looking more to share indicators of compromise with agencies like the ACSC (a requirement per proposed section 8(2)(c)(iii) of the Bill) to help drive effective incident response, rather than adopting a more stand-offish approach due to fear of prosecution for paying ransoms to get their systems back online. Little wonder that a cross-sectoral ransomware task force endorsed the implementation of a reporting regime for ransomware payments.

Prosecution Is Still Better

I prefer, however, a ‘prosecute the officers’ approach over a mandatory reporting regime.

Cut the Problem at its Source: People

Yes, the ‘prosecute the officers’ approach can be considered to be rather heavy-handed on officers who make the decision to pay the ransom. Yes, it can be considered to focus on victims and not the perpetrators.

But I consider that criticism to be rather narrow-minded. This is because it overlooks the importance of stopping the virtual asset supply fuelling the ransomware threat at its source: the officers of victim entities who reckon paying ransoms is okay. As Tim Watts MP himself said when introducing the Bill:

Ransoms should not be paid.

Ever…

What [paying ransoms] does do is provide further resources to the criminal organisations mounting these attacks and create an incentive for them to carry out more attacks…

Mandating reporting of ransomware payments is far from a silver bullet for this national security problem…

Prosecution of the payment of ransoms as money laundering will send a clear message to all stakeholders. By creating legal risk for the actual people who make the call to pay ransoms, prosecution will create a deterrent against the making of that call, cutting off a major source of funds for ransomware affiliates and the broader ecosystems they populate.

Conversely, there is a risk that (larger) victim entities will treat the $210,000 civil penalty under proposed section 8(1) of the Bill as merely a cost for preserving their reputation in the shorter term by keeping their ransom payment secret; that is, until the penalty is handed down or a third party does basic blockchain forensics. Ashtray money for listed entities compared to the perceived costs of system downtime, which their officers may consider worth paying the ransom to rectify.

Prosecution will send a far stronger signal against paying the ransom. This is because the risk of prosecution targets the psychology of the decision makers at victim entities: their officers. And, last time I checked, humans are self-interested creatures. This is all the more necessary given the importance of all stakeholders making it clear via their actions — not mere press releases or quotes to the Australian Financial Review — that they will not pay ransoms, in order to reduce the appetite of ransomware affiliates to launch attacks in the first place.

Blockchain Forensics Are a Thing, Y’All

The argument about the risk of prosecution driving ransom payments underground is peculiar when the virtual assets in which ransoms are demanded tend to exist on public blockchains. These blockchains enable granular forensics that can be conducted by anyone with an Internet connection, especially when the virtual asset in question is Bitcoin: every transaction, its inputs, its outputs and their amounts are recorded permanently and in the clear, and the tracing problem is one of following outputs forward from a known ransom address and attributing the destinations. Civvies like us, as well as government agencies, can purchase sophisticated forensics solutions that enable the identification of ransom payments, the wallets they are transferred to and, potentially, the beneficial owner thereof. (The picture is murkier for assets designed to hide transaction graphs, such as Monero, or where funds pass through mixing services, but Bitcoin remains the dominant denomination for ransom demands.)

So it is unclear how a ‘prosecute the officers’ approach will necessarily:

  • drive victim entities and their officers ‘underground’, that is, to means of payment that governments apparently cannot monitor; and thus
  • undermine the policy response to ransomware.

Victim entities’ ransom transactions will be visible to all, including prosecutors. The specificity of the data available to the latter is evident in the case study provided by Chainalysis on how authorities followed the bitcoins to disrupt the NetWalker ransomware strain.

The authorities can use such data and forensics solutions to identify, and track the laundering of, ransom payments in the first place, rather than having to rely on compliance with a mandatory reporting regime by victim entities to plug a gap in their financial intelligence on the ransomware threat.
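To make the tracing that this section relies on concrete, here is an added illustration (not code from the article, nor any forensics vendor’s product) of the two basic techniques behind ‘following the bitcoins’: forward taint tracing from a known ransom address through later transactions, attributing each output pro rata, and the common-input-ownership heuristic that groups addresses spent together in one transaction as belonging to the same key holder. The ledger, the address names, the amounts and the attribution labels are all constructed for the example and correspond to no real chain data.

```python
"""Toy forward-tracing of a ransom payment across a public UTXO ledger.

Added illustration only. The ledger below is constructed by hand; address
names, amounts and labels are invented and correspond to no real chain data.
"""
from collections import defaultdict

# Constructed ledger in confirmation order. Each tx lists the (address, amount)
# pairs it spends and the (address, amount) pairs it creates. Amounts in BTC.
TXS = [
    {"txid": "t1", "inputs": [("victim_a", 75.0)], "outputs": [("ransom_1", 75.0)]},
    {"txid": "t2", "inputs": [("ransom_1", 75.0)], "outputs": [("affil_1", 60.0), ("ops_1", 15.0)]},
    {"txid": "t3", "inputs": [("affil_1", 60.0), ("affil_2", 10.0)], "outputs": [("mixer_in", 70.0)]},
    {"txid": "t4", "inputs": [("mixer_in", 70.0)], "outputs": [("hop_1", 40.0), ("hop_2", 30.0)]},
    {"txid": "t5", "inputs": [("hop_1", 40.0)], "outputs": [("exch_dep_1", 40.0)]},
    {"txid": "t6", "inputs": [("unrelated", 5.0)], "outputs": [("hop_2", 5.0)]},
]

# Hypothetical attribution data of the kind a forensics vendor supplies.
LABELS = {
    "exch_dep_1": "deposit address at a hypothetical exchange",
    "ops_1": "RaaS operator share",
}


def trace_taint(txs, start, start_amount=None):
    """Follow coins forward from `start`, attributing outputs pro rata.

    Returns {address: (hops_from_start, tainted_amount_received)} for every
    address that receives any part of the traced coins. Each input contributes
    at most the tainted balance sitting on its address, so coins from
    unrelated sources (affil_2, unrelated) dilute but never count as taint.
    """
    if start_amount is None:  # default: everything ever paid to the start address
        start_amount = sum(a for tx in txs for addr, a in tx["outputs"] if addr == start)
    taint = defaultdict(float)   # tainted balance currently held per address
    received = defaultdict(float)  # tainted amount ever received per address
    hops = {start: 0}
    taint[start] = received[start] = start_amount
    for tx in txs:  # ledger order guarantees inputs were created earlier
        tainted_in, min_hop = 0.0, None
        for addr, amount in tx["inputs"]:
            share = min(taint[addr], amount)
            if share > 0:
                tainted_in += share
                taint[addr] -= share
                min_hop = hops[addr] if min_hop is None else min(min_hop, hops[addr])
        if tainted_in == 0:
            continue  # tx spends no traced coins; ignore it
        total_in = sum(a for _, a in tx["inputs"])
        for addr, amount in tx["outputs"]:
            tainted_out = tainted_in * amount / total_in  # pro-rata attribution
            taint[addr] += tainted_out
            received[addr] += tainted_out
            hops.setdefault(addr, min_hop + 1)
    return {addr: (hops[addr], amt) for addr, amt in received.items()}


def input_clusters(txs):
    """Common-input-ownership heuristic via union-find.

    Addresses spent together in one transaction are assumed to be controlled
    by the same key holder. Returns {address: cluster_root}.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        root = find(tx["inputs"][0][0])
        for addr, _ in tx["inputs"][1:]:
            parent[find(addr)] = root
    return {a: find(a) for a in parent}


def same_owner(txs, a, b):
    """True when the co-spending heuristic places a and b in one cluster."""
    clusters = input_clusters(txs)
    return a in clusters and b in clusters and clusters[a] == clusters[b]


def labelled_endpoints(report, labels):
    """Traced addresses that carry an attribution label, nearest hop first."""
    return sorted((h, addr, labels[addr], amt) for addr, (h, amt) in report.items() if addr in labels)


if __name__ == "__main__":
    report = trace_taint(TXS, "ransom_1")
    for addr, (h, amt) in sorted(report.items(), key=lambda kv: kv[1][0]):
        print(f"hop {h}: {addr:12s} {amt:9.4f} BTC  {LABELS.get(addr, '')}")
    print("affil_1 and affil_2 co-spent:", same_owner(TXS, "affil_1", "affil_2"))
```

Run as a script, the trace shows 60 of the 75 BTC reaching the ‘mixer_in’ address two hops out and roughly 34.29 BTC landing on the labelled exchange deposit address four hops out, while the operator’s 15 BTC cut is flagged one hop out; the co-spend in t3 ties ‘affil_2’ to the affiliate’s cluster even though it never touched ransom funds. Real investigations differ in scale, not in kind: the same graph walk runs over the full chain and the attribution labels come from a vendor’s or an agency’s own collection.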

Poor Cyber Resilience Is Not an Excuse

Perhaps most importantly, criticism that the ‘prosecute the officers’ approach ignores the context of individual payers is narrow. Yes, the officers of victim entities may feel that they lack any choice beyond paying the ransom in order to get their computer infrastructure back online. But that arguably misses the point, which is having risk-based cyber resilience strategies in place.

If organisations are able to minimise the chances of their getting breached, that goes a long way towards avoidance of the hopeless position where they feel they have to cough up a ransom. Per the ACSC, if organisations ‘make regular backups offline and secure important and sensitive information[, they] effectively remove the need to pay ransom demands’. Organisations must focus on making themselves truly cyber resilient, able to ‘operate during, and to adapt and recover, from [a breach of cyber resilience]’.

The sort of reporting regime proposed by the Bill is thus, on its own, of little use: it does not penalise the payment of ransoms in the first place and so does not represent a strong enough incentive for organisations to avoid that hopeless position, namely a catastrophic failure of cyber resilience. A financial penalty for breach of a reporting regime is borne, in effect, by the shareholders of the victim entity and will carry little deterrent against paying up, unlike the risk that the officers who make the call to pay are prosecuted for money laundering. Criminal liability of the officers would work in conjunction with their liability — under Corporations Act 2001 (Cth) pt 2D.1 and under the general law — for breach of officers’ duties attracted by a catastrophic failure of cyber resilience.

Prosecution for money laundering of the victim entity’s officers will also add teeth to the advice that paying ransom is futile for victims because it ‘does not guarantee decryption of data’. There have been many cases where the payment of ransoms has not been followed by the promised decryption of victims’ data or was followed by another breach by the same attacker. Victim entities will follow that advice more readily, given the personal criminal liability of their stewards for doing otherwise.

One should also note that a prosecution-based approach is not an island. It would be complemented by existing policies to strengthen organisational cyber resilience, particularly that of SMEs. Large businesses and governments have a role to play in providing advice and tooling to help smaller entities minimise the chance of their victimisation by cybercriminals, a matter acknowledged, for instance, by Australia’s Cyber Security Strategy. Little wonder the Commonwealth plans to invest more in Joint Cyber Security Centres in Sydney, Melbourne, Brisbane, Perth and Adelaide, and in exercising incident response procedures with the private sector.

Note that issues like duress applied against the victim entity by the ransomware affiliate and the nature of the victim entity (like a hospital wanting to keep patient care running) will be taken into account via prosecutorial discretion. I’ll leave the finer details of exemptions from prosecution, and how prosecutorial discretion in the ransomware context should be guided, to be explored by people more knowledgeable than I.

Prosecution Strengthens Public-Private Partnerships

The ‘prosecute the officers’ approach will strengthen public-private partnerships in the fight against ransomware. All stakeholders are aware that ransom payments must not be made. As the ACSC makes clear, ‘the likelihood that an Australian organisation will be retargeted increases with every successful ransom payment’. Tim Watts condemned ransom payments when introducing the Bill, as above.

Since public-private partnerships seek to counter ransomware, it is unclear how the state’s failure to directly penalise the paying of ransoms, and the corporate officers involved therein, would strengthen said partnerships. To the contrary, failure to take action against the officers will encourage a Sisyphean situation: stakeholders come together with an aim to make ransomware history, only to see ransomware ecosystems flourishing because the latter are still obtaining ransoms. How is the payment of ransoms in the spirit of the fight against ransomware? It is roughly the equivalent of businesses in regional Australia selling precursor chemicals to the criminals who manufacture the very methamphetamine devastating the communities those businesses operate in.

That the payment of ransoms is left unpenalised also undermines the spirit of public-private partnerships because victim entities that do not pay may regard those that do pay as gaining some competitive advantage by doing the wrong thing, assuming the ransomware affiliate promptly hands over decryption keys after the payment is made. The victim entities who do not pay will also consider the state to have abandoned its role as a regulator, undermining the trust and relationship between the private sector and the state. The very bedrock of partnerships in the first place.

And, of course, governments should work to ensure that victim entities are adequately supported, financially and technically, in getting their systems back online. An example of support mechanisms is the Cyber Response and Recovery Fund which has been proposed in the US Senate under the Assessing a Cyber State of Distress Act of 2020. Such a fund will be useful because it could:

help cover business continuity and remediation costs for organizations attacked with ransomware; establish rapid response teams to assist life-line organizations (such as hospitals) to restore functionality quickly; and provide liability protection for business interruptions caused by refusing to pay ransoms.

These are tangible benefits that help victims recover from an attack and reduce the chance that they turn to paying ransoms in an attempt to ‘fast-track’ said recovery. Recovery assistance packages will form the ‘carrot’ to get entities to not pay the ransom, while prosecution for money laundering will form the ‘stick’. Recovery assistance policies should be brought in alongside the implementation of the ‘prosecute the officers’ approach to minimise the chance of victim entities, or stakeholders more generally, feeling that the state has left them to fend for themselves.

One should also note that criticism of the ‘prosecute the officers’ approach as undermining public-private partnerships due to being a black-letter law approach ignores the fact that mandatory reporting regimes, such as that under the Bill, are black-letter law approaches themselves. That too, backed by (in the Bill’s case) a hefty civil penalty for non-compliance. To reiterate, there is a risk that victim entities will treat the civil penalty under proposed section 8(1) of the Bill as a mere cost of doing business to be borne by shareholders in exchange for temporary (perceived) secrecy of the ransom payment. That can reduce the utility of the reporting regime as a counter-ransomware tool. Merely another reporting obligation which can be ignored when the finances of the victim entity are good enough. If the victim entity is a listed company and would have to disclose the payment under continuous disclosure laws (as above), they may even thumb their nose (figuratively speaking) at a ‘pointless, duplicative compliance obligation’ created under the Bill should it pass.

To the contrary, prosecution of the officers of the victim entity who are involved in the decision to pay the ransom in the first place cannot be shifted to shareholders: it is a cost borne by the decision makers alone. It will force them to think again before causing the victim entity to pay off a cybercriminal.

Conclusion

In this article, I probed a few questions surrounding the ransomware threat. I focused on the issue of ransom payments, critically evaluating whether governments should adopt a ‘prosecute the officers’ or a ‘report the payments’ approach. I argued in favour of the former when used in conjunction with policies to strengthen the cyber resilience of potential ransomware victims and help victim entities recover from ransomware attacks. In doing so, I proposed enactment of section 400.8A by amendment to the Criminal Code Act 1995 (Cth) if existing money laundering offences are held to not apply to the involvement of officers of a victim entity in the latter’s decision to pay a ransom.

Please note that I am by no means an expert. I do not claim to have covered the field on this area of counter-ransomware policy and lack the experience of cyber resilience practitioners and policymakers in dealing with ransomware. My positions may sound provocative, but I deliberately picked a side here to stimulate discussion that can educate me on how counter-ransomware policy should be designed. Hence, any feedback on this article will be greatly appreciated!

Vignettes from the intersection of law and technology, and a word or two about sport. Composed by Ravi Nayyar.