Clifford Gouldson Lawyers

The Criminalisation of Ransomware Payments


In late 2022, the Australian government announced it was considering new laws to make it illegal for companies to pay ransoms to cyber criminals[1], and that it would increase penalties for data breaches. The announcement came after a series of high-profile cyber attacks in Australia in 2022.

Imagine a world where a business in Australia that chooses to pay a ransom so it can keep operating then faces fines or penalties for making that payment.

Cyber security experts welcomed these announcements as a possible further step towards fortifying Australia's cyber security protections, reflecting what has been happening internationally.

Business groups in Australia have expressed concern about the possible reforms.

If reforms proceed, will any ban on ransom payments be implemented through civil or criminal law?

Will organisations who make ransom payments face civil penalties or criminal sanctions?

What options might exist for the ban?

At this stage, certain US states, including New York and Hawaii, have introduced bills prohibiting governmental, business and healthcare entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack, with a civil penalty of up to US$10,000 imposed for any violation of the ban.

New York proposes to amend the state’s technology law to include the ban, whilst Hawaii proposes to amend Chapter 128A of its Homeland Security, Hawaii Revised Statutes.

Whether civil penalties will be effective in deterring ransom payments is uncertain. If business survival is at stake, it may remain in the interests of the business to pay the ransom and simply absorb the civil penalty.

Alternatively, governments may decide to criminalise the payment of ransoms through corporate criminal law, making it an offence to pay a cyber ransom. A company would then be criminally liable, and its directors and officers potentially personally liable, if the corporation commits the offence. The deterrent effect of a criminal consequence for paying a ransom is likely to be greater than that of a civil remedy.

Many believe strongly that criminalising ransom payments will do nothing to discourage cyber crime. A ban on extortion cover in insurance policies has provided little deterrence to cybercriminals.

Is it about financial gains?

The hope is that criminalising ransom payments will reduce the number and severity of cyber attacks: if fewer companies pay because paying is an offence, the financial incentive for criminals falls.

However, motivating forces for cyber criminals extend beyond financial gain. There are other forces at play including ideological reasons, personal or professional revenge, or the thrill of the hack.

How creative are Cyber Criminals?

Financial gain is obviously a main driving force behind cyber attacks, but if the criminalisation of ransom payments occurs, how creative might cyber criminals be in finding ways around the regime? Cybercriminals have proven themselves to be resilient, motivated and creative in identifying new opportunities.

For example, in 2019 Microsoft claimed that multi-factor authentication (MFA) can prevent over 99.9% of account compromise attacks[3], and yet in 2022 cyber criminals escalated attacks on MFA methods globally, launching MFA bypass attacks to compromise accounts.[4]

Reports already suggest that cybercriminals are prepared to disguise ransom payments as fees for legitimate cyber security services delivered after the attack, and uncovering evidence of the attack may prove difficult when the paying company is motivated by survival.

Are ransom payments reducing?

Research published in January 2023 found that fewer companies paid extortion payments to cyber criminals in 2022 than in either 2021 or 2020.[5]

In the findings published by Chainalysis Inc on 19 January 2023, ransom payments (which are almost always made in cryptocurrency) fell to US$456.8 million in 2022 from US$765.6 million in 2021. Chainalysis did not attribute the 40% drop to a fall in the number of attacks; rather, much of the decline was due to victim organisations refusing to pay.

The Chainalysis research is supported by data from the cyber incident response company Coveware, which disclosed that the proportion of its clients paying a ransom after an attack has steadily decreased since 2019, from 76% to 41% in 2022.

There are a few reasons for this:

  1. The cyber attack resistance and resilience of organisations is improving.
  2. The legal risks associated with ransom payments are increasing, both in Australia and in other jurisdictions such as the US, UK and EU. Sanctions, anti-money laundering and counter-terrorism laws make a ransom payment more legally complex than many organisations previously understood.
  3. There are reputational ramifications for an organisation that is publicly known to have paid a ransom.
  4. The Australian government's position that organisations should never pay a ransom is becoming more widely known.
  5. The Australian Cyber Security Centre (ACSC), and the Office of the Australian Information Commissioner (OAIC) where a data breach is involved, have increased public-private collaboration, which often results in contractual or relational discouragement of ransom payments.

The number and frequency of cyber attacks continue to grow. Today, ransomware remains one of the top threats to organisations, and cybercrime is costing the Australian economy an estimated AUD42 billion annually.[6]

Should victims be punished?

If victims of a cyber attack were punished (whether civilly or criminally) would that be contrary to the very foundation of the justice system in Australia?

Criminal law seeks to identify and punish criminals for the protection of society, the greater good. The offending conduct here is surely the demand for a ransom payment (ie. the cyber crime itself), and there are laws already in place (sanctions laws, anti-money laundering laws and counter-terrorism laws) that should be sufficient to discourage that conduct.

Laws imposing a risk of a civil fine or criminal prosecution on the party that paid the ransom would surely punish the victim of the crime and do nothing for the protection of society, the greater good.

Perhaps the laws might differentiate between large organisations that failed to put in place accepted protocols to minimise the risk of cyber crime, and less resourced and capable organisations that arguably simply did not have the resources to meet best practice in cyber security. According to the Australian Small Business and Family Enterprise Ombudsman, only 2.7% of businesses in Australia employ more than 20 employees. Perhaps a better focus for the government than punishing victims of cyber attacks would be to invest in resources for the 97.3% of Australian businesses that might struggle to implement best practice cyber security protocols.

Australia’s cyber resilience as a nation is improving, but small to medium enterprises might need a hand to get to where they need to be.

What does it mean for you?

Our Intellectual Property team regularly advises clients on their contractual documents and policies, and assists in guiding responses to cyber attacks and data breach incidents.

In our experience, advisors need to work together collaboratively to provide organisations with the best possible protocols and procedures to minimise cyber attacks and the impact of any attack on the future viability or survival of the business.

If you need support in this developing area of law, please reach out to our Intellectual Property and Start-up team for advice tailored to your situation.


[1] https://www.smh.com.au/politics/federal/we-will-hunt-them-down-o-neil-signals-more-action-on-medibank-hack-20221113-p5bxsi.html
[2] https://ministers.ag.gov.au/media-centre/joint-standing-operation-against-cyber-criminal-syndicates-12-11-2022
[3] https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
[4] https://www.techtarget.com/searchsecurity/news/252525234/Cybercriminals-launching-more-MFA-bypass-attacks and https://its.unc.edu/2022/10/20/mfa-bypass/
[5] Chainalysis, "Ransomware revenue down as more victims refuse to pay", 19 January 2023
[6] https://www.unsw.adfa.edu.au/newsroom/news/cybercrime-estimated-42-billion-cost-australian-economy


For further information please contact Ben Gouldson

CG Law (Trading) Pty Ltd ACN 143 426 028 t/a Clifford Gouldson Lawyers ABN 89 143 426 028 Liability limited by a scheme approved under professional standards legislation.
Copyright © 2025 Clifford Gouldson Lawyers · Privacy & Disclaimer · Terms of Use · Marketing by John Gray Marketing · Site by Kingfisher