Thursday, 17 February 2022
Media release

Morrison government taking action against ransomware cybercriminals

The Morrison Government has today put criminal law reforms to Parliament that will see tougher offences and tougher penalties introduced for all forms of cyber extortion.

These changes will ensure cybercriminals who use ransomware face an increased maximum penalty of 10 years’ imprisonment and criminals targeting Australia’s critical infrastructure will receive a maximum penalty of 25 years’ imprisonment. It will also disrupt and deter cybercriminals who engage in ransomware and cyber extortion activities targeting Australians and Australian businesses.

The Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 is a key part of the Government’s Ransomware Action Plan, and will give law enforcement agencies the tools they need to pursue and prosecute ransomware gangs, and track, freeze and seize their illegally and dishonestly acquired gains.

Minister for Home Affairs Karen Andrews said the reforms are a firm response to the growing threat of malicious cyber attacks and send a clear message to individuals and organised crime groups seeking to do us harm.

“The Morrison Government is taking action to protect Australians against cyber criminals and their destructive and malicious ransomware,” Minister Andrews said.

“This Bill gives Australian law enforcement agencies the legal tools and capabilities they need to pursue and prosecute ransomware gangs and the pervasive threat of ransomware attacks on Australia and Australians.

“The Morrison Government will not tolerate attacks on Australia’s critical infrastructure, small businesses or targeting the most vulnerable members of our community. Cybercriminals use ransomware to do Australians real and long-lasting harm.”

Cybercriminals use ransomware because it is an effective means of exercising power over a victim. It allows cybercriminals to deny access to a device, system or data to extort ransom payments from victims, or on-sell the victim’s data and engage in further extortion.

The Ransomware Action Plan was announced on 13 October 2021 and builds on measures being progressed through the Cyber Security Strategy 2020, a $1.67 billion investment over 10 years to build new cybersecurity and law enforcement capabilities to protect Australian businesses and communities.

The Action Plan focuses the Government’s resources to help Australians prepare for and prevent ransomware attacks, build strengthened response and recovery mechanisms, and disrupt and deter perpetrators from targeting Australia.

The Bill delivers on key aspects of the Ransomware Action Plan by:

  • introducing a new standalone offence for all forms of cyber extortion so that cybercriminals who use ransomware face an increased maximum penalty of 10 years’ imprisonment.
  • introducing a new aggravated offence for cybercriminals seeking to target critical infrastructure, recognising the significant impact on assets that deliver essential services, with a maximum penalty of 25 years’ imprisonment.
  • introducing an aggravated offence for buying and selling malware for the purpose of committing a computer offence and dealing with stolen data, to halt the effectiveness of the ransomware business model, with a maximum penalty of 10 years’ imprisonment.
  • ensuring that law enforcement can monitor and freeze cybercriminals’ ill-gotten gains by extending current powers that cover financial institutions to digital currency exchanges.
  • ensuring the powers available to law enforcement to seize digital assets (including cryptocurrency) reflect the operational environment and that proceeds of crime are available for restraint and forfeiture action under the Proceeds of Crime Act 2002.

The Ransomware Action Plan can be accessed here.