New legislation could punish ransomware attacks with up to 25 years in prison

Any hacking group could be sentenced to 25 years in prison for cyberattack campaigns targeting critical infrastructure in Australia. Under the new local legislation, proposed in a recently announced bill, Australian authorities will also be able to investigate hacking groups operating from abroad and request their extradition, and to seize the physical and digital assets involved in the investigations.

In addition to these guidelines, the laws in force determine that the new cybercrimes in Australia include the sale and theft of data, malware trafficking and other tasks related to cybercriminal hacking.

Another characteristic feature of the new regulatory framework is the establishment of a mandatory ransomware incident reporting system, whereby companies with profits above $10 million are obliged to give notification if they are victims of ransomware attacks.

This legislation is part of the federal government’s attempt to create a ransomware-fighting scheme similar to that implemented by countries such as the United States. At the time of introducing the bill, Home Affairs Minister Karen Andrews mentioned that this is a “critical step” in trying to deter ransomware gangs, enabling a more effective police response and disrupting the attackers’ revenue stream.

If passed, this bill will allow law enforcement agencies to investigate and prosecute cybersecurity threats even overseas, as long as it is shown that the well-being of Australian citizens has been affected.

The legislation also includes a new statute to criminalize all forms of extortion in relation to a victim of a computer crime, regardless of the type of access or contact with the victim: “In this way, cybercriminal groups will be subject to responsibility even if they perform specific tasks and do not have direct contact with the victim,” adds the official.

This is undoubtedly innovative legislation, which covers some of the most widely used hacking mechanisms today so that all variants of cyberattack can be considered punishable cybercriminal acts.
