Jaco Benadie
PETALING JAYA: Ransomware crimes are challenging to track because there is presently no regulatory mandate for Malaysian companies to report cyber incidents and hence, there is a need for more legal impetus to combat these ransomware attacks.
KPMG highlighted this recently, pointed out that cyber criminals have capitalised on the disruption caused by the Covid-19 pandemic, with ransomware being a common modus operandi.
Recent international cyberattacks on healthcare systems, national gas pipelines and water supplies show a ruthless drive for profit at the expense of human lives. One of the reasons behind the growing brazenness is due to the lack of legal ramifications against these types of attacks.
“Cyberattacks are no longer just a business issue but have become a threat to national security. The problem with cyberattacks such as ransomware is that these are essentially ‘borderless’ crimes.
“Most of these criminals cannot be held accountable for their actions if they are based in a different country from where the crime is committed without any law enforcement collaboration agreements in place,” said KPMG in Malaysia head of Cyber Jaco Benadie.
“Last year, 41 per cent of organisations worldwide reported experiencing increased incidents of ransomware attacks while employees were working remotely.
“Cyber criminals have profited upwards of US$350 million in 2020, an increase of 311 per cent from 2019, from ransomware.
“These incidents will likely proliferate if there is no concentrated effort between local and international diplomatic and law enforcement authorities to proactively combat ransomware,” he added.
Jaco explained that ransomware crimes are challenging to track because there is presently no regulatory mandate for Malaysian companies to report cyber incidents. Furthermore, with ransoms requested and paid for using cryptocurrencies, the crime can be perpetuated with little to no trace to the criminals, hence the lack of prosecutions.
“Organisations at the mercy of criminals may also not be willing to disclose that they have been victims of cyberattacks or ransomware lest they risk reputational damage, indicating that cyberattack figures may be significantly higher than reported.
“The Malaysian government can play a pivotal role to engender confidence among businesses that there are adequate support mechanisms to help victims with no resources to protect themselves,” said Jaco.
One approach can be to establish a national framework to help businesses prepare for and respond to ransomware attacks. There have been discussions in other jurisdictions about the feasibility of mandatory reporting of ransom payments or making it illegal, but this approach comes with its own pros and cons. The government can also introduce stricter cryptocurrency regulations to ensure cryptocurrency exchanges are better regulated including KYC, AML and CFT laws and make it more difficult for criminals to launder ransomware proceeds.
“The Malaysian government has taken positive steps forward in the fight against ransomware with the setting up of a special task force to identify and study cyber security issues for the purpose of enacting relevant laws as part of the Malaysia Cyber Security Strategy (MCSS). While a good start, more can be done. Ransomware attacks are first and foremost profit-motivated crimes, hence a stringent approach is required to cull emboldened criminals from further callous attacks,” Jaco advised.
However, this is a massive undertaking that will require time. In the meantime, businesses must consider taking measures to stay on top of the threat.
The changing shape of ransomware, a latest report by KPMG International, notes that the massive shift to remote working presented opportunities and network vulnerabilities for criminals to exploit via phishing or remote access attacks.
Businesses need to ensure that they have both proactive and reactive steps in place to reduce impact and minimise business disruption.