PETALING JAYA, 10 June 2021 – Cyber criminals have capitalized on the disruption caused by the COVID-19 pandemic, with ransomware being a common modus operandi. Recent international cyberattacks on healthcare systems, national gas pipelines and water supplies show a ruthless drive for profit at the expense of human lives. One of the reasons behind the growing brazenness is due to the lack of legal ramifications against these types of attacks.

“Cyberattacks are no longer just a business issue but have become a threat to national security. The problem with cyberattacks such as ransomware is that these are essentially ‘borderless’ crimes. Most of these criminals cannot be held accountable for their actions if they are based in a different country from where the crime is committed without any law enforcement collaboration agreements in place,” said Jaco Benadie, Head of Cyber at KPMG in Malaysia.

Last year, 41 percent of organizations worldwide reported experiencing increased incidents of ransomware attacks while employees were working remotely[1]. Cyber criminals have profited upwards of USD350M in 2020, an increase of 311% from 2019, from ransomware.[2] These incidents will likely proliferate if there is no concentrated effort between local and international diplomatic and law enforcement authorities to proactively combat ransomware,” he added.

Jaco explained that ransomware crimes are challenging to track because there is presently no regulatory mandate for Malaysian companies to report cyber incidents. Furthermore, with ransoms requested and paid for using cryptocurrencies, the crime can be perpetuated with little to no trace to the criminals, hence the lack of prosecutions.

“Organizations at the mercy of criminals may also not be willing to disclose that they have been victims of cyberattacks or ransomware lest they risk reputational damage, indicating that cyberattack figures may be significantly higher than reported. The Malaysian government can play a pivotal role to engender confidence among businesses that there are adequate support mechanisms to help victims with no resources to protect themselves,” said Jaco.

One approach can be to establish a national framework to help businesses prepare for and respond to ransomware attacks. There have been discussions in other jurisdictions about the feasibility of mandatory reporting of ransom payments or making it illegal, but this approach comes with its own pros and cons. The government can also introduce stricter cryptocurrency regulations to ensure cryptocurrency exchanges are better regulated including KYC, AML and CFT laws and make it more difficult for criminals to launder ransomware proceeds.

“The Malaysian government has taken positive steps forward in the fight against ransomware with the setting up of a special task force to identify and study cyber security issues for the purpose of enacting relevant laws as part of the Malaysia Cyber Security Strategy (MCSS).[3] While a good start, more can be done. Ransomware attacks are first and foremost profit-motivated crimes, hence a stringent approach is required to cull emboldened criminals from further callous attacks,” Jaco advised. 

However, this is a massive undertaking that will require time. In the meantime, businesses must consider taking measures to stay on top of the threat.

The changing shape of ransomware, a latest report by KPMG International, notes that the massive shift to remote working presented opportunities and network vulnerabilities for criminals to exploit via phishing or remote access attacks. Businesses need to ensure that they have both proactive and reactive steps in place to reduce impact and minimize business disruption.

Here are some steps businesses can consider:

  • Actions to take now: Assess the impact of system loss and prepare a response action plan. It is important that security awareness training and resources for post-COVID working are up to date and that their incident response capability and backups are prepared for any breaches in security.
  • Actions for the mid-term: Check any technology changes or remote working setups for vulnerabilities. They can also run an exercise or ‘get hacked’ as a way of testing their defenses and response.
  • Future trends and challenges: KPMG's 2021 CEO Outlook Pulse Survey found that majority of CEOs surveyed experienced sharp acceleration in the progress of digitizing their operations, business models and revenue streams during the pandemic and a vast majority plan to invest in technologies such as cloud and data security. Businesses should consider any potential increase in risks as adopting new technologies can add complexity to information flows and data protection. 

“Intelligent measures need to be implemented at all levels and for all sectors to combat ransomware strategically. It will certainly take time, effort and sustained investments to make any significant dent against ransomware. Government and public-private partnerships can go a long way to remove any safe haven for cybercriminals,” concluded Jaco.

To read the full report and for more insights, visit www.kpmg.com.my/cybersecurity