Australian organisations are seen as soft and lucrative targets for ransomware attacks, according to cybersecurity experts who warn the problem will get worse unless the Morrison government fills the “current policy vacuum”.

A report published on Tuesday cites a raft of attacks over the past 18 months, including one that brought Nine Entertainment “to its knees” in March and left it struggling to televise news bulletins and produce newspapers.

Other victims include logistics company Toll Holdings, numerous health and aged-care providers, and the global meat producer JBS Foods, whose Australian operations were affected.

But experts from the Cyber Security Cooperative Research Centre say the legality of Australian companies paying ransoms to attackers is “murky at best” and most individuals would not know what to do if they fell victim to a ransomware attack.

The government needs to clarify the legality of ransomware payments and set up a mandatory reporting scheme, writes Rachael Falk, the chief executive of the cybersecurity research centre, and her colleague Anne-Louise Brown.

In ransomware attacks, cybercriminals typically look for vulnerabilities in organisations’ computer systems, before locking up, encrypting and extracting data so computers and their files are unusable.

Attackers then demand payment to decrypt and unlock systems and sometimes threaten to leak stolen data if the request is rebuffed. The ransoms are typically paid in difficult-to-trace cryptocurrencies.

“A current policy vacuum makes Australia an attractive market for these attacks, and ransomware is a problem that will only get worse unless a concerted and strategic domestic effort to thwart the attacks is developed,” Falk and Brown write in a policy brief for the Australian Strategic Policy Institute.

“Developing a strategy now is essential. Not only are Australian organisations viewed as lucrative targets due to their often low cybersecurity posture, but they’re also seen as soft targets.

“The number of attacks will continue to grow unless urgent action is taken to reduce the incentives to target Australian companies and other entities.”

The policy brief says a nationally representative online survey of 1,000 Australian adults in April 2021 “painted an alarming picture of just how little the Australian public understands ransomware”.

The survey – commissioned by the Cyber Security CRC – found 77% of respondents said they would not know what to do if they fell victim to a ransomware attack.

When respondents were then given a set of options, 56% said they would contact the Australian Cyber Security Centre (ACSC), which is part of the Australian Signals Directorate.

The ACSC advises organisations not to make payments, arguing there “is no guarantee the cybercriminal will decrypt files” and the willingness to pay may make the organisation vulnerable to further attacks in the future.

But the policy brief says businesses grapple with the legal consequences of whether to pay and worry that every minute matters.

The policy brief says the Australian government should not criminalise the payment of ransoms.

Instead, it says, the government should adopt a mandatory reporting regime. An organisation would face a legal obligation to report the nature and root cause of a ransomware attack to the ACSC within, for example, three weeks.

The “non-punitive” reporting scheme would apply regardless of whether a payment was made and should preserve the confidentiality of victims.

“It wouldn’t be about naming and shaming,” the policy brief says, arguing it would give the ACSC improved access to vital and timely intelligence.

The information would then be de-identified and released publicly to “help better inform other stakeholders on how to reduce vulnerabilities”.

The proposal comes amid calls from Labor to require Australian organisations to inform the ACSC before they make a ransomware payment to a criminal organisation.

Labor’s cybersecurity spokesperson, Tim Watts, said last week the government needed to act because ransomware was “completely out of control in 2021”.

Tuesday’s report makes eight recommendations including a proposal for the ACSC to publish a list of ransomware threat actors and aliases, together with details of their modus operandi and key target sectors and suggested methods to reduce the risk of falling victim.

It’s also suggested that the federal government use its procurement programs to prod businesses to improve their practices. Minimum cybersecurity standards would be imposed on contractors that wished to supply goods and services to the government.

The paper proposes a nationwide public ransomware education campaign to highlight the key causes of vulnerabilities.

It says that effort should be backed by a business-focused campaign to encourage organisations to improve their “basic cybersecurity and cyber hygiene”.

The director general of the ASD, Rachel Noble, told Senate estimates last month the agency was able to alert two other organisations they were targeted by the same ransomware attackers who crippled Nine Entertainment thanks to the agency’s “classified” powers.

Currently, the ACSC does not report how many ransomware incidents it knows have affected Australian organisations and individuals, but it said last year the number was increasing.

The top-five sectors to report ransomware incidents to the ACSC in 2019-20 were health; state and territory government agencies; education and research; transport; and retail.