Breaking Down The Ermakov Sanctions: What You Need To Know About The Unprecedented Cybersecurity Measures
Market Insight 06 February 2024
On 23 January 2024, the Australian government imposed autonomous sanctions against Aleksandr Ermakov (Ermakov), a Russian national implicated in the October 2022 Medibank Private data breach.
This is the first time the Minister for Foreign Affairs has exercised the thematic sanctions powers under the Autonomous Sanctions Act 2011 (Cth) (the Autonomous Sanctions Regime) to designate and declare a person in relation to a “significant cyber incident.”
In this article, we discuss the background of the Australian government’s strategic move and consider what the use of thematic sanctions powers means for future cyber incidents.
The Ermakov Investigations
In October 2022, one of Australia’s largest and most significant ransomware attacks – the Medibank data breach – saw 9.7 million customer records stolen and later published on the dark web. The records included customer names, dates of birth, Medicare numbers and sensitive medical information.
A joint investigation into the breach by the Australian Signals Directorate, the Australian Federal Police, and other Commonwealth agencies and international partners linked the Medibank data breach incident to Ermakov. Ermakov is the alleged ringleader of the Russian ransomware gang “REvil” and is known under the aliases “GustaveDore”, “aiiis_ermak”, “blade_runner” and “JimJones”.
On 23 January 2024, the Minister for Foreign Affairs designated and declared Ermakov a sanctioned person using the thematic sanctions powers under the Autonomous Sanctions Regime.
What Are Thematic Sanctions?
Thematic sanctions are a sub-set of autonomous sanctions. Autonomous sanctions are imposed by the Australian Government as a matter of foreign policy to address situations of domestic or international concern and typically target a particular country or issue, such as counter-terrorism. These sanctions are in addition to sanctions imposed by the international community by way of a resolution of the United Nations Security Council.
In addition to country-specific sanctions and counter-terrorism sanctions, the Autonomous Sanctions Act 2011 (Cth) was amended in December 2021 (by way of the Autonomous Sanctions Amendment (Magnitsky-style and Other Thematic Sanctions) Act 2021 (Cth)) to enable the Australian government to impose thematic sanctions.
These thematic sanctions empower the Minister for Foreign Affairs to designate a person or entity related to the following circumstances:
- causing, assisting, or being complicit in a significant cyber incident or an attempted significant cyber incident;
- engaging in, being responsible for, or being complicit in serious violations or serious abuses of human rights (including the right to life, the right to be free from torture or cruel, inhumane or degrading treatment or punishment and the right to be free from slavery);
- engaging in, being responsible for, or being complicit in a serious act of corruption;
- being an immediate family member of a person who has been listed under the human rights or corruption listing criteria; and
- obtaining a benefit as a result of another’s act, being an act for which that other person or entity has been listed under the human rights or corruption listing criteria.
Where an individual or entity is designated under the autonomous sanctions regime, they may face financial sanctions and/or a travel ban.
Prior to making a thematic-sanctions listing decision, the Minister for Foreign Affairs must obtain the agreement of the Attorney-General and consult with any other relevant ministers. Since 2021, the Australian government has primarily used thematic sanctions to target Russian and Iranian individuals and entities responsible for serious corruption or human rights abuses.
What Are The Effects Of The Thematic Sanctions Against Ermakov?
The autonomous sanctions imposed against Ermakov mean that it is an offence for an individual or entity to directly (or indirectly) make assets available to, or for the benefit of, Ermakov without authorisation. He is also subject to a travel ban which prevents him from travelling to, or via, Australia.
An individual who breaches autonomous sanctions can be imprisoned for up to 10 years and/or fined. The current fine is the greater of 2,500 penalty units (A$782,500 as of 1 July 2023) or three times the value of any impugned transactions.
A body corporate that fails to comply with autonomous sanctions can be fined up to the greater of 10,000 penalty units (A$3,130,000 as of 1 July 2023) or three times the value of any impugned transactions.
The autonomous sanctions also have extraterritorial application, meaning that they apply to all Australian citizens and Australian-incorporated body corporates irrespective of where they engage in conduct.
An Unprecedented Step: Signalling A New Era Of Cybersecurity
The sanctions imposed against Ermakov are the first time that the Australian government has imposed thematic sanctions in respect of a “cyber incident”. This use of thematic sanctions in response to a cyber incident sends a strong message about Australia’s position in the international cybersecurity landscape.
The Ermakov sanctions also have the practical effect of reinforcing the government’s commitment to unmasking previously faceless criminals, consistent with its aspirations in the Australian Cybersecurity Strategy.
The Ermakov sanctions also serve as a reminder to businesses about the risk of engaging with cyber threat actors who demand ransomware payments. As additional threat actors are made subject to autonomous sanctions, there is a heightened risk that you may be engaging with a sanctioned person in making a ransom payment.
Australia Leads The Way
The initiative of the Australian Government in unmasking Ermakov and imposing cyber-related thematic powers prompted various other governments to follow suit.
On 24 January 2024, the United States Treasury Department Office of Foreign Assets Control and the UK Office of Financial Sanctions Implementation announced that the United States and the United Kingdom respectively have imposed their own financial sanctions and travel bans against Ermakov.
The use of sanctions powers by governments across the world demonstrates the level of coordination between governments on cyber security, and a coordinated approach may act as an increasing deterrent to other would-be perpetrators around the globe.
Implications For Victims Of Cyber Incidents
The exercise of “cyber incident” thematic sanctions has significant implications for organisations falling victim to a ransomware attack. The sanctions imposed on Ermakov essentially mean that businesses considering making a ransomware payment need to be assured that they are not directly or indirectly making funds available to Ermakov.
However, there is no way to conclusively determine who a ransomware payment indirectly benefits. Due to the nature of cyber ransom payments and the use of cryptocurrency to facilitate payment to often unknown actors, it is a continual challenge to determine whether a payment is for the benefit of a designated person or entity.
“Ransomware as a Service” (RaaS) business models that are widely used by criminal groups exacerbate this issue, as threat actor groups are commonly interconnected and assume a variety of names. Therefore, making a ransom payment ultimately carries the risk of indirectly making assets available to Ermakov. However, given the international action which has followed Australia’s use of its sanctions powers, it is considered unlikely – at least in the near future – that criminal groups will continue to associate with Ermakov.
Body corporates must tread carefully when considering the risks of a ransomware payment, especially when navigating their approach to due diligence. Individual directors also need to be mindful of their director’s duties and potential personal liability.
“We know a lot about Mr Ermakov through our analysis, and what we do know is that cyber criminals trade in anonymity. It is a selling quality, and so naming and identifying them with the confidence that we have from our technical analysis will most certainly do harm to Mr Ermakov’s cyber business.”
Abigail Bradshaw, Head of the Australian Cyber Security Centre
If Australia’s use of its sanctions powers against cyber threat actors results in a reluctance by businesses to make ransomware payments, this may result in Australia being viewed by cyber criminals as an unfavourable victim market. Australian businesses may be less likely to pay a ransom due to heightened risks of criminal liability for directly or indirectly making assets available to a designated person.
Making it less likely that victims will pay their demands reduces the incentive for threat actor groups to target Australia. This aligns with the government’s commitment in the 2023-2030 Australian Cyber Security Strategy by reinforcing its stance against ransomware payments – ultimately disrupting and deterring cybercrime from Australia.
How Can Clyde & Co Help?
Clyde & Co’s Corporate Regulatory Team is a recognised market leader in advising on Australia’s sanctions regime. We provide sanctions advice across business areas affecting financial services, cyber and international trade, including the commodities, shipping, insurance and transportation sectors. We have significant experience advising on business compliance measures to manage sanctions risks, including due diligence processes, internal risk-based sanctions policies, know your customer screening, commercial arrangements and corporate governance considerations. The team also regularly co-ordinates with Clyde & Co’s US, UK and other sanctions teams on the global sanctions risks impacting our clients.
Clyde & Co’s Cyber, Privacy and Technology Team has specialised expertise across the privacy, cyber, financial services and broader technology practice areas. It also houses the largest dedicated privacy and cyber incident response practice across Australia and New Zealand. The firm's tech, cyber and privacy practice provides end-to-end risk management solutions for clients. From advice and strategy regarding transactions, cyber and privacy pre-incident readiness, incident response and post-incident remediation through to regulatory investigations, dispute resolution, recoveries, and third-party claims, the team offers practical, solutions-focussed assistance and advice.
For more information, please contact:
- Alec Christie, John Moran, Reece Corbett-Wilkins, Richard Berkahn, Stefanie Luhrs, Chris McLaughlin (Cyber, Privacy and Technology).
- Avryl Lattin, Matt Ellis and Liam Hennessy (Corporate Regulatory).
 Abigail Bradshaw, Head of the Australian Cyber Security Centre - Press Conference, Canberra | Defence Ministers