Non-human hostage taking: a comparative analysis between kidnap for ransom & ransomware

This thesis examines how the state in addition to regulatory bodies, insurance companies and corporations are responding to ransomware. An analysis of the role of insurance and legislation in regulating the market for ransoms through research into the kidnap and ransom (human hostage taking) market was conducted. I will argue that Kidnap and Ransom markets (K&R) have been found to be intrinsically linked to insurance companies, with insurance companies expanding their services and areas of operation to fill governance vacuums. I examine how insurers and victims as much as government policy shaped the actions of hostage takers and now, as this thesis will put forward, ransomware gangs. Ransomware has been flagged as a key area of national concern with a specific ‘action plan’ and for the first time dedicated a minister to cyber security in Australia (2022). A review of current and proposed Australian legislation that has applicability to ransomware was undertaken. Different governance approaches are also discussed from a legislative lens. I argue that despite some ‘tough on ransomware’ rhetoric legislators and prosecutors are so far unwilling to legislate and prosecute against people who pay ransoms, this also occurred in offshore hostage taking. However, a pattern has emerged where the government is beginning to punish companies in certain regulated industries that have or could become victims due to a lack of cyber security controls, the first court test case is examined as an example. Additionally, despite ransomware being a serious crime I argue that the offenders are not always as aggressive in pursuit of their goals as traditional extortion-based crimes. I will discuss how ransomware is also more scalable than other forms of extortion and has the potential to become a larger crisis and even uninsurable, this could further increase the burden on the state.