KUALA LUMPUR: When it comes to paying a ransom, Cybersecurity Malaysia chief executive officer Datuk Dr Amirudin Abdul Wahab is urging companies hit by ransomware in Malaysia to say ‘No’.

“We will always say ‘No’. It’s not right for the organisations to pay because it will incentivise the attackers. So any time there is a ransom involved, don't pay. We encourage them to seek assistance from authorities whenever possible,” he said to LifestyleTech at the Cyber Security Asia 2023 event in KL today (June 19).

Ransomware is a type of malicious computer software used by cyberattackers to block access to an online system such as a database or application until a fee has been paid by the victim.

Amirudin said the Malaysia Computer Emergency Response Team (MyCert) under Cybersecurity Malaysia has recently issued an advisory on the MOVEit Transfer security flaw, which is being exploited by a ransomware gang to breach a number of companies around the world.

“When we put out an advisory, it sends out an alert that there is potentially going to be more of this attack here. We would like to minimise that possibility. We also want more people to understand that the threat is already here. We hope they will take the best practices from the advisory,” he said.

Last week, insurance companies Prudential Assurance Malaysia and Prudential BSN Takaful said that they have been affected by a ‘MOVEit cybersecurity incident’. Investigations are ongoing.

Amirudin said companies affected by any cybersecurity incidents are encouraged to seek technical assistance through the Cyber999 service under MyCert. They can call the hotline, file a report online or download the Cyber999 app.

“It is voluntary and we encourage reporting so we can provide assistance. We can guide those who reach out on how to manage and tackle the issue. Even if we can’t fully assist, we do have some international partners that will collaborate,” he said.

When asked if he is aware of any companies in Malaysia that have paid ransomware, Amirudin said: “Well, informally, I have heard that some may have paid (the ransomware) or may not. But it is the decision of the entities.”

On June 15, Prime Minister Datuk Seri Anwar Ibrahim said a cybersecurity bill will be drafted immediately to provide the National Cyber Security Committee (NACSA) with legal authority to regulate and enforce laws related to cybersecurity.

Amirudin hopes the bill will help to drive more enforcement measures as the lack of a cybersecurity act means some companies are still not taking critical measures to beef up online safety.

“To me what’s important is the preventive part. For example, I can’t force companies or critical sectors to do full security audits. We shouldn’t wait to act only when an incident has happened,” he said.