
In 2025, Australia experienced a 67% surge in ransomware attacks. Average recovery costs for medium businesses hit AUD $97,000 per incident. One in three Australian businesses has now experienced multiple ransomware attempts, and 38% of SMBs were targeted in FY2024–25 alone.
The Medibank breach. The MediSecure collapse. The 2025 superannuation fund attacks. These are not edge cases or overseas problems. They are Australian businesses, with Australian clients, facing consequences that in some cases ended the company entirely.
Yet ransomware is not unstoppable. The businesses that recover quickly or avoid incidents entirely share the same characteristics: they patch promptly, they enforce MFA, they maintain tested offline backups, and they have a documented incident response plan ready before an attack occurs. None of these are expensive or exotic controls. They are the ASD Essential Eight, applied consistently.
This guide covers everything an Australian business needs to know: how ransomware works, what the threat landscape looks like in 2026, how to build a layered prevention posture, what to do in the first hours of an attack, and what Australia’s new mandatory reporting law requires of your business. Whether you are starting from scratch or reviewing your existing controls, use this as your practical reference.
What is Ransomware?
Ransomware is malicious software that encrypts your business files and demands payment, typically in cryptocurrency, to restore access. The attacker holds your data hostage until you pay, or until you recover from a clean backup.
In 2026, it has evolved well beyond simply locking files.
Single, Double, and Triple Extortion
Modern ransomware operates in two phases: encryption and exfiltration. Attackers steal your data before encrypting it, then threaten to publish it publicly if you refuse to pay; this is double extortion. Some groups go further with triple extortion: contacting your clients directly, or launching DDoS attacks on your systems to increase pressure.
The Medibank breach of 2022 showed what this looks like at scale. Attackers encrypted and stole 9.7 million patient records, then published sensitive health data publicly after Medibank refused to pay. The reputational and legal fallout continues today, and it started because MFA was not enforced on the VPN accounts used to gain access.
Ransomware rarely operates in isolation: it arrives on the back of phishing, stolen credentials, or unpatched vulnerabilities. Understanding the full range of cybersecurity threats facing Australian businesses helps explain why defending one vector strengthens your posture across all of them.
Why Australian Businesses Are Targeted
Australia has a high GDP per capita, large healthcare and financial sectors, and strict data breach notification laws, all of which increase the likelihood that victims will pay. The MediSecure breach in 2024 resulted in 12.9 million Australian records listed for sale at USD $50,000. The business subsequently entered administration.
How a Ransomware Attack Works: The 6-Stage Lifecycle

Most business owners imagine ransomware as a sudden event — screens lock, a demand appears. In reality, a typical attack unfolds over days or weeks before you see anything.
Critical Insight
Effective ransomware defence stops the attack at Stages 1–3. By Stage 6 you are already in full crisis. The controls that matter most are those that prevent initial access, detect lateral movement, and protect backups from deletion, not those that help you respond after encryption.
Stage 1: Initial Access
An attacker gains their first foothold through a phishing email, exploited vulnerability, or stolen credentials. 54% of ransomware infections involve phishing at some stage. Compromised credentials account for another 21–23% of initial access events. Staff who understand phishing types and prevention, from spear phishing to AI-generated voice impersonation, are significantly less likely to be the entry point.
Stage 2: Persistence and Privilege Escalation
Once inside, the attacker establishes persistence and escalates privileges toward administrator or domain controller access. The average dwell time was 82 days in 2025: attackers spent nearly three months inside networks before detection. This stage is silent. You will not know it is happening unless you have continuous monitoring in place.
Stage 3: Reconnaissance and Lateral Movement
The attacker maps your network, identifies where critical data and backups live, and moves between systems gathering credentials. The ransomware group Akira, one of the most active groups targeting Australian businesses in 2025, uses tools like Sharphound, ADFind, and Mimikatz at this stage as a standard playbook.
Stage 4: Data Exfiltration
87% of 2025 ransomware attacks exfiltrated data before encrypting it. Client records, financial files, and intellectual property are quietly copied to an external server. This is what enables double extortion: even businesses that can restore from backup are threatened with data publication.
Stage 5: Ransomware Deployment and Backup Destruction
After weeks of preparation, the attacker deploys the encryption payload. Reachable backups are targeted and deleted first. Encryption then spreads rapidly across connected systems. A flat, unsegmented network means a single infected device can reach everything.
Stage 6: Ransom Demand
A ransom note appears. You now have a short window to make high-stakes decisions under maximum pressure, exactly the wrong moment to be forming your incident response plan for the first time.
The Australian Ransomware Threat Landscape in 2026
Australia has become one of the world’s most actively targeted nations for ransomware. The 2025 data is stark:
| Metric | Figure |
|---|---|
| Increase in attacks targeting Australia | +67% year-on-year (2025) |
| Ransomware as % of Australian cyber incidents | 11% of all; 34% of Category 1 (highest-severity) |
| Average recovery cost — medium businesses | AUD $97,000 per incident |
| Average recovery cost — large businesses | AUD $202,700 per incident (up 219%) |
| % of Australian SMBs experiencing a ransomware attempt | 38% in FY2024–25 |
| Median ransom paid by Australian organisations | AUD $54,000 |
| % of AU organisations that paid the ransom | 41% (down from 66% prior year) |
| Attacks via Ransomware-as-a-Service (RaaS) | 70% of all encrypting attacks |
Sources: ACSC Annual Cyber Threat Report 2024–25 (cyber.gov.au), Sophos State of Ransomware in Australia 2025, OAIC NDB data.
One in three Australian businesses has experienced multiple ransomware incidents. This is no longer a question of if; it is a question of when, and of how prepared you are.
AI is making this worse. AI-driven cyber attacks use generative models to automate phishing campaigns at scale, craft more convincing lures, and accelerate lateral movement, which is a key reason why global attack volumes surged 34–50% in 2025.
Ransomware-as-a-Service: Why Attack Volumes Have Surged
RaaS groups lease ransomware tools and infrastructure to affiliates who execute the attacks in exchange for a cut of the ransom. Groups like LockBit, ALPHV/BlackCat, RansomHub, and Akira all operate this way. The barrier to entry for launching a ransomware campaign has effectively collapsed — which is why global attack volumes surged 34–50% in 2025.
Types of Ransomware Attacks Australian Businesses Face

Crypto Ransomware
The most common type: files are encrypted and a decryption key is withheld until payment is made. Even if you pay, research shows only 13% of victims receive all their data back. Paying also directly funds the attacker’s next campaign.
Double Extortion Ransomware
This is now the dominant model. 87% of 2025 attacks involved data theft before encryption. Attackers steal your data first, then encrypt it, meaning even businesses that can restore from backup are still threatened with public data release. Having good backups no longer means you can ignore the extortion demand.
Triple Extortion
A third pressure layer is added on top of encryption and data theft: threatening to contact your clients, suppliers, or regulators directly, or launching DDoS attacks against your systems until you pay.
Ransomware-as-a-Service (RaaS)
Not a technical variant but an ecosystem that powers most attacks. RaaS now accounts for 70% of encrypting attacks. Any affiliate can lease a professional-grade ransomware platform — the skills barrier that once limited attacks to sophisticated criminals is gone.
Wiper Malware
Nation-state actors sometimes deploy wiper malware where data destruction, not extortion, is the goal. There is no decryption key because there was never any intention to offer one. Full recovery requires rebuilding from clean offline backups.
How Ransomware Enters Your Business
Understanding the entry points tells you exactly where to concentrate your defences first:
Exploited Vulnerabilities — 28–32% of Attacks
Unpatched software in operating systems, edge devices, VPNs, and firewalls is the single biggest ransomware entry point — and the most preventable. The Medibank breach began with an unpatched VPN credential. A network security audit will surface every unpatched system across your environment and rank them by exploitability and business impact.
Phishing Emails — 24% of Attacks
An employee receives a convincing email impersonating a supplier, the ATO, a bank, or an internal colleague, and either clicks a malicious link or opens an infected attachment. AI-generated phishing emails in 2026 are virtually indistinguishable from legitimate ones — which is why simulated phishing training is a non-negotiable control.
Compromised Credentials — 21–23% of Attacks
Stolen usernames and passwords, whether obtained through phishing, purchased from dark web markets, or discovered through credential stuffing, give attackers legitimate-looking access that bypasses many security tools. Multi-factor authentication is the direct countermeasure: a stolen password is useless without the second factor, and it is the single highest-priority security control for any business that has not yet deployed it.
Exposed Remote Desktop Protocol (RDP)
Internet-facing RDP is continuously scanned and brute-forced by automated tools. If your RDP port is exposed to the internet without a VPN and MFA in front of it, you have an open door. Audit your external attack surface and ensure RDP is never directly internet-accessible.
Supply Chain and Third-Party Vendor Access
Attackers compromise trusted vendors’ software or remote access tools and use that relationship to reach your network. Remote monitoring tools used by MSPs have been specifically targeted for this reason. Network security threats like supply chain compromise are now among the hardest to defend against because the attacker arrives through a trusted channel your perimeter controls are configured to allow.
Australia’s Mandatory Ransomware Reporting Law: Cyber Security Act 2024
This is the most significant legal development for Australian businesses in 2026 — and most businesses still do not know it applies to them.
Now in Full Enforcement: 1 January 2026
The Cyber Security Act 2024 introduced mandatory ransomware payment reporting. Phase 1 (education-first) ran May–December 2025. Phase 2 (active compliance and enforcement) commenced 1 January 2026. Businesses turning over $3M+ that pay a ransom have 72 hours to report to the ASD. Non-compliance risks civil penalties of up to $19,800.
Key Requirements at a Glance
| Requirement | Detail |
|---|---|
| Who it applies to | Businesses with annual turnover ≥ AUD $3 million; critical infrastructure entities regardless of turnover |
| What triggers reporting | Any ransomware payment made by or on behalf of your business — including payments made by your insurer |
| Reporting deadline | Within 72 hours of making or becoming aware of the payment |
| Report submitted to | Australian Signals Directorate (ASD) |
| Penalty for non-compliance | Civil penalty up to $19,800 (60 penalty units) |
| Enforcement posture | Phase 2: active compliance and enforcement as of 1 January 2026 |
| Protections for reporters | Reported information is legally protected; generally cannot be used against you in proceedings |
What This Means for Your Incident Response Plan
If your annual turnover exceeds $3 million, your incident response plan must include a documented 72-hour ransomware payment reporting procedure. You need to know your reporting obligation before an attack — not during it.
Any incident involving personal data also triggers obligations under the Notifiable Data Breaches (NDB) scheme. Knowing how to respond to a data breach in the correct sequence, covering both NDB notifications and Cyber Security Act 2024 reporting, is essential preparation before an incident, not something to work out during one.
How to Prevent Ransomware: 10-Layer Defence Checklist

No single control eliminates ransomware risk entirely. What the following ten layers do is make a successful attack exponentially harder — and ensure that if one does occur, it is detected and contained early rather than running for 82 days unnoticed.
Layer 1: Patch Everything — Fast
Exploited vulnerabilities are the #1 ransomware entry point (28–32% of attacks). The ASD Essential Eight requires internet-facing services to be patched within 48 hours of a critical patch release at Maturity Level 2. The network security audit framework maps every system against these patch compliance requirements and produces a prioritised remediation roadmap.
Patching Priority Order
- Internet-facing services and edge devices — patch within 48 hours of critical release
- Operating systems on all endpoints and servers — patch within 2 weeks
- Third-party line-of-business applications — patch within 1 month
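The priority order above becomes actionable once each asset has a deadline and the overdue ones are ranked. The following is an added example, not Hyetech's tooling: it applies the page's 48-hour, 2-week and 1-month windows to a constructed inventory (tier names, hostnames, dates and the "now" timestamp are all assumptions, and 1 month is taken as 30 days) and produces the remediation order.

```python
"""Patch-window compliance check for the three-tier priority order above.

Added example, not Hyetech's tooling. The 48-hour, 2-week and 1-month windows
come from the page; the tier names, inventory records and 'now' timestamp are
constructed for the example (1 month is taken as 30 days).
"""
from datetime import datetime, timedelta

# Tier -> maximum time allowed between a critical patch release and deployment.
PATCH_WINDOWS = {
    "internet-facing": timedelta(hours=48),
    "operating-system": timedelta(weeks=2),
    "third-party-app": timedelta(days=30),
}

# Lower number = fix first; mirrors the order of the list above.
TIER_PRIORITY = {"internet-facing": 0, "operating-system": 1, "third-party-app": 2}


def patch_deadline(released_at: datetime, tier: str) -> datetime:
    """Latest acceptable deployment time for a critical patch of the given tier."""
    return released_at + PATCH_WINDOWS[tier]


def assess_asset(asset: dict, now: datetime) -> dict:
    """Classify one inventory record as compliant, late, pending or overdue."""
    released = datetime.fromisoformat(asset["patch_released"])
    deadline = patch_deadline(released, asset["tier"])
    patched_at = asset.get("patched_at")
    if patched_at is not None:
        # Deployed: check whether it landed inside the window.
        status = "compliant" if datetime.fromisoformat(patched_at) <= deadline else "late"
    elif now <= deadline:
        status = "pending"      # still inside the window, nothing to escalate yet
    else:
        status = "overdue"      # window missed and the system is still exposed
    hours_overdue = (now - deadline).total_seconds() / 3600 if status == "overdue" else 0.0
    return {
        "asset": asset["asset"],
        "tier": asset["tier"],
        "deadline": deadline,
        "status": status,
        "hours_overdue": hours_overdue,
    }


def remediation_roadmap(inventory: list, now: datetime) -> list:
    """Unpatched assets past their window, most exposed tier first and, within a
    tier, the longest-overdue first: this is the order to work the backlog."""
    overdue = [f for f in (assess_asset(a, now) for a in inventory) if f["status"] == "overdue"]
    overdue.sort(key=lambda f: (TIER_PRIORITY[f["tier"]], -f["hours_overdue"]))
    return overdue


# Constructed inventory: one critical patch per asset, some already deployed.
NOW = datetime(2026, 2, 10, 9, 0)
INVENTORY = [
    {"asset": "vpn-gw-01", "tier": "internet-facing", "patch_released": "2026-02-07T10:00", "patched_at": None},
    {"asset": "fw-edge-02", "tier": "internet-facing", "patch_released": "2026-02-09T12:00", "patched_at": None},
    {"asset": "srv-file-01", "tier": "operating-system", "patch_released": "2026-01-20T08:00", "patched_at": None},
    {"asset": "ws-fin-07", "tier": "operating-system", "patch_released": "2026-02-01T08:00", "patched_at": "2026-02-05T18:00"},
    {"asset": "app-erp-01", "tier": "third-party-app", "patch_released": "2026-01-05T08:00", "patched_at": None},
    {"asset": "app-crm-01", "tier": "third-party-app", "patch_released": "2025-12-20T08:00", "patched_at": "2026-01-25T08:00"},
]

if __name__ == "__main__":
    for finding in remediation_roadmap(INVENTORY, NOW):
        print(f'{finding["asset"]:12} {finding["tier"]:17} overdue by {finding["hours_overdue"]:.0f} h')
```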
Layer 2: Enforce MFA on Every Account
Compromised credentials enable 21–23% of ransomware attacks. MFA is the direct countermeasure: a stolen password is useless without the second factor. Priority: email accounts, VPN, admin accounts, cloud platforms, then all other systems. For administrators and finance staff, hardware security keys (YubiKey) provide phishing-resistant MFA that proxy attacks cannot intercept.
- Use authenticator apps — not SMS only, which is vulnerable to SIM-swapping
- Block legacy authentication protocols (POP3, IMAP, basic SMTP auth) that bypass MFA
- Enable number-matching on push notifications to prevent MFA fatigue attacks
Layer 3: Application Control (Allowlisting)
Application control prevents unknown executables, including ransomware payloads, from running at all. The ASD Essential Eight rates this as its highest-impact single control. At Maturity Level 3, no unapproved application can execute on any endpoint. It is operationally complex, which is why most businesses implement it through managed IT services rather than leaving it to stretched in-house teams.
Layer 4: Disable Macros in Microsoft Office
Malicious macros in Word, Excel, and PowerPoint remain a primary delivery mechanism for ransomware payloads. Disable macros by default and allow them only for explicitly trusted, digitally signed documents. Microsoft 365 security configuration, including macro restrictions, Conditional Access, and Defender for Business policies, is included in every Hyetech deployment as a Microsoft Gold Certified Partner.
Layer 5: Harden and Restrict Remote Access
- Disable internet-facing RDP entirely if not required; place it behind a VPN with MFA if it is
- Enforce MFA on all VPN connections — no exceptions for legacy systems or temporary access
- Restrict access to registered, compliant devices using Conditional Access policies
- Review and revoke unused third-party vendor remote access privileges quarterly
A Zero Trust architecture validates every remote session continuously, not just at login, and treats every connection as potentially compromised until proven otherwise. It is the logical evolution beyond legacy perimeter-based controls and the model the ASD recommends for privileged access management.
Layer 6: Deploy Endpoint Detection and Response (EDR)
Legacy antivirus reacts to known signatures. Modern ransomware is specifically engineered to evade it. EDR uses behavioural analysis to detect unusual file encryption patterns, abnormal process execution, and lateral movement, and can halt an attack mid-progress. Cyber insurers now require EDR as a baseline condition for coverage. Managed detection and response services pair EDR technology with 24/7 analyst response, so threats are acted on immediately rather than queued for the next business day.
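To make "unusual file encryption patterns" concrete, here is an added illustration (not Hyetech's or any EDR vendor's code) of the behavioural logic: each file write is scored by the byte entropy of its content and by whether the file was renamed or given a ransomware-style extension, and a host that produces a burst of such writes inside a short window raises an isolate-this-host alert. The event records, thresholds and extension lists are constructed assumptions.

```python
"""Behavioural detection of in-progress file encryption (Layer 6, Stage 5).

Added illustration, not Hyetech's or any EDR vendor's code. Event records,
thresholds and extension lists are constructed assumptions; a real sensor
would stream live file-write events into detect().
"""
import math
from collections import defaultdict, deque

HIGH_ENTROPY = 7.5        # bits per byte; ciphertext sits close to the maximum of 8.0
WINDOW_SECONDS = 10       # sliding window per host
ALERT_THRESHOLD = 5       # suspicious writes inside the window before alerting
ENCRYPTED_EXTS = {".locked", ".enc", ".crypt"}                    # ransomware-style suffixes
COMPRESSED_EXTS = {".zip", ".7z", ".gz", ".jpg", ".png", ".mp4"}  # legitimately high-entropy


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly spread bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_ext(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def is_suspicious_write(event: dict) -> bool:
    """High-entropy content replacing a renamed document, or landing under a
    ransomware-style extension, is the footprint of bulk encryption."""
    ext = file_ext(event["path"])
    if ext in COMPRESSED_EXTS:
        return False          # archives and media are high-entropy by nature
    if shannon_entropy(event["sample"]) < HIGH_ENTROPY:
        return False          # plain documents, logs and source stay well below 7.5
    return ext in ENCRYPTED_EXTS or event.get("renamed_from") is not None


def detect(events: list) -> list:
    """Return one alert per host that performs ALERT_THRESHOLD suspicious writes
    inside WINDOW_SECONDS. Containment (isolate the host) is the same whatever
    the final count, so a single alert per host is enough."""
    recent = defaultdict(deque)   # host -> timestamps of recent suspicious writes
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_suspicious_write(ev):
            continue
        q = recent[ev["host"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= ALERT_THRESHOLD and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append({"host": ev["host"], "time": ev["time"], "count": len(q)})
    return alerts


# Constructed telemetry. bytes(range(256)) stands in for ciphertext (entropy 8.0);
# the text sample is what an ordinary document write looks like (about 4 bits/byte).
CIPHERTEXT_LIKE = bytes(range(256)) * 4
TEXT_LIKE = b"Quarterly revenue summary for the finance team. " * 8
SAMPLE_EVENTS = [
    {"host": "ws-fin-07", "time": 0, "path": "C:/Finance/budget.xlsx", "sample": TEXT_LIKE},
    {"host": "ws-fin-07", "time": 1, "path": "C:/Finance/archive.zip", "sample": CIPHERTEXT_LIKE},
    {"host": "ws-hr-02", "time": 2, "path": "C:/HR/policy.docx", "sample": TEXT_LIKE},
]
# Burst: six documents renamed and overwritten with ciphertext, one per second.
SAMPLE_EVENTS += [
    {"host": "ws-fin-07", "time": 20 + i, "path": f"C:/Finance/report{i}.pdf.locked",
     "renamed_from": f"C:/Finance/report{i}.pdf", "sample": CIPHERTEXT_LIKE}
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'isolate {alert["host"]}: {alert["count"]} encryption-like writes by t={alert["time"]}s')
```

The zip write in the sample is deliberately high-entropy and is not flagged, which is the false-positive case any such detector has to handle.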
Layer 7: Segment Your Network
A flat network, where every device can reach every other device, is ransomware’s ideal environment: one infected machine can reach and encrypt everything. Segmentation creates isolated zones that contain the blast radius. Network security auditing identifies flat network exposure and segmentation gaps as part of every Hyetech security assessment.
Layer 8: Train Staff — Regularly and Realistically
54% of ransomware infections involve phishing at some stage. Annual awareness videos are not sufficient in 2026. Effective training includes:
- Regular phishing simulations — employees who click receive immediate, in-context training
- AI-generated phishing and deepfake voice/video awareness — generic phishing training no longer covers the threat
- Clear reporting procedures: ‘I clicked something suspicious — who do I call right now?’
- MFA fatigue awareness: how to recognise and deny unexpected push notification approval requests
Layer 9: Audit and Secure Your Supply Chain
- Audit all third-party remote access privileges quarterly and revoke any that are unused or unnecessary
- Require MFA for all vendor access — no exceptions for legacy integrations
- Apply least-privilege principles — vendors access only the specific systems they need
- Request Essential Eight or ISO 27001 certification evidence from your highest-risk vendors
Layer 10: Monitor Continuously — 24/7
The average 82-day dwell time means an attacker can spend nearly three months inside your network undetected. Catching them in Stages 1–3 requires continuous monitoring. SIEM and SOC capabilities work together to correlate signals across endpoints, network, and cloud, with detection technology on one side and analyst-driven response on the other, providing the visibility needed to catch threats before they reach the encryption stage.
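What "correlating signals" looks like for the Stage 3 activity described earlier, as an added illustration rather than Hyetech's or any SIEM product's rule set: two rules run over endpoint process-creation records, one matching the reconnaissance and credential tools the page names for the Akira playbook, the other flagging a single account that starts processes on several hosts within an hour, which is the shape lateral movement leaves whatever tooling is used. The log lines, host and account names, log format and fan-out threshold are constructed assumptions.

```python
"""SIEM-style correlation over endpoint process-creation telemetry, covering the
reconnaissance and lateral-movement stage (Stage 3) that continuous monitoring
exists to catch.

Added illustration, not Hyetech's or any SIEM product's rule set. The log lines,
host and account names, log format and fan-out threshold are constructed
assumptions; the tool names are the three the page cites.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = {"sharphound.exe", "adfind.exe", "mimikatz.exe"}
FANOUT_WINDOW = timedelta(hours=1)
FANOUT_HOSTS = 3     # one account starting processes on this many hosts within the window

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")


def parse_line(line: str):
    """Parse one 'ts host= user= image=' record; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    # Match on the executable name only; the folder a tool is dropped into is arbitrary.
    ev["image_name"] = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ev


def recon_tool_alerts(events: list) -> list:
    """Rule 1: a known AD reconnaissance or credential-harvesting binary started anywhere."""
    return [
        {"rule": "recon-tool", "ts": e["ts"], "host": e["host"], "user": e["user"], "tool": e["image_name"]}
        for e in events if e["image_name"] in RECON_TOOLS
    ]


def account_fanout_alerts(events: list) -> list:
    """Rule 2: one account starts processes on FANOUT_HOSTS distinct hosts inside
    FANOUT_WINDOW, the pattern lateral movement leaves regardless of tooling."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_HOSTS:
                alerts.append({"rule": "account-fanout", "ts": start["ts"], "user": user, "hosts": len(hosts)})
                break      # one alert per account is enough to open an investigation
    return alerts


def correlate(lines: list) -> list:
    """Parse raw lines (skipping malformed ones) and run both rules."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return recon_tool_alerts(events) + account_fanout_alerts(events)


# Constructed process-creation records (EDR/Sysmon-like, flattened to one line each).
SAMPLE_LOG = [
    r"2026-02-10T02:01:10Z host=ws-fin-07 user=CORP\jsmith image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    r"2026-02-10T02:05:42Z host=ws-fin-07 user=CORP\jsmith image=C:\Users\jsmith\AppData\Local\Temp\SharpHound.exe",
    r"2026-02-10T02:09:03Z host=ws-fin-07 user=CORP\jsmith image=C:\Users\jsmith\AppData\Local\Temp\adfind.exe",
    r"2026-02-10T02:31:18Z host=srv-file-01 user=CORP\jsmith image=C:\Windows\System32\cmd.exe",
    r"2026-02-10T02:44:55Z host=srv-db-02 user=CORP\jsmith image=C:\Windows\System32\cmd.exe",
    r"2026-02-10T03:10:00Z host=ws-hr-02 user=CORP\akhan image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    "malformed line that a parser must tolerate",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```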
The 3-2-1 Backup Rule: Your Last Line of Defence
Even with the best prevention controls in place, a well-resourced attacker may still succeed. Clean, tested, offline backups are what allow you to recover without paying the ransom.
| The 3-2-1 Rule | What It Means in Practice |
|---|---|
| 3 copies of your data | Primary data + 2 additional independent copies |
| 2 different storage types | e.g., cloud backup + separate external drive or tape |
| 1 copy offline and offsite | Physically or logically isolated — unreachable by ransomware |
Why ‘Offline’ Is the Critical Word
Ransomware specifically targets and destroys reachable backups before deploying encryption. A backup connected to your network or mapped as a network drive will be encrypted alongside everything else. Only an air-gapped or immutable backup survives.
Four Requirements for Ransomware-Resilient Backups
Immutable Backups
Backups that cannot be modified or deleted for a defined retention period — even by an administrator with full credentials. This is supported natively in Azure Blob Storage and AWS S3 with Object Lock. Hyetech’s cloud computing solutions include immutable storage policies and tested restore procedures built into every managed backup deployment.
Regular Test Restores
A backup you have never tested is not a backup; it is a hope. Test full restore procedures at least quarterly. Ransomware recovery is not the time to discover your backup has been silently corrupted. Document your recovery time objective (RTO) so you know exactly how long restoration takes before you ever need it.
Backup Monitoring and Protection
Ransomware groups specifically scout and disable backup infrastructure before deploying encryption. Your backup systems need their own MFA-protected admin access, integrity monitoring, and security controls, not just an automated nightly job.
Air-Gapped Backups for Critical Data
For your most sensitive data (client records, financial systems, configuration archives), consider physical air-gapping: backups completely disconnected from all networks when not actively writing. Tape remains a highly effective medium for this at scale.
How to Respond to a Ransomware Attack: Step-by-Step
A ransomware attack is a crisis. The decisions made in the first two hours determine how much damage occurs and how quickly you recover. The goal is to have this plan documented and tested before an attack, not to be formulating it during one.
Immediate Response — First 2 Hours
Step 1: Isolate Infected Systems
Disconnect affected devices from the network immediately: unplug network cables, disable Wi-Fi. Do NOT shut down infected machines. Powering off can destroy forensic evidence and may trigger additional encryption in some ransomware variants. Isolate the device; do not power it off.
Step 2: Identify the Scope
Which systems are affected? Is the attack still spreading? Has your domain controller been reached? Contact your IT team or MSP immediately. The scope assessment drives your containment and recovery strategy.
Step 3: Preserve Evidence
Photograph ransom notes on screen. Log all timestamps and actions. Do not delete or wipe any systems — forensic evidence is required for insurance claims, law enforcement reports, and root cause analysis.
Step 4: Engage Your Incident Response Team
Your MSP, internal IT team, or specialist incident response firm. Do not attempt remediation without professional guidance; well-intentioned but untrained remediation frequently destroys evidence and worsens outcomes.
Within 24 Hours
Step 5: Report to the ACSC
Report via ReportCyber at cyber.gov.au/report. The ACSC can provide tactical guidance, and the data protects other Australian businesses.
Step 6: Assess NDB Scheme Obligations
If personal data was accessed or stolen, you may have Notifiable Data Breaches obligations: notification to the OAIC and affected individuals may be required within 30 days.
Step 7: Activate Ransomware Payment Reporting (if applicable)
If your turnover exceeds $3M and a ransomware payment is being considered, the Cyber Security Act 2024 requires reporting to the ASD within 72 hours. Engage legal counsel before any payment decision.
Step 8: Notify Your Cyber Insurer
Contact your insurer immediately. Most policies have strict notification timeframes; missing them can void the claim. Your insurer may provide access to incident response resources and legal counsel.
Recovery Phase
Step 9: Restore from Clean Backups
Restore from your most recent clean, tested backup. Prioritise business-critical systems. Rebuild on clean infrastructure; do not restore back onto a still-compromised environment.
Step 10: Identify and Close the Entry Point First
This must happen before restoration begins. 69% of businesses that paid a ransom were attacked again — typically because they restored onto the same compromised environment without identifying how the attacker got in. Forensic identification of the initial access vector is mandatory before any restoration work.
Step 11: Post-Incident Security Review
Conduct a formal review after recovery: what controls failed, what would have detected the attack earlier, what gaps need remediation. A cyber security audit at this stage provides an independent view of what broke and a structured roadmap for ensuring it cannot happen the same way twice.
Should You Pay the Ransom?
This is the most difficult decision in a ransomware incident. Here is the honest, evidence-based guidance:
| The Case Against Paying | The Case For Paying (limited circumstances only) |
|---|---|
| Only 13% of victims who pay receive all their data back | Critical data is irreplaceable and backups are absent or corrupted |
| 69% of businesses that pay are attacked again | Operational shutdown poses a direct risk to human health or safety |
| Paying funds the attacker’s next campaign | Forensic analysis confirms backup restoration is too slow for business survival |
| Attackers often publish stolen data anyway | |
| May violate sanctions laws if the group is sanctioned | |
The Most Important Point
The only reliable way to avoid this dilemma is tested offline backups. Businesses with clean, tested, offline backups do not need to pay; they restore. Every dollar invested in backup resilience is a dollar that removes paying the ransom as a decision you will ever need to make.
Businesses that work with a managed security provider are significantly less likely to reach the ransom demand stage in the first place. Outsourcing cybersecurity gives you continuous coverage, Essential Eight implementation, and 24/7 monitoring without the cost of building an in-house security team.
Ransomware and Cyber Insurance in Australia
Cyber insurance has become increasingly important for Australian businesses — and increasingly difficult to obtain following the surge in ransomware claims.
What Insurers Require in 2026
Many Australian insurers now mandate the following before issuing a policy and will deny claims if these were not in place at the time of an incident:
- MFA on email, VPN, and admin accounts — now a universal underwriting requirement
- Tested backups with documented restore procedures
- EDR deployed on all endpoints
- Patching within defined timeframes (typically 30 days for critical patches)
- Staff security awareness training conducted within the past 12 months
The Insurance and Reporting Law Intersection
If your insurer pays a ransom on your behalf, your Cyber Security Act 2024 reporting obligation still applies. Being reimbursed does not remove your 72-hour reporting requirement to the ASD.
Insurance Is a Backstop, Not a Strategy
Businesses that invest in prevention are not just more secure; they are also more insurable at lower premiums. Cyber insurance works best as a final layer of protection for well-defended businesses, not as a substitute for the controls that make ransomware survivable in the first place.
Ransomware Prevention and the ASD Essential Eight
The ASD Essential Eight framework was built specifically to mitigate Australia’s most common cyber threats — and ransomware is the primary threat it addresses. Every single control directly reduces ransomware risk:
| Essential Eight Control | How It Addresses Ransomware |
|---|---|
| Application control | Prevents ransomware payloads from executing entirely |
| Patch applications | Closes the #1 entry point: exploited vulnerabilities |
| Configure Microsoft Office macros | Blocks malicious macro-based delivery |
| User application hardening | Reduces attack surface across endpoints |
| Restrict admin privileges | Limits lateral movement and privilege escalation |
| Patch operating systems | Closes additional vulnerability-based entry points |
| Multi-factor authentication | Eliminates credential-based initial access |
| Regular backups | Enables full recovery without paying the ransom |
Organisations at Maturity Level 2 are significantly more resilient than unprotected businesses. Level 3 organisations are highly resistant to all but the most sophisticated nation-state attacks. Knowing the signs your network needs an audit is a practical first step if you are unsure whether your current controls are adequate.
The Essential Eight also integrates with a broader Zero Trust security model, creating defence-in-depth that stops ransomware at multiple points in the attack lifecycle. Zero Trust best practices and Essential Eight compliance are complementary — implementing both creates a posture that stops even sophisticated attackers at Stage 1 or 2.
Conclusion
Ransomware is not a future risk for Australian businesses. It is the defining cybersecurity threat right now — active, escalating, and increasingly professionalised. In 2025, Australia experienced a 67% surge in attacks, average recovery costs for medium businesses hit AUD $97,000, and 38% of Australian SMBs faced an attack attempt. The Medibank and MediSecure breaches demonstrated what inadequate controls look like at the worst possible scale.
But the same data shows exactly what works. Businesses that patch within 48 hours, enforce MFA on every account, deploy EDR, maintain tested offline backups, and operate with continuous monitoring either avoided incidents entirely or recovered without paying. These are not expensive or exotic controls. They are the ASD Essential Eight applied consistently.
Ransomware protection is not an insurance purchase. It is a set of operational decisions made before an attack occurs and the only decisions that actually change your outcome.
The Cyber Security Act 2024 has now made this a legal obligation for businesses turning over $3 million or more. Mandatory 72-hour ransomware payment reporting is in full enforcement. Regulators, insurers, and enterprise clients are aligned: baseline security controls are no longer optional for any Australian business.
Hyetech’s cybersecurity solutions program covers the full stack (Essential Eight gap assessments, immutable cloud backup, MFA rollout, EDR deployment, and 24/7 SOC monitoring), all delivered by a Microsoft Gold Certified Partner with over a decade of experience protecting Australian businesses.
Ready to Assess Your Ransomware Readiness?
Contact Hyetech for a free ransomware readiness review. We assess your current controls against the ASD Essential Eight, identify your highest-risk gaps, and deliver a prioritised remediation roadmap, without disrupting your operations.
Frequently Asked Questions
Q1: What is ransomware in simple terms?
Ransomware is malicious software that encrypts your business files and demands payment — usually in cryptocurrency — to restore access. Modern ransomware also steals your data before encrypting it, threatening to publish it publicly if you refuse to pay. This is double extortion and is now the dominant attack model in 2026.
Q2: How does ransomware enter a business network?
The three most common entry points are exploited vulnerabilities in unpatched software or devices (28–32% of attacks), phishing emails that trick staff into clicking malicious links or opening infected attachments (24%), and compromised credentials purchased from dark web markets or obtained through phishing (21–23%). Exposed RDP and supply chain attacks via trusted vendors are also significant vectors.
Q3: What should I do immediately if my business is hit by ransomware?
Isolate infected devices from the network immediately (unplug cables, disable Wi-Fi — but do NOT shut down infected machines). Preserve all evidence. Contact your IT team or MSP. Report to the ACSC via ReportCyber. Contact your cyber insurer. Do not attempt remediation without professional guidance, and do not restore onto any system until the initial entry point has been identified and closed.
Q4: Should an Australian business pay the ransom?
In most cases, no. Only 13% of victims who pay receive all their data back. 69% are attacked again. Paying often fails to prevent data publication in double extortion scenarios. If your turnover exceeds $3M, paying also triggers a mandatory 72-hour reporting obligation under the Cyber Security Act 2024. The best strategy is to avoid this decision entirely by having tested offline backups.
Q5: Is ransomware payment reporting mandatory in Australia?
Yes — for businesses with annual turnover exceeding AUD $3 million. The Cyber Security Act 2024 requires these businesses to report any ransomware payment to the Australian Signals Directorate within 72 hours. This entered full enforcement on 1 January 2026. Non-compliance risks civil penalties of up to $19,800.
Q6: What is double extortion ransomware?
Double extortion means attackers steal your data before encrypting it, then threaten to publish it publicly if you refuse to pay — even if you can restore from backup. 87% of 2025 ransomware attacks involved data exfiltration before encryption. Having good backups protects you from the encryption, but not automatically from the extortion threat.
Q7: How do backups protect against ransomware?
Offline or immutable backups — stored separately from your network and protected against deletion — cannot be reached or encrypted by ransomware. Businesses with tested offline backups can restore their systems without paying. The three requirements are: offline or immutable storage, regular test restores (quarterly minimum), and backup monitoring to detect tampering before you need to use the backup.
Q8: What is the ASD Essential Eight and how does it relate to ransomware?
The Essential Eight is the Australian Signals Directorate’s framework of eight foundational cybersecurity controls. Every control directly reduces ransomware risk: application control prevents ransomware from executing, patching closes the most common entry points, MFA blocks credential-based access, and regular backups enable recovery without paying. Organisations at Maturity Level 2 are significantly more resilient against ransomware.
Q9: How much does a ransomware attack cost an Australian business?
For Australian medium businesses, average recovery costs reached AUD $97,000 per incident in 2025 — up 12% year-on-year. Large businesses averaged AUD $202,700, up 219%. These figures cover only remediation costs. Total all-in costs — including ransom payments, legal fees, regulatory fines, reputational damage, and revenue lost during an average 24-day downtime — frequently reach multiples of these figures.
Q10: What is the difference between ransomware and a data breach?
A data breach involves unauthorised access to and theft of data. Ransomware typically combines a data breach (theft) with encryption, making it both a data breach and a business disruption event simultaneously. Both trigger Notifiable Data Breaches (NDB) scheme reporting obligations under the Privacy Act. Ransomware involving a payment also triggers the separate Cyber Security Act 2024 reporting requirements.