Ransomware Is Australia's Top Cyber Threat, and the Costs Are Climbing Fast

Ransomware made up 34% of Australia's most damaging cyber incidents last year, with average payments reaching $1.35 million. Here's what your board needs to know.

Ransomware is no longer an emerging threat; it's the defining cyber risk for Australian organisations. The Australian Signals Directorate's Annual Cyber Threat Report for 2024–25 makes that clear: while ransomware comprised 11% of all reported cyber incidents, it accounted for 34% of the most damaging incidents that the ACSC responded to. The agency handled 138 ransomware cases during the financial year, with healthcare sector incidents doubling.

For business leaders, the numbers demand attention. Industry data indicates that 69% of Australian businesses have experienced a ransomware incident in the past five years. The average ransom payment has increased to approximately $1.35 million, up from $1.03 million the previous year.

The anatomy of a modern ransomware attack

The days of simple file encryption are long gone. An estimated 87% of ransomware attacks in 2025 involved data exfiltration before encryption, the so-called "double extortion" model. Attackers steal your data first, then encrypt your systems, giving them two points of leverage: pay to recover your operations, and pay again to prevent your data being published.

The Australian Institute of Criminology's research found that 54% of ransomware infections begin with phishing, while 21–23% involve compromised credentials. Average dwell time (the period between initial compromise and detection) was 82 days. That's nearly three months of an attacker moving through your environment undetected.

The payment question

The research tells an evolving story on ransom payments. While one study found that 84% of victims paid, the Australian Institute of Criminology's data suggests a different picture: only 41% of Australian organisations are now paying, down from 66% in earlier periods. Neither number is reassuring.

Of those that did pay, none recovered operations in under an hour. Nearly a quarter took more than 24 hours to restore operations even after paying, undermining the core premise that payment buys a fast recovery.

New reporting obligations

The Cyber Security Act 2024 introduced mandatory ransomware payment reporting for businesses with annual turnover exceeding $3 million. From January 2026, these organisations must report ransom payments to the Australian Signals Directorate within 72 hours. Failure to report carries penalties.

This isn't just an administrative requirement. It reflects a broader government push to improve visibility into the ransomware ecosystem and build a more accurate picture of its impact on the Australian economy.

What your board should be asking

Do we have a tested incident response plan that specifically addresses ransomware? Are our backups truly immutable and regularly tested for restoration? How quickly could we recover core business operations without paying a ransom? And are we meeting our mandatory reporting obligations under the Cyber Security Act?

Building resilience, not just defences

SMEs account for approximately 71% of Australian ransomware victims, largely because they lack the dedicated security resources that larger organisations can afford. But resilience doesn't require an enterprise-scale budget.

The fundamentals still apply: implement and maintain strong backup practices (offline, immutable, tested), enforce multi-factor authentication across all access points, keep systems patched, and train your people to recognise phishing. Beyond that, ensure you have a documented, rehearsed incident response plan that your leadership team understands, not just your IT team.

The ACSC responded to over 1,200 cyber incidents in the past financial year, an 11% increase, and received over 42,500 calls to the Australian Cyber Security Hotline. The threat is not receding. The question is whether your organisation is prepared.