https://www.itnews.com.au/news/australias-big-end-of-town-is-paying-ransomware-groups-623791
At least 75 Australian businesses with annual turnover exceeding $3 million have admitted to paying ransomware demands during the first eight months of mandatory disclosure requirements. The payments follow a consistent monthly pattern, with between seven and thirteen larger organisations paying ransoms each month since May 2025, when non-critical infrastructure businesses became legally obligated to report such payments to Home Affairs and the Australian Signals Directorate. Additionally, entities responsible for critical infrastructure made 19 ransomware payment reports during the same period, bringing the total of confirmed ransomware payments to 94 organisations. These figures are believed to represent only a fraction of actual payments, however, since businesses with less than $3 million in annual turnover face no mandatory reporting requirement.
The persistent payment pattern contradicts explicit advice from the Australian Signals Directorate urging organisations not to negotiate with attackers: paying a ransom provides no guarantee of data recovery, no guarantee that stolen data will not be leaked anyway, and may mark the victim as a willing payer and invite subsequent targeting. However, victims find themselves caught between difficult choices, with ransom payments often appearing to be the fastest or least disruptive path to operational recovery, particularly when weighed against the reputational damage of a data leak. For large organisations, operational downtime can cost millions of dollars, while critical infrastructure providers must also weigh the risks to essential services and public safety. Organisations lacking a tested incident response plan, a business continuity strategy, a communications framework, and reliable offline backups are significantly more likely to view a ransom payment as their only viable option.
The Australian government has now transitioned to the second phase of its ransomware reporting program, shifting from an educational and awareness-building approach to a combined compliance and enforcement focus from January 2026. Non-compliance with the 72-hour reporting obligation can result in fines of up to 60 penalty units, currently valued at $19,800. The details of individual reports, including the amounts paid, remain protected under the permitted-use restrictions in the Cyber Security Act 2024, which limit what the government may do with the information reported. Home Affairs expects the number of reported ransomware payments to increase as familiarity with the reporting obligations grows among regulated entities. An ASD spokesperson reiterated the government's position that paying a ransom offers no assurance that information will be recovered or that data will not be sold or leaked online, and may encourage additional attacks against the same victim.