Australia's big end of town is paying ransomware groups

At least 75 Australian businesses with a turnover of more than $3 million have admitted paying off ransomware groups in the first eight months of mandatory disclosure, iTnews can reveal.

The payments are being made despite advice from the Australian Signals Directorate (ASD) not to do so, and confirm that domestic organisations remain a lucrative target for threat groups.

Since May 30 last year, non-critical infrastructure businesses with $3 million or more turnover have faced compulsory reporting to Home Affairs and the ASD, should they elect to pay a ransom.

Sydney-based cyber security firm Secolve obtained the bulk of the payment numbers via a freedom of information request in November last year, which it shared exclusively with iTnews. 

iTnews has since obtained more up-to-date numbers from Home Affairs.

The numbers show that between seven and 13 organisations with turnover of at least $3 million paid ransom every month, indicating that for larger businesses, such payments are a regular occurrence. 

In addition to this, a Home Affairs spokesperson said that entities responsible for critical infrastructure - a cohort that also faces mandatory disclosure - made 19 ransomware payment reports in the the eight months to January 2026.

That brings the total number of known ransomware payments by Australian organisations up to 94 for the period.

However, as authorities do not track ransoms paid by businesses with less than $3 million annual turnover, the total number could be even higher.

Ransoms seen as the only realistic option

Secolve founder and CEO Laith Shahin told iTNews that he doesn't think any ransomware victim wants to pay their attacker.

“When companies find themselves between a rock and a hard place, paying a ransom may be the fastest or least disruptive way to recover their operations," Shahin said.

"Given the potential reputational damage if their data was leaked, a relatively small payment may be the cheapest or most predictable outcome."

Shahin said that for large organisations, any downtime could potentially cost millions of dollars.

Critical infrastructure providers, meanwhile, have to consider that disruptions to operations could put lives, or critical services, at risk.

"It's not always an easy black-and-white decision," Shahin said.

Shahin said that the officially reported numbers could just be the tip of the iceberg, as the vast majority of businesses in Australia are not subject to mandatory reporting regulations.

“Businesses will always be more inclined to pay if they don’t have the right processes in place to respond to a ransomware incident," Shahin said.

"If you don’t have an incident response plan, a continuity plan, a comms plan, and your data isn’t backed up, paying the piper is going to seem more appealing."

Second phase of reporting obligations with fines started in January

Home Affairs has now moved to the second phase of the legally mandated ransomware and cyber extortion incident reporting program.

This will shift to a combined education, compliance and enforcement focus, whereas the first phase was more about creating awareness and familiarty with the reporting obligation.

Non-compliance with the reporting obligations within 72 hours of incidents can lead to fines of up to 60 penalty units, which is currently $19,800.

Legally, information detailing individual payment amounts is protected by specific permitted use restrictions under the Cyber Security Act 2024, a Home Affairs spokesperson said.

"Going forward, the government will continue to engage with regulated entities, provide educational resources, and further its regulatory posture for compliance and enforcement of the regime," the spokesperson added.

The department expects the number of ransomware payments to increase as familiarity with the obligation continues to grow.

Meanwhile, the ASD confirmed that the government's advice is that Australian businesses and organisations should not pay ransoms.

"When paying a ransom to criminals, there is no guarantee that you will regain access to your information, or prevent it from being sold or leaked online," an ASD spokesperson told iTNews.

"You may also be targeted by another attack," the spokesperson added.

ASD provides advice and guidance at cyber.com.au on ransomware risks and mitigation advice.