Full Report
The average ransom paid by Australian companies following a cyber-attack has dropped to AUD $711,000, almost halving from its peak of AUD $1.35 million last year. The latest data reflects changing attitudes among business leaders towards dealing with ransomware threats and increasing preparedness across the sector.

Payment rates decline

A new survey of over 800 Australian business owners and executives found that 64 percent of local leaders who suffered a ransomware attack in the past five years had paid a ransom. This marks a considerable reduction from the 84 percent reported last year. Despite the continuing threat, fewer companies are now opting to pay, and those who do appear to be negotiating lower payments. The amount businesses say they would be willing to pay in the event of an attack also fell, now sitting at AUD $906,000 compared to AUD $1.42 million previously.
Analysis Summary
# Incident Report: Decline in Australian Ransomware Payment Averages (2024/2025)
## Executive Summary
Recent survey data indicates a significant shift in Australian corporate response to ransomware incidents, with the average paid ransom dropping nearly 50% to AUD $711,000 from the previous year's peak of AUD $1.35 million. This decline correlates with increased preparedness across the sector and a reduced willingness to pay, although Small to Medium-sized Enterprises (SMEs) remain the primary target demographic.
## Incident Details
- Discovery Date: Not explicitly stated (the findings come from a survey covering the past year)
- Incident Date: Not applicable; the survey covers attacks over the past five years and compares the current year with the previous one.
- Affected Organization: N/A (Aggregate industry survey data)
- Sector: Various Australian Businesses (SMEs heavily represented)
- Geography: Australia
## Timeline of Events
*Note: This report analyzes trends rather than a single specific incident timeline.*
### Initial Access
- Date/Time: Ongoing trend, prevalent over the last five years.
- Vector: Not specified. The incidents are ransomware attacks, but the source does not state how attackers gained entry (e.g., phishing, exposed remote access, exploitation of unpatched services).
- Details: SMEs (89% of victims in the past year) are the most likely targets, reportedly because they lack dedicated security resources.
### Lateral Movement
- Details: Not specified.
### Data Exfiltration/Impact
- Details: Supply chain impact is significant, with over half of breached respondents reporting severe or significant impact on their supply chain.
### Detection & Response
- Details: Increased executive engagement, higher levels of preparedness, and nearly one-third of respondents successfully defended against attacks.
- Response Actions: Increased adoption of formal board notification protocols, crisis planning, and incident response plans.
## Attack Methodology
*Note: Specific TTPs were not disclosed. The categories below are filled in only where the source's reported outcomes allow it:*
- Initial Access: Not specified. Ransomware deployment is the impact stage, not the entry vector, and the source does not identify the vector.
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Not specified.
- Collection: Not specified.
- Exfiltration: Not specified. The source does not state whether data was exfiltrated; the supply chain impact it reports could stem from operational disruption alone.
- Impact: Operational disruption, severe supply chain impact.
## Impact Assessment
- Financial: Average ransom paid decreased to AUD $711,000 (Peak was AUD $1.35M). Willingness to pay also dropped to AUD $906,000.
- Data Breach: Breaches occurred, but the source does not specify what data was affected.
- Operational: Over half of breached companies experienced severe or significant impact on their supply chain.
- Reputational: Executives cite rising regulatory and reputational scrutiny as a factor influencing payment decisions.
## Indicators of Compromise
- Not applicable (Report analyzes mitigation and payment trends, not specific IoCs from an incident).
## Response Actions
- **Pre-Incident/Preparedness:** Increased investment in prevention, detection, and strong incident response capabilities (per expert recommendation).
- **Post-Incident:** Increased adoption of formal board notification protocols and crisis planning.
- **Regulatory Context:** 71%-76% support for mandatory ransomware reporting under the Cyber Security Act.
## Lessons Learned
- Paying a ransom guarantees neither data recovery nor protection from future attacks: 1 in 5 respondents suffered a repeat attack whether or not they paid.
- SMEs remain highly vulnerable targets due to a lack of dedicated cyber security teams.
- Proactive resilience and recovery strategies are gaining traction over reactive payment.
- Insurance coverage limits are falling, potentially influencing payment calculations.
## Recommendations
- Executives should not become complacent about their preparedness, even at organizations earning AUD $10M+ annually.
- Organizations must continue to invest robustly in prevention, detection, and incident response capabilities, since relying on criminals to honour a ransom is futile.
- Leverage threat intelligence sharing supported by mandatory reporting frameworks to enhance collective defense.