Australian organisations are facing a surge in ransomware activity driven by both criminal groups and nation-state actors, according to Cohesity vice-president James Blake. He says the scale and speed of attacks now demand a shift toward preparedness and operational resilience.
"When you look at ransomware, any organisation is where the money is. It doesn't matter whether you're a school, a hospital, a manufacturing organisation, a bank, a library. All of these things are legitimate targets for ransomware. The motivations are so high, the attack surface is so great, we can't stop ransomware."
Blake says organisations must also contend with more destructive activity linked to global tensions. "We have never needed cyber resiliency more than we need it now."
Despite rising spending, he says capability gaps remain.
"Cyber is a very big topic, and it's very different than cyber security. I certainly worked for a bank where we spent a billion dollars a year on cyber security. Did it stop us having an incident? No, it didn't. There is no linear correlation between head count in your security team, budget you're spending on security and your operational resiliency capability."
He says leaders should avoid inflating maturity scores and should confront their real starting point. "If the baby's ugly, let's call it ugly, because then you know where you're starting from."
Blake argues that most weaknesses are operational rather than technological. "Look at what your weakest area is in that baseline. Focus on that rather than just stalling with perfection paralysis and not moving forward."
He says human factors and internal silos often slow ransomware recovery. "With ransomware, every second counts. The IT team think it's a business continuity incident. You're trying to use the same tools for threat hunting, for forensics, and it's not going to find it because it's been evaded."
In several incidents, even physically entering the building became impossible. "We couldn't get in the building. Door access control system had been wiped. Voice over IP is down. SharePoint has been encrypted." In one case, responders were forced to cut through locks: "We cut the locks off the doors."
Blake says attackers like Scattered Spider have intensified the challenge.
"Their focus is largely on identity-based attacks and living off the land, which makes them extremely difficult to find. They are compromising third-party identity providers, and then when they get in, they're not using traditional malware techniques. They are largely using your own IT tooling. They are using vulnerable device drivers, turning EDR/XDR off. They are shifting targets and geographies. No one's safe."
He says the involvement of nation-state actors is growing clearer.
"Russia are starting to target the ransomware operators and then offering them jobs. We have seen false flag operations where espionage has taken place by nation-state actors, and then once they have finished exfilling the data, they hand the access over to a ransomware gang. And we have also seen people moonlighting."
To build trust in resilience, Blake says leaders need realism and constant improvement.
"The trust in their resiliency strategy requires you to be brutally honest about where you are. Cyber resiliency is a chain, and the weakest area of that, people, process and technology, will let down your overall capability. Just do something better than you did it yesterday again and again and again."
Despite the challenges, he says Australia is well positioned. "You're not in a different situation than organisations in the West. One thing that I really like about Australia is ASD is very on it. And the government's stopping people paying sanctioned entities. There are some really positive aspects of Australia that should give you really good hope going forward."