Ransomware payments rise to AUD $1.35m for Australian firms
New research by McGrathNicol has highlighted the growing challenge of ransomware facing Australian businesses, coinciding with recent cybersecurity reforms introduced by the Federal Government.
The firm's fourth annual ransomware survey, conducted in conjunction with YouGov, gathered insights from 500 Australian business leaders across companies with more than 50 employees. The results underscored a significant increase in ransomware payments, which have now reached an average of AUD $1.35 million, a substantial rise from AUD $1.03 million in 2023.
McGrathNicol reported that 84 per cent of businesses attacked by ransomware in the past five years chose to pay the ransom. This percentage has risen from previous years, indicating an increasing tendency among businesses to comply with attackers' demands.
The survey additionally found that 75 per cent of businesses that opted to pay did so within 48 hours, suggesting that quick decision-making under pressure is a common response to such attacks. A notably high proportion of businesses, 83 per cent, expressed willingness to pay should they face a ransomware attack, up from 70 per cent in the previous year.
Darren Hopkins, a Cyber Partner at McGrathNicol, remarked on the necessity of mandatory reporting, saying, "Business leaders are overwhelmingly in support of mandatory reporting. Our research shows that 79 per cent believe businesses should be required to report a ransomware attack. We applaud the government's ransomware reporting changes but note the requirement of more than $3 million in turnover."
Despite the federal measures, Hopkins noted, "Under the new legislation, many small to medium businesses will be attacked, pay a ransom, and still not have to report it. We encourage the government to consider expanding the scheme so that we can quantify just how much money is being funnelled to cyber criminals every day of the year."
He added, "Our research shows that having to report a payment will unlikely influence whether a business will make a ransom payment while they believe it is legal to do so."
It was also revealed that businesses are becoming more proactive regarding cybersecurity measures, with 91 per cent insured against ransomware attacks, covering an average of AUD $1.47 million. The number of businesses with an incident response plan rose to 80 per cent, and 77 per cent now have a formal protocol for notifying their boards, reflecting increased preparedness.
Brendan Payne, also a Cyber Partner at McGrathNicol, emphasised the importance of incident response planning, saying, "A best practice cyber incident response plan will detail roles and responsibilities in the event of an attack, including decisions on whether the business will pay a cyber ransom and negotiate, or whether a payment is to be avoided under any circumstance. The plan should also outline recovery steps, communication plans, and the details of a person responsible for reporting the incident to the authorities and external advisers."
Payne further advised, "Cyber criminals won't wait until you're ready. We encourage organisations to review their response plans at least quarterly."
The report comes as the government implements new cybersecurity legislation, requiring companies with a turnover exceeding AUD $3 million to report ransomware payments to the Australian Signals Directorate within 72 hours. Failure to report such payments could result in fines of up to 60 penalty units, amounting to AUD $18,780.