TL;DR: Canberra is taking a tough approach to ransomware. A new law requires certain organizations to disclose when, and how much, they have paid cybercriminals after a ransomware attack. However, experts remain unconvinced that this is the most effective way to tackle the problem.
Larger companies operating in Australia must now report any payment made to cybercriminals after a ransomware incident. Government officials hope the mandate will give them a clearer picture of the problem, as many enterprises continue to pay ransoms when they fall victim to file-encrypting malware or data-theft extortion.
Originally proposed last year, the law applies only to businesses with annual turnover above A$3 million (about US$1.93 million). That threshold captures the top 6.5 percent of Australia's registered businesses, which together account for roughly half of the country's economic output.
Under the new law, a covered company that makes a ransomware payment must report it to the Australian Signals Directorate (ASD) within 72 hours of paying. Failure to report a payment exposes the company to fines under the country's civil penalty regime.
Authorities reportedly plan a two-stage approach, initially prioritizing major violations while maintaining a "constructive" dialogue with victims.
From next year, regulators will take a much stricter stance toward noncompliant organizations. The Australian government introduced the mandatory reporting requirement after concluding that voluntary disclosure was not working: in 2024, officials estimated that ransomware and cyber extortion incidents were vastly underreported, with only one in five victims coming forward.
Ransomware remains a complex and growing problem, with attacks at record levels despite stepped-up law enforcement action against prominent gangs. Several governments have proposed similar rules, but Australia is the first country to formally enact such a law.
Jeff Wichman, director of incident response at cybersecurity firm Semperis, cautions that mandatory reporting is a double-edged sword. While the government may gain valuable data and insights into attacker profiles, the law may not reduce the frequency of attacks.
Instead, it could serve mainly to publicly shame breached organizations – while cybercriminals continue to profit. A recent Semperis study found that over 70 percent of 1,000 ransomware-hit companies opted to pay the ransom and hope for the best.
"Some companies, they just want to pay it and get things done, to get their data off the dark web. Others, it's a delayed response perspective, they want negotiations to happen with the attacker while they figure out what happened," Wichman explained.
According to the study, 60 percent of victims who paid received working decryption keys and recovered their data; in the remaining 40 percent of cases, the keys supplied were corrupted or did not work.