
Australian ransomware victims now must tell the government if they pay up

Australia became on Friday the first country in the world to require victims of ransomware attacks to declare to the government any extortion payments made on their behalf to cybercriminals.

The law, initially proposed last year, only applies to organizations with an annual turnover greater than AUS $3 million ($1.93 million) alongside a smaller group of specific entities working within critical infrastructure sectors. The turnover threshold is expected to capture just the top 6.5% of all registered businesses in Australia, comprising roughly half of the country’s economy.

Reports will be made to the Australian Signals Directorate (ASD) within 72 hours. Companies that fail to make a report could receive 60 penalty units within the Australian civil penalty system.

The government said it would initially focus on pursuing “egregious” cases of noncompliance, but otherwise intends to constructively engage with any relevant victims until the beginning of next year, when it said the regulatory approach would harden.

The mandatory reporting requirement is intended to provide the ASD and the country’s other authorities with better visibility over the nature of the ransomware threat.

“Current voluntary reporting mechanisms are underutilised and consequently, ransomware and cyber extortion attacks remain significantly underreported,” the Australian government stated when the law was originally proposed.

“The Australian Institute of Criminology indicates that only one in five victims of a ransomware attack report the attack. As a result, government lacks visibility of the economic and social impact of ransomware in Australia.”

It follows cybersecurity rising up the political agenda in Australia, spurred by a series of high-profile cyberattacks against private businesses, including those affecting Optus, Medibank and MediSecure.

A similar move has been proposed in the United Kingdom, where earlier this year the government launched a consultation on banning public sector bodies and privately-owned critical infrastructure entities from making extortion payments, and requiring all victims to report incidents to the government.

The intention of a payment ban is to make “the essential services the country relies on the most unattractive targets for ransomware crime.”

According to the British announcement, anyone who wants to make a payment would also be required to report this intent to the government, which would make an assessment and have “a power to block any payment (e.g., to a suspected sanctioned entity or state).”

The additional insight into payments will be helpful for sanctions authorities. Information obtained by Recorded Future News last year revealed the agency responsible for monitoring financial sanctions in Britain has never detected an illicit payment to an entity embargoed under the country’s counter-ransomware regime.


Speaking to Recorded Future News, Jeff Wichman, the director of incident response for Semperis, said the mandatory reporting requirement was unlikely in itself to stop attacks.

“Granted, the government gets data on the attackers that are making the money. They likely get the indicators of compromise of the attacks, they get communications from the negotiators and the attacker, but that does nothing in the grand scheme of things other than build a profile of the attackers,” said Wichman.

“All it does, in my opinion, is it publicly shames the companies who have to report it if it really does become public,” he said. That could have value, he added, “but in the grand scheme of things — at least from my perspective, and maybe I’ve got a jaded personality — a company gets hit with ransomware and nine times out of 10, they’re paying the ransom.”

The figure of 90% dates back to Wichman’s days doing ransomware negotiations at cybersecurity company Palo Alto Networks, where he said the payment levels he saw were biased towards victims bringing in negotiators when they were already considering paying.

According to a more recent study by Semperis, of 1,000 companies hit by attacks in the United States, United Kingdom, France and Germany, more than 70% paid.

Stopping payments

There is some suggestion that ransomware payments dropped worldwide last year, with a report by blockchain intelligence firm Chainalysis identifying a surprising and significant drop of around 35% in 2024, indicating the impact of disarray in the ransomware ecosystem following the disruption operation targeting LockBit, the market-leading ransomware group, as well as the exit scam by the AlphV/BlackCat group.

But according to Wichman, many companies do still pay and hope to pay quickly.

“You’d be surprised,” he said. “Some companies, they just want to pay it and get things done, to get their data off the dark web. Others, it’s a delayed response perspective, they want negotiations to happen with the attacker while they figure out what happened.”

Governments around the world, particularly those involved in the Counter Ransomware Initiative, have called on victims not to make extortion payments, arguing they only fuel the criminal ecosystem and do not guarantee that encrypted material will be recovered or that stolen data will be deleted.

Semperis found that in around 40% of cases where a payment had been made, victims were provided with corrupted decryption keys.

“There is no regulation that can be put in place from a government entity that is going to solve the source of ransomware attacks until faster and more responsive measures are taken against the actual threat actors,” said Wichman.

Increased disruptions from law enforcement would provide an effective bump in the road, added Wichman, but wouldn’t be the ultimate solution: “What this really comes down to is organisations need to assume they’ll be breached, be resilient, and put the protections in place and make it harder for the attackers to get in.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.