Ransomware is the most common cyber extortion method used against Australian businesses. The ACSC reported that over 70 per cent of extortion-related incidents in 2023-24 involved ransomware. The average cost of a breach for a mid-sized Australian business sits around $276,000 — and that does not include the reputational damage, lost productivity, or regulatory consequences.
Since the last time we wrote about this topic, the regulatory environment has changed significantly. Mandatory ransomware payment reporting is now in force, the Cyber Security Act 2024 has introduced new obligations, and insurers are requiring more evidence of proactive protection than ever before.
This is what Perth businesses need to know about ransomware protection in 2026.
Since 30 May 2025, Australian businesses with annual turnover exceeding $3 million, along with entities responsible for critical infrastructure assets, must report any ransomware or cyber extortion payment to the Australian Signals Directorate within 72 hours of making the payment.
The initial six-month grace period ended on 31 December 2025. Since 1 January 2026, the Department of Home Affairs has shifted to an active compliance and enforcement posture. Non-compliance carries a civil penalty of up to 60 penalty units — currently $19,800 — plus heightened regulatory scrutiny and reputational consequences.
Paying a ransom is not illegal in Australia, but the ASD does not recommend it. Payment does not guarantee you will get your data back, it funds criminal organisations, and it marks you as a willing payer for future attacks.
If your incident response plan does not include a process for meeting the 72-hour reporting window, it needs updating now. We cover the full reporting obligations in our mandatory ransomware reporting guide.
Ransomware is malicious software that encrypts your files or locks your systems, then demands payment to restore access. Modern ransomware goes further — attackers often steal your data before encrypting it, then threaten to publish it if you do not pay. This double extortion model means that even businesses with good backups face pressure to pay.
The most common entry points we see in Perth businesses are phishing emails with malicious attachments or links, compromised credentials (particularly where MFA is not enforced), unpatched vulnerabilities in internet-facing systems, and exposed remote desktop services.
Once inside, attackers typically spend days or weeks moving through your network before deploying the ransomware. They escalate privileges, disable security tools, identify and delete backups, and then encrypt everything simultaneously. By the time you see the ransom note, the damage is already done.
There is no single product that stops ransomware. Protection requires multiple layers working together — prevention, detection, containment, and recovery.
Enforce MFA on every account. Not just admins — every user, every application, no exceptions. Credential theft is the number one entry point and MFA blocks over 99 per cent of account compromise attacks. Use phishing-resistant methods like passkeys or Microsoft Authenticator with number matching, not SMS codes.
Patch quickly. The Essential Eight framework requires patching critical vulnerabilities within 48 hours at Maturity Level 2 and above. Many ransomware attacks exploit vulnerabilities that have had patches available for months.
Application control. Restrict what software can run on your systems. This prevents ransomware from executing even if it reaches a device. Application control is the single most effective Essential Eight mitigation strategy.
User awareness training. Your staff are the first line of defence against phishing. Regular security awareness training with simulated phishing exercises reduces click rates significantly over time.
Endpoint detection and response (EDR). Traditional antivirus is not enough. EDR monitors endpoint behaviour in real time, detects suspicious activity patterns, and can automatically isolate compromised devices before ransomware spreads.
24/7 security monitoring. Our managed security clients have their environments monitored around the clock through our Partner SOC. Automated containment activates immediately for known threats — malware quarantine and account blocking happen in seconds, not hours.
Network segmentation. Dividing your network into zones limits how far ransomware can spread if it gets past your perimeter. If an attacker compromises a workstation in one segment, they should not be able to reach your servers or backup systems without hitting another layer of controls.
Immutable backups. Your backups must be protected from the ransomware itself. Attackers specifically target and delete backups before deploying encryption. Immutable backups cannot be modified or deleted by anyone, including administrators with compromised credentials.
Offline or air-gapped copies. At least one copy of your critical data should be stored disconnected from your network. This is your last line of defence if everything else fails.
Tested restoration. A backup that has never been tested is not a backup — it is a hope. We test restoration monthly for our Essential Eight clients to confirm that data can actually be recovered within the required timeframe.
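A minimal restore-verification drill of the kind described above, added here as an example and not Epic IT's own tooling. It assumes a backup is a directory tree plus a manifest of SHA-256 digests recorded at backup time (a constructed convention), and it builds its own small sample backup in a scratch directory so it runs offline.

```python
import hashlib
import tempfile
import time
from pathlib import Path

def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root, keyed by relative POSIX path."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest; list missing and altered files."""
    missing, altered = [], []
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            missing.append(rel)
        elif hashlib.sha256(target.read_bytes()).hexdigest() != expected:
            altered.append(rel)
    return {"checked": len(manifest), "missing": missing,
            "altered": altered, "ok": not missing and not altered}

def run_restore_test(rto_seconds: float = 3600.0, tamper: bool = False) -> dict:
    """Constructed drill: build a small 'backup', restore it into a scratch
    directory, optionally simulate a damaged restore, then verify against the
    manifest and check the restore finished inside the recovery time objective."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp) / "backup", Path(tmp) / "restored"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (source / "notes.txt").write_text("constructed sample data\n")
        manifest = build_manifest(source)  # taken at backup time
        started = time.monotonic()
        for rel in manifest:  # stand-in for the real restore job
            dest = restored / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes((source / rel).read_bytes())
        elapsed = time.monotonic() - started
        if tamper:  # what a partial or tampered restore looks like
            (restored / "notes.txt").write_text("changed after restore\n")
            (restored / "finance" / "ledger.csv").unlink()
        report = verify_restore(restored, manifest)
        report["within_rto"] = elapsed <= rto_seconds
        return report
```

Call `run_restore_test()` for a clean drill and `run_restore_test(tamper=True)` to see how a restore with a deleted and a modified file is reported; in practice the manifest should live with the immutable copy so an attacker who reaches the backup cannot quietly rewrite both.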
The ACSC’s Essential Eight framework was specifically designed to prevent and limit the impact of cyber attacks including ransomware. All eight mitigation strategies contribute to ransomware defence:
Application control stops ransomware from running. Patching closes the vulnerabilities it exploits. MFA prevents the credential theft that gets attackers in the door. Restricting admin privileges limits what they can do once inside. Application hardening reduces the attack surface. Restricting Office macros blocks a common delivery mechanism. Regular backups ensure recovery. User application hardening limits browser-based attack vectors.
If you are working toward Essential Eight Maturity Level 2, you are building a strong ransomware defence by default. The framework is not theoretical — it is built from real-world incident data about what actually stops attacks.
If ransomware deploys in your environment, the first minutes matter. Isolate affected systems immediately — disconnect them from the network to stop the spread. Do not turn them off, as forensic evidence may be needed. Contact your MSP or security provider immediately. Do not attempt to negotiate with the attackers yourself.
If you make a payment (which we do not recommend), you are legally required to report it to the ASD within 72 hours. You should also report the incident to the ACSC through ReportCyber regardless of whether you pay.
We include incident response and remediation as part of our managed security services. For our clients, the first call is to our service desk and our response team takes it from there.
We deliver ransomware protection as part of our managed security platform — not as a standalone product. That means EDR on every endpoint, 24/7 SOC monitoring, enforced MFA, automated patching, immutable backups with tested restoration, and security awareness training for your staff. All mapped to the Essential Eight framework and included in your monthly service fee.
If you do not know what would happen to your business if ransomware hit tomorrow, talk to us. We will assess your current posture and show you exactly where the gaps are. 1300 EPIC IT.
Paying a ransom is not illegal under current Australian law. However, since 30 May 2025, businesses with turnover exceeding $3 million must report any ransomware payment to the ASD within 72 hours. The ASD does not recommend paying because it does not guarantee data recovery and it funds criminal activity.
Some policies cover ransom payments, but coverage is becoming more restrictive. Insurers increasingly require evidence of proactive security measures — MFA enforcement, EDR deployment, regular patching, and backup testing — before they will pay out on a ransomware claim. If you cannot demonstrate these controls, your claim may be denied.
Recovery time depends on the severity of the attack and the quality of your backups. With tested, immutable backups and a documented incident response plan, most businesses can restore critical systems within hours to days. Without backups, recovery can take weeks or months — and some data may be permanently lost.
The Essential Eight is the ACSC’s recommended set of eight cyber security mitigation strategies. All eight contribute directly to ransomware prevention, detection, or recovery. It is the baseline framework for Australian businesses serious about cyber security and is increasingly required for government contracts and insurance compliance.