2025-06-05 01:06:00
www.techspot.com
TL;DR: Canberra authorities are embracing a tough approach to ransomware threats. A new law will require certain organizations to disclose when and how much they have paid to cybercriminals following a data breach. However, experts remain unconvinced that this is the most effective way to tackle the problem.
Companies operating in Australia must now report any payments made to cybercriminals after experiencing a ransomware incident. Government officials hope the new mandate will help them gain a deeper understanding of the issue, as many enterprises continue to pay ransoms whenever they fall victim to file-encrypting malware.
Originally proposed last year, the law applies only to companies with an annual turnover exceeding $1.93 million. This threshold targets the top 6.5 percent of Australia’s registered businesses – representing roughly half of the country’s total economic output.
Under the new law, affected companies must report ransomware incidents to the Australian Signals Directorate (ASD). Failure to properly disclose an attack will result in fines under the country’s civil penalty system.
Authorities are reportedly planning a two-stage approach, initially prioritizing major violations while fostering a “constructive” dialogue with victims.
Starting next year, regulators will adopt a much stricter stance toward noncompliant organizations. The Australian government has implemented this mandatory reporting requirement after concluding that voluntary disclosures were insufficient. In 2024, officials noted that ransomware and cyber extortion incidents were vastly underreported, with only one in five victims coming forward.
Ransomware remains a highly complex and growing phenomenon, with attacks reaching record levels despite increased law enforcement actions against notorious cyber gangs. Although several governments have proposed similar regulations, Australia is the first country to formally enact such a law.
Jeff Wichman, director of incident response at cybersecurity firm Semperis, cautions that mandatory reporting is a double-edged sword. While the government may gain valuable data and insights into attacker profiles, the law may not reduce the frequency of attacks.
Instead, it could serve mainly to publicly shame breached organizations – while cybercriminals continue to profit. A recent Semperis study found that over 70 percent of 1,000 ransomware-hit companies opted to pay the ransom and hope for the best.
“Some companies, they just want to pay it and get things done, to get their data off the dark web. Others, it’s a delayed response perspective, they want negotiations to happen with the attacker while they figure out what happened,” Wichman explained.
According to the study, 60 percent of victims who paid received functional decryption keys and successfully recovered their data. However, in 40 percent of cases, the provided keys were corrupted or ineffective.