A hard-line turn toward ransomware transparency
Australia has taken a decisive step by mandating that certain organizations disclose any ransomware payments after a breach. The policy aims to build a clearer picture of how often victims pay and how much criminals collect. Officials argue that better data will sharpen national defenses and guide policy responses. Yet many experts warn the approach could be a double‑edged sword with complex trade‑offs.
Who must report, and to whom?
The rule applies to companies with annual turnover above USD 1.93 million, targeting roughly the top 6.5% of registered businesses. Those firms account for about half of Australia’s total economic output. Under the law, affected organizations must report incidents to the Australian Signals Directorate (ASD) and disclose any payments made. Failure to comply can trigger civil penalties under the country’s existing enforcement system. Authorities plan a two‑stage rollout, prioritizing major breaches while maintaining “constructive” dialogue with victims.
From voluntary to mandatory
Regulators concluded that voluntary disclosures were insufficient, with ransomware and cyber extortion underreported in 2024. Only about one in five victims came forward, limiting the government’s visibility into the threat. Starting next year, officials promise a stricter stance on noncompliance to strengthen accountability. The shift is designed to transform opaque incidents into a coherent national dataset that can inform strategy.
Will disclosure deter attacks?
Ransomware remains a complex and rapidly evolving phenomenon, with attacks hitting record levels despite high‑profile law‑enforcement actions. Several governments have floated similar rules, but Australia is the first to enact them nationwide. The open question is whether mandated reporting will deter attackers or simply surface more incidents. Some fear the policy could encourage public shaming of victims rather than materially reducing harm.
Jeff Wichman, director of incident response at Semperis, cautions that the requirement may have mixed effects: it could yield valuable insight into attack patterns while doing nothing to reduce overall attack volume. As he noted, many companies still face agonizing trade‑offs once operations are disrupted:
“Some companies just want to pay it and get things over with, to pull their data off the dark web. Others take a slower response, seeking negotiations while they figure out what happened,” said Jeff Wichman, Semperis.
What recent data says about paying
A recent Semperis study found that over 70% of 1,000 ransomware‑struck companies opted to pay the ransom. The finding underscores how pressure on operations, customers, and revenue can push leaders toward payment despite the risks. Outcomes were far from assured: about 60% of paying victims received functional decryptors and recovered their data, while 40% got corrupted or ineffective keys. Those figures show that payment is a gamble, not a guaranteed remedy.
Immediate implications for organizations
The new rule raises practical questions for boards, executives, and security teams. Companies in scope must prepare for rapid reporting, careful documentation, and tighter governance around ransom‑related decisions. Beyond compliance, they should harden resilience and reduce the likelihood that payment becomes the only option.
Key actions to consider:
- Build a clear, preapproved ransomware playbook that integrates legal, security, and executive roles.
- Establish reporting workflows to the ASD with defined timelines and evidence requirements.
- Validate immutable, offline, and frequently tested backups to enable fast restoration.
- Strengthen identity and access controls, including MFA, privileged access, and directory hardening.
- Conduct frequent tabletop exercises to pressure‑test decisions, communications, and escalations.
- Align with insurers and external counsel on negotiation, forensics, and disclosure thresholds.
Balancing transparency, stigma, and deterrence
Mandated reporting promises transparency, but it can also amplify reputational risk. Public disclosure may help build collective defense, yet it can fuel short‑term stigma for victims still trying to restore operations. Policymakers must ensure that shared intelligence returns concrete value—faster takedowns, improved attribution, and stronger sector‑specific guidance—so that companies see a clear benefit to reporting.
The road ahead
Australia’s move could reshape global norms on ransomware reporting, influencing how other jurisdictions act. Success will hinge on consistent enforcement, robust privacy and data‑handling safeguards, and timely feedback to reporting victims. If the resulting data improves collective readiness, the policy could shift the economics of extortion. If not, attackers may continue to adapt, and victims will still face the same painful choices—only now under a brighter spotlight.