The cost and frequency of Australian ransomware attacks have continued to soar, with advocacy and growth champion Australian Cyber Network (ACN) reporting that more than two thirds of domestic organisations have experienced an attack.

Of the 69 per cent of businesses hit by ransomware in the past five years, the ACN observed a staggering 84 per cent opted to pay the ransom.

The ACN’s inaugural State of the Industry 2024 report – which drew on 30 unique datasets – further saw the average ransom payment climb to $1.35 million, up from $1.03 million in 2023.

Matt Wilcox, founder and chief executive of Australian cybersecurity firm Fifth Domain, told Information Age that although some Australian businesses are acknowledging their vulnerability to ransom attacks, many are “still playing catch-up”.

“The ACN report makes this clear: 69 per cent of Australian businesses experienced a ransomware attack [as of 2024], up from 56 per cent in the previous year,” said Wilcox.

“That’s proof that what we’re doing now isn’t working.”

Wilcox noted that while many organisations adopt security tools and alerts, they often lack the “lived capability to respond under pressure” and “still haven’t run proper simulations”.

“There’s a huge difference between saying ‘we’re prepared’ and actually knowing how your people will perform in a live crisis.”

Businesses conversely saw a welcome 18 per cent dip in average self-reported cybercrime costs (accounting for both ransomware and other attack vectors such as email compromise and online banking fraud), though Wilcox said this “doesn’t mean things are improving”.

“Some incidents aren’t being reported, or they’re being absorbed quietly by internal teams,” said Wilcox.

“There’s also a lot of variation between organisations.

“Big businesses may have more tools and automation, which can cut the costs of common attacks, but that doesn’t mean the risk is down.

“It just means that the attacks that do get through hit harder, are more targeted, and take longer to clean up.”

Small businesses meanwhile suffered an eight per cent increase in average reported cybercrime costs at $49,600 per report, while individuals reporting cybercrime such as identity or online shipping fraud saw an average cost increase of 17 per cent at $30,700 per report.

In November 2024, the Government passed landmark mandatory ransomware reporting requirements which are set to improve government collaboration and visibility over domestic ransom costs.

Hackers pile on Australian critical infrastructure

The report also saw Australia emerge as one of the “top five most targeted nations” for cyber threats against critical infrastructure, ranking fourth globally behind the United States, Sweden and Germany.

“A significant uptick in cyber intrusion attempts targeting critical infrastructure sectors has been observed,” read the report.

Wilcox noted Australia is indeed a “high-value target” for cybercriminals, with the same threat actors repeatedly turning to Australian critical infrastructure.

“Often, they’re state-aligned or part of organised cybercrime groups,” said Wilcox.

“If they find a weakness, they’ll exploit it again or pass it on.”

He added Australian systems are appealing because they’re seen as “soft targets in a geopolitically relevant country”.

“Threat actors know disruption here can ripple outward,” he said.

Following recent attacks at critical infrastructure organisations such as Western Sydney University and AustralianSuper, Wilcox further observed a “disparity” in security precautions between sectors.

“Some sectors are well regulated and well resourced – think finance or health,” said Wilcox.

“But others, like regional universities or smaller utilities, just don’t have the funding, skills, or time.

“The opportunity here is in ‘collective defence’.

“You can create shared services, run joint simulations, or build regional response hubs.

“But right now, most of the [critical infrastructure] sectors are still working in silos.”

Cyber 'under-prioritised' despite $10 billion GVA

Although cybercrime drove extensive costs for Australian businesses, the ACN reports the cybersecurity sector contributed an estimated $9.99 billion to Australia’s gross value added (GVA).

The sector further attracted $348 million in investment for 2024, while 137,453 people were employed in the Australian cybersecurity workforce (an increase of 9.27 per cent from the year prior).

The report also claims an explosive growth in female-identifying cybersecurity workers, increasing from eight per cent in 2021 to 25 per cent in 2024.

ACN co-founder Jason Murrell meanwhile called for government action to match the needs of the industry.

“The numbers show an industry punching above its weight, especially considering how underfunded, under-coordinated and under-prioritised it remains at a national level,” said Murrell.

“We support the government’s Cyber Security Strategy, but the threat is outpacing the implementation.

“This is not just an industry issue – it’s a national security issue that demands national leadership.”

The ACN noted that, despite recent attacks impacting universities, superannuation, NSW courts, and IVF provider Genea, cybersecurity has been absent from national policy debates during the federal election cycle.

“This silence is a risk in itself,” said Murrell.

“Cyber is a strategic domain. It affects trust in government, the safety of citizens and the viability of supply chains.

“We have got the strategy, now we need the urgency, action and visible political priority.”