“What’s clear is that traditional approaches to cybersecurity are no longer working, and current guidance isn’t cutting through,” said James Eagleton, Cohesity’s managing director for Australia and New Zealand. “Despite government advice against paying ransoms, businesses are making the calculation that it’s easier to pay than to deal with the disruption.”
A $10.5 trillion criminal economy
That calculation is precisely what cybercriminals are banking on. Ransomware has evolved into a highly structured global economy that the World Economic Forum projects will cost $US10.5 trillion in 2025 – making it effectively one of the world’s largest economies.
“The economic logic of ransomware is clear: extract maximum payment at the lowest possible cost,” said Craig Searle, director of cyber advisory at Trustwave.
“Australia is particularly exposed to this model due to its relative wealth, high internet penetration, and rapid digital adoption.”
Modern ransomware operates through Ransomware-as-a-Service (RaaS), where affiliates purchase toolkits complete with dashboards and customer support, mirroring legitimate software businesses. Double and triple extortion techniques add revenue streams by threatening to leak stolen data or target supply chains, maximising returns from each compromise.
“Australia remains an enduring target for ransomware and extortion activity, most exemplified by high-profile ransomware attacks in recent years,” said Davyn Baumann, senior intelligence analyst at Google Cloud Security’s Threat Intelligence Group.
“The 2302 global victims listed on data leak sites in Q1 2025 represented the highest single quarter count observed since we began tracking these sites in 2020, confirming the maturity of the cyber extortion ecosystem.”
The Cohesity research found 85 per cent of Australian enterprise businesses suffered a materially impactful cyberattack in the past year, far higher than the 54 per cent global average. Nearly half – 41 per cent – were hit multiple times, compared with just 26 per cent internationally.
And against government advice, almost every impacted business (96 per cent) has paid the ransom, which may explain why more Australian companies are now repeat victims. Of those who paid, 41 per cent handed over more than $US1 million ($1.53 million), with another 41 per cent paying between $153,000 and $1.53 million.
Why paying doesn’t work
While paying a ransom is not illegal under Australian law – consistent with most countries globally – the government strongly discourages it. “[Paying] does not guarantee the recovery of data, prevent its publication or sale, or protect against future attacks,” a Home Affairs spokesperson said.
The financial toll extends well beyond ransom payments. Nine in ten Australian businesses reported revenue losses from cyberattacks, with nearly a third saying those losses reached 10 per cent of annual revenue. Almost all organisations (99 per cent) faced legal or regulatory consequences, with 61 per cent receiving fines or penalties – the highest rate globally. Some 76 per cent of private organisations felt pressure from directors to dismiss senior leaders following attacks.
“From financial loss and leadership pressure to eroding customer trust, consequences are no longer confined to the IT departments,” Eagleton said.
Security experts warn paying ransoms rarely delivers what victims hope for. Less than half of ransom payers successfully recover their data, with much of it corrupted.
“In effect, every payment strengthens the broader ecosystem, incentivising further attacks,” Searle said. “Understanding ransomware as an economic system, rather than a technical nuisance, is essential for modern businesses.”
There have been calls for the federal government to outright ban ransom payments, but Eagleton pushed back against that idea.
“Obviously, situations differ case by case,” he said. “A strong investment in the ability to respond and recover [is key].”
“We find ourselves paying more ransoms … and that, in turn, is attracting more bad actors … We need to break out of that cycle, and certainly reducing the ransom paid is going to help.”
From May 30 this year, Australia became the first country to mandate ransomware payment reporting, requiring businesses with over $3 million turnover to notify the Australian Signals Directorate within 72 hours. The scheme includes a six-month education phase before enforcement ramps up in 2026.
But the legislation doesn’t require government to release the data publicly – a missed opportunity, according to Jocelinn Kang, a resident technical fellow at the Australian Strategic Policy Institute.
“The ransomware problem is too big for the government to solve alone,” Kang said. “Public reporting of the information, with identities removed, would help the broader cybersecurity ecosystem to direct resources where they’re needed most.”
A Home Affairs spokesperson acknowledged that “ransomware attacks remain significantly underreported and the Australian Government does not have reliable data on the ransomware and cyber extortion threat environment. Poor visibility impacts incident response and harms mitigation efforts.”
Kang argues that keeping the data siloed within government agencies squanders its potential value. Cybersecurity firms, managed service providers and researchers all play crucial roles in defending against ransomware, but can only do so effectively with access to threat intelligence.
“Ransomware is not just a government problem; it is also a commercial, legal, insurance, technological and social one,” she said.
For now, Qantas’ decision to refuse payment makes it an outlier in an Australian corporate landscape that has, perhaps inadvertently, signalled to criminals that Australia is open for business.