Australia Makes Ransomware Payments Public in World-First Cybersecurity Move

Last updated: October 31, 2025
Human Written
  • Australia becomes the first country to mandate that specific companies reveal all ransomware payments following a breach.

  • Law enforcement agencies noted that all victims of cyber attacks must comply with the latest policies, and that defaulters can trigger civil legal actions.

  • A recent survey found that over 70% of 1,000 individuals who were victims of ransomware said they paid the ransom.

The Australian government has taken a bold step by requiring some companies to report settlements where a ransom was paid in response to a data breach. The country’s new policy seeks to establish a clearer view of how often ransomware victims pay and how much cyber criminals receive.

Federal officials believe that more data will support national defense agencies and guide federal policy responses. However, many professionals argue that this approach could be unpredictable and could involve complex trade-offs.

Certain Organizations Must Report Cyber Attacks

Australia’s latest regulation applies to organizations with an annual turnover of more than USD 1.93 million, and targets roughly the most prominent 6.5% of legal entities. Those companies account for nearly half of the nation’s overall economic output.

The rule notes that impacted companies must report the breach incidents to the Australian Signals Directorate (ASD), revealing any payments made. Authorities argue that defaulters will attract civil penalties under the current Australian enforcement system.

Federal authorities have a two-stage rollout process while targeting significant cyber attacks. They plan to do so while sustaining what they call “constructive dialogue” with data breach victims.

Regulators reported earlier that voluntary reporting wasn’t enough since cyber extortion and ransomware cases were heavily underreported in 2024. Only 20% of cyber attack incidents reached the respective federal agency. As a result, the government only knew about 1 out of 5 attacks.

Thankfully, a helpful new policy prompted the Australian government to enforce more stringent laws and impose stricter penalties for non-compliance, aiming to create stronger accountability. The change transforms vague incidents into clear datasets that help investigators make informed decisions.

Will Disclosure Impede Attacks?

Ransomware attacks remain a complicated and ever-evolving mystery, as recent attacks have registered record-breaking espionage globally. All of this has occurred despite high-profile actions from law enforcement agencies.

Many governments have implemented similar regulations, but Australia is the only country with enacted nationwide regulations. In any case, the question is whether the mandated disclosure will actually deter threat actors or just raise the visibility of incidents.

Some argue that the policy could spur the public shaming of data breach victims rather than effectively minimize harm.

Jeff Wichman, director of incident response at Semperis, commented on the latest nationwide development, warning that it can be a double-edged sword with “ambivalent effects.” Wichman noted that while this might offer crucial insights into threat actor patterns, it may fail to minimize overall volume.

In a similar development, Semperis published a study revealing that more than 70% of 1,000 corporate victims of ransomware attacks agreed to pay the ransom. The study shows how pressure on customers, business operations, and revenue can force executives towards payments regardless of the risks.

Also, the results were far from assured, as nearly 60% of paying victims obtained useful decryptors and successfully recovered their stolen data. However, 40% of the victims received either ineffective or corrupted keys. Thus, the research found that the ransom payment is a gamble and not a guaranteed solution.

About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
