Ransomware costs remain secret in Australia as reporting law stalls amid calls for ‘urgent’ action

The true cost of ransoms paid to criminal gangs remains secret in Australia, even though security experts say we should know more.

Ransoms paid by cyber attack victims are soaring in Australia, with companies estimated to be paying $570,000 on average to retrieve stolen files and criminals demanding record sums of up to $50 million from their victims.

But Australia’s full ransomware bill remains a secret despite estimates putting it at more than $2.5 billion, as a proposed law to reveal ransom payments has stalled in the House of Representatives.

Cybersecurity experts are calling for “urgent” action to reinstate the proposal and warn the threat will worsen until the government “addresses the legality of ransom payments”.

Ransomware attacks have skyrocketed in Australia over the past year, with high profile targets including Nine Entertainment, the Australian arm of JBS Foods, UnitingCare and Eastern Health hospitals, and Regis aged care facilities.

Shadow Minister for Cybersecurity Tim Watts. Picture: Mark Stewart

Palo Alto Networks regional chief security officer Sean Duca said as well as the number of ransomware attacks rising, the average ransom demand has jumped by 518 per cent, to $5.3 million.

But the true cost of ransomware in Australia was still unclear, he said, because infected businesses were not required to report whether they paid their attackers.

“Reporting is absolutely a key thing we should be looking at,” he said. “It will help us understand how big the problem really is.”

The Ransomware Payments Bill, proposed by Shadow Cyber Security Minister Tim Watts last month, would see businesses forced to report ransom payments and information about attacks to the Australian Cyber Security Centre.

Small businesses with a turnover of less than $10 million would be excluded from the scheme.

The ransomware proposal has yet to be tabled in parliament and appears to have stalled.

Minister for Home Affairs Karen Andrews at Parliament House in Canberra. Picture: NCA NewsWire / Gary Ramage

But Home Affairs Minister Karen Andrews said the Government was “deeply concerned about the escalating spate of ransomware attacks” and had not ruled out mandatory reporting for ransomware attacks and payments.

“There is no single response which is a silver bullet in the fight against ransomware,” she said.

“The Government continues to consider a range of options to combat the threat of ransomware attacks.”

It’s understood Ms Andrews convened a ransomware roundtable between industry representatives and law enforcement agencies last Friday, which included talks about the possibility of introducing ransomware reporting.

Currently, the proposed Critical Infrastructure Bill would only require large government agencies and service providers to report cyber attacks within 12 hours if an attack had a “significant impact” on operations, and within 72 hours if an attack could impact services.

But Shadow Home Affairs Minister Kristina Keneally said there was an urgent need for ransom payments to be recorded in Australia and “that urgency grows every day”.

“Ransomware costs the nation more than $2.5 billion dollars annually and is a major threat to jobs and investment,” Ms Keneally said.

“A mandatory notification scheme would be a policy foundation for a co-ordinated government response. It’s been endorsed by international experts as well as Michael Pezzullo, Minister Andrews’ own department secretary.”

Avast cybersecurity expert Stephen Kho said recording ransom payments could also help law enforcement agencies track the criminals, as well as discouraging them from targeting Australian firms.

“Currently a lot of businesses who get ransomware and end up paying tend not to disclose this information due to negative publicity, possible reputational damage,” Mr Kho said.

“But by not having this information it hinders us from finding out who is being attacked, who the attackers are, what ransomware is being used, and it makes it a lot more difficult for the police agencies to track this. With this, you could have better tracking.”

Original URL: https://www.heraldsun.com.au/truecrimeaustralia/behindthescenes/ransomware-costs-remain-secret-in-australia-as-reporting-law-stalls-amid-calls-for-urgent-action/news-story/db6ba65a507f204065f0ef51b9f41ccc