Australian businesses fight back as ransom payments to cyber gangs are almost halved
Australian businesses are now paying less to cyber criminals, but a disturbing new 'professional' ransomware model has emerged in the digital underworld.
Ransom payments to cyber gangs have almost halved in Australia as executives become more willing to negotiate, withhold funds to criminals and invest more in digital defences, according to new data from McGrathNicol.
But this dramatic decline masks a disturbing reality – the global criminal enterprises behind the attacks are more successful than ever, professionalising their operations into a ‘trust-based franchise’ model that relies on a surprising degree of professional integrity to ensure victims keep paying.
This so-called ‘professionalism’ was on display when Qantas was caught in a large-scale attack on Salesforce from notorious criminal group Scattered Spider. The gang has threatened to release the data after Salesforce – whose other clients caught in the shakedown include Disney, Google, Ikea and McDonald's – declared it would “not engage, negotiate with or pay any extortion demand”.
But McGrathNicol head of cyber Darren Hopkins said many businesses were willing to negotiate with criminals – a tactic that effectively “stops the clock” and gives more time to manage an attack’s fallout.
Mr Hopkins said that tactic, combined with investing more in cyber security, meant the average ransom payment in Australia had fallen to $711,000 this year, down from $1.35m in 2024. The percentage of businesses that choose to pay is also down significantly, from 84 to 64 per cent.
“The number of incidents hasn’t dropped, and it’s possibly still on the increase. So it’s not a frequency of how many attacks,” Mr Hopkins said.
“We had stats this year that show that businesses were attacked, (but) just didn’t get breached. That means that they defended against something, they saw it, and they stopped it.
“Resilience on the investment is certainly one of the drivers there.
“Businesses are getting better. They’re spending more, they’re doing more, and we’ve even seen that with our clients.”
The estimated average amount businesses are willing to pay has decreased from $1.42m to $906,000.
More tellingly, only 18 per cent of businesses would be willing to pay $1m or more – down from 34 per cent in 2024.
Mr Hopkins said the cyber insurance market was a critical catalyst in this shift, actively discouraging payments.
Since 2022, average coverage has declined to $1.18m from $1.31m, and insurance now factored into only 31 per cent of payment decisions, down sharply from 52 per cent in 2024. Insurers are changing policy structures to incentivise proactive resilience and recovery over payment-dependent strategies.
But for many small and medium-sized businesses, which accounted for 89 per cent of all attacks in the past year, there is no option but to pay up.
Mr Hopkins recalled one client who had to pay the ransom or face insolvency.
“The threat actors will go for the things they know you need. So it’s all about disaster recovery,” he said.
“Can you recover? If they take out your backups, there is no recovery.
“So you’ve got two choices. You try to rebuild from scratch if you can, and for most businesses that’s impossible. Or you pay them for the key to unlock all the systems and that was the insolvency issue one of our clients actually faced.”
This high-stakes environment has enabled the professionalisation of the threat actors themselves, who operate with a calculated level of “honesty.”
Mr Hopkins said ransomware is run like a “franchise type structure” where an operator provides technology and support to affiliates.
To protect their brand and ensure future victims pay, these groups must keep their word.
“When organisations are paid, they will send you a video of them deleting the data. I’ve seen them sign a certificate to say they’ve done it,” he said.
For sectors like healthcare, the decision-making framework is particularly complex.
Restoring business operations quickly (52 per cent) and minimising harm to stakeholders (43 per cent) are the top payment drivers, underscoring the life-critical nature of their operations when systems are disrupted.
The pressure on executive decision-makers has also been compounded by the mandatory reporting regime under the new Cyber Security Act, which requires businesses to notify the government of any ransom payment, including who was paid and a negotiation transcript.
Mr Hopkins said one CEO who made the painful decision to pay submitted the mandatory report and felt a surprising sense of relief, likening it to “confession” and “penance”.
The decline in payment amounts reflects a fundamental shift toward resilience, driven by better corporate investment and higher levels of preparedness, with 32 per cent of respondents reporting their business was able to successfully defend against an attack in the past year.