Australia’s New Ransomware Reporting Law Takes Effect: What Your Business Needs to Know
As of 30 May 2025, Australia’s Cyber Security (Ransomware Payment Reporting) Rules 2025 are officially in force. This new legal requirement, introduced under Part 3 of the Cyber Security Act 2024, requires certain businesses to report ransomware and cyber extortion payments to the federal government within 72 hours of making a payment or becoming aware that one has been made.
This legislation is a key part of Australia’s national cyber strategy to disrupt the ransomware economy, improve threat visibility, and support affected organisations.
Who Must Report?
The law applies to reporting business entities, which include:
- Businesses operating in Australia with an annual turnover exceeding AU$3 million
- Entities responsible for critical infrastructure assets under the Security of Critical Infrastructure Act 2018
This threshold was set to ensure broad visibility while avoiding undue burden on small businesses. According to the Australian Bureau of Statistics, over 90% of Australian businesses fall below this threshold and are exempt from the reporting requirement.
The Ransomware Landscape in Australia
Ransomware remains one of the most damaging and costly cyber threats. Recent statistics reveal:
- 71% of extortion-related cyber incidents handled by the Australian Signals Directorate (ASD) in FY 2023–24 involved ransomware
- 1 in 5 Australian businesses experienced a ransomware attack in the past two years
- 32% of affected companies admitted to paying a ransom or cyber extortion demand
- The average ransom payment in Australia in 2024 was estimated at AU$250,000, with some exceeding AU$1 million
- Cryptocurrency remains the most common payment method, but attackers are increasingly demanding data deletion, insider access, or other non-monetary benefits
These figures highlight the scale of the threat and the importance of coordinated national reporting.
What Must Be Reported?
If your organisation is affected, you must report the incident to the Department of Home Affairs within 72 hours. The report must include:
- Date and time of the incident and payment
- Nature of the demand (e.g., ransom amount, type of threat)
- Payment details (method, amount, recipient)
- Impact on business operations
- Any communication with the threat actor
The law also covers non-traditional extortion, such as threats to leak stolen data or disrupt services unless a payment is made.
What Happens If You Don’t Report?
Failure to comply with the reporting requirement can result in civil penalties of up to 60 penalty units, currently equivalent to AU$19,800.
However, the Department of Home Affairs has committed to an education-first approach during the initial six-month transition period:
- First-time or unintentional non-compliance will typically result in warnings and guidance
- Repeat or deliberate non-compliance may lead to enforcement action and financial penalties
What Should Your Business Do Now?
To prepare for compliance and reduce risk:
- Update your incident response plan to include ransomware reporting procedures
- Train your executive, legal, and IT teams on the new obligations
- Establish a clear internal reporting process to ensure incidents are escalated quickly
- Engage with cybersecurity and legal advisors to review your readiness
- Monitor your environment for signs of ransomware and extortion threats
Sources:
- Department of Home Affairs, factsheet-ransomware-payment-reporting
- Minter Ellison, written by Vanessa Mellis and Paul Kallenbach, published 30 January 2025
- Department of Home Affairs, Cyber Security Act 2024, Act No. 98, 2024