Surrender in the Cyber War: Australian Companies Bow to Hackers

Australian businesses are increasingly capitulating to cybercriminals, with ransomware payments hitting record levels and more organizations willing to pay, according to an alarming new report from McGrathNicol.

The 2024 survey of over 500 Australian business leaders reveals that ransomware attacks have become dangerously normalized, with average payments soaring to $1.35 million - a stark increase from $1.03 million in 2023. Even more concerning, 84% of affected businesses chose to pay ransoms, up significantly from 73% the previous year.

"The first 48 hours are critical," reads one of the report's key findings, with three-quarters of businesses making ransom payments within this timeframe. The impact extends far beyond IT departments, with over half of respondents reporting severe disruptions to their finance operations, and similar numbers citing major impacts on human resources (50%), sales (57%), and supply chain operations (57%).

Ransomware attacks accounted for 11% of all cyber incidents responded to by the Australian Signals Directorate (ASD) in 2023-2024 (up from 8% in the previous year) and 71% of all extortion-related cyber security incidents.

The McGrathNicol survey exposed concerning trends in how ransoms are demanded and paid. Nearly three-quarters (73%) of attackers demanded cryptocurrency payments, with Bitcoin being the preferred method in 49% of cases. The notorious LockBit ransomware group was identified as the most active threat actor, responsible for 17% of attacks.

Despite the rising threat, businesses are taking steps to protect themselves. The report found that 91% of organizations now carry ransomware insurance, with average coverage of $1.47 million. Additionally, 80% have incident response plans in place, up from 61% in 2023.

However, the report also highlighted a significant shift in attitudes toward reporting such attacks. An overwhelming 79% of respondents now believe reporting ransomware attacks to authorities should be mandatory, a substantial increase from 60% in 2023.

This comes as the Australian government implements new legislation requiring organizations with turnover exceeding $3 million to report ransomware payments to the Australian Signals Directorate.

According to law firm Corrs, under the newly legislated Cyber Security Act 2024, “This obligation will commence, at latest six months after the Cyber Security Act receives royal assent, or such earlier date set by proclamation.

“Ransomware reports are to be made within 72 hours of payment and a failure to comply will result in a civil penalty of 60 penalty units (currently $93,900).”

The reputational impact of paying ransoms remains severe, with 88% of respondents stating their view of a company would be negatively affected upon learning of a ransom payment. Despite this, only one in ten businesses say they would refuse to pay under any circumstances, down from 18% in 2023.

The findings suggest smaller and newer businesses are particularly vulnerable. Companies less than 10 years old were significantly more likely to experience attacks (84%) compared to those over 20 years old (45%). Additionally, businesses with fewer than 1,000 employees reported higher rates of successful breaches compared to larger organizations.

These findings come amid a broader surge in cyber threats, with 44% of businesses reporting malware attacks and 39% experiencing business email compromise attacks in the past 12 months.

The full report is available HERE