Australia’s Ransomware Payment Reporting Requirements

In effect from 30 May 2025 | Based on the Cyber Security Act 2024

As cyber threats grow in frequency and sophistication, the Australian government has introduced mandatory reporting obligations for ransomware and cyber extortion payments. These new rules aim to improve national cyber resilience, enable better government response, and reduce the long-term incentive for cybercriminals.

🏢 Who Is Required to Report?

1. Large Australian Businesses

  • Any business or entity operating in Australia with an annual turnover exceeding AUD $3 million.

2. Critical Infrastructure Operators

  • Entities responsible for assets listed under the Security of Critical Infrastructure Act 2018 (SOCI Act). This includes sectors such as:
    • Energy
    • Water
    • Communications
    • Transport
    • Healthcare
    • Food and grocery

3. Third-Party Payments

  • If a ransomware payment is made on your behalf (e.g., by a parent company, insurer, or contractor), you are still obligated to report it once you become aware of the payment.

⏱️ Timeline for Notification

You must notify the government within 72 hours of either:

  • Making the payment yourself, or
  • Becoming aware that a ransomware or cyber extortion payment has been made on your behalf.

⏳ The 72-hour countdown begins from the point of awareness, not necessarily from the moment of the cyber incident itself.

📄 What Must Be Included in the Report?

Reports are submitted via the Australian Signals Directorate (ASD) on the official cyber.gov.au platform and should contain:

Key Information:

  1. Overview of the Incident
    • Nature of the cyberattack (e.g., data encryption, data theft)
    • Timeline of events
  2. Details of the Ransom Demand
    • Communication received from the attacker
    • Amount demanded (in AUD or cryptocurrency)
  3. Payment Information
    • Amount paid and method used (e.g., Bitcoin, Monero)
    • Date and time of payment
    • Who authorized or facilitated the payment
  4. Impact Assessment
    • Systems or data affected
    • Business disruption caused
    • Potential or confirmed data breaches
  5. Communications and Negotiations
    • Summary of interactions with the threat actor (if any)

📍 How to Report

You must lodge the ransomware payment report through the ASD’s online portal:
🔗 cyber.gov.au/report-and-recover/report

⚖️ Legal and Financial Consequences

Penalties for Failing to Report

  • Individuals: Up to 60 penalty units, equivalent to AUD $19,800
  • Corporations: Up to 300 penalty units, equivalent to AUD $99,000

Penalties may apply for each instance of non-compliance and could increase if reporting is repeatedly neglected or false information is provided.

🔐 Use and Protection of Submitted Information

The government has built legal safeguards around reported data to encourage transparency and trust:

  • Information can be used to support incident response, improve threat intelligence, and inform national security planning.
  • It cannot be used to initiate regulatory actions or prosecutions against the reporting entity unless the information reveals unlawful conduct, such as:
    • Money laundering
    • Payments to sanctioned or terrorist-linked entities
  • Agencies involved include the Australian Signals Directorate (ASD), Australian Federal Police (AFP), and relevant regulators under controlled access.

🚫 Ransom Payment Policy: Government Stance

Although paying ransoms is not currently illegal in Australia, the government strongly discourages it for the following reasons:

  • No guarantee the attacker will return your data or unlock your systems.
  • Payments may fund criminal or terrorist organizations, creating national security risks.
  • It can encourage repeat targeting of your organization or sector.
  • Payments could potentially violate sanctions laws if the attacker is linked to a proscribed entity.

For guidance on sanctions-related concerns, contact the Australian Sanctions Office at sanctions@dfat.gov.au.

🧰 Tools and Support Available

  • 📞 Australian Cyber Security Hotline: 1300 CYBER1 (1300 292 371)
  • 📘 Ransomware Playbook – Offers practical steps for responding to ransomware attacks
  • 🧾 Sample incident report templates are available from the ASD portal for ease of compliance
