The ransomware economy continues to thrive. In 2025, Australian businesses face an uncomfortable truth: it's not a question of *if* you'll be targeted, but *when*. And when that moment arrives, the decision to pay—or refuse—rarely fits into a neat ethical box.
This article isn't about moralising. It's about preparation, options, and building resilience so that payment becomes one choice among many—not your only lifeline.
The Ransomware Reality Check
Let's start with the numbers that matter:
- ▸59% of Australian organisations experienced a ransomware attack in 2024 (Sophos State of Ransomware)
- ▸Average ransom demand: $2.3 million AUD for mid-sized businesses
- ▸Average recovery cost (without paying): $1.8 million AUD
- ▸Average recovery cost (after paying): $2.6 million AUD
Here's the uncomfortable truth the ransomware gangs don't advertise: paying doesn't guarantee recovery, and it rarely reduces total incident costs.
Why Payment Fails
Decryption tools are buggy. Criminals aren't known for quality assurance. Many victims who pay find decryption tools that corrupt files or fail entirely on large datasets.
Double extortion is standard. Even if you pay for decryption, attackers often threaten to leak stolen data unless you pay again—or they simply leak it anyway.
You're now a known payer. Organisations that pay frequently find themselves targeted again within 12-18 months, sometimes by the same group using different infrastructure.
Before the Incident: Building Options
The organisations that weather ransomware best aren't those with the biggest security budgets—they're the ones with the most *options* when crisis hits.
The Immutable Backup Strategy
Immutable backups are your strongest negotiating position. When you can restore operations without the attacker's help, the ransom demand becomes optional.
Key requirements:
- ▸Air-gapped or cloud-immutable storage with write-once-read-many (WORM) protection, using a retention mode the backup service account itself cannot shorten or override, in a tenancy or account separate from production
- ▸Regular restoration testing—backups you can't restore are just expensive false hope
- ▸Offline credential storage for backup systems, isolated from production Active Directory
- ▸Recovery time objectives (RTO) documented and tested quarterly
Reality check: If your backup admin accounts live in the same Active Directory as your production systems, your backups aren't truly protected. Attackers routinely obtain Domain Admin before deploying the payload and use it to delete backups and shadow copies first.
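The point about restoration testing has a practical corollary: a backup set you can read is not necessarily one you can trust, because an attacker who reaches the backup repository can encrypt or replace files in place and rewrite any checksum file stored beside them. The following is an added example (not Cloudscape IT's code or anything from the original article) of a backup manifest keyed with an HMAC whose key lives offline, so that both tampered files and a forged manifest are detected at restore time. The directory layout, file contents and the key constant are all constructed for the demo.

```python
"""Backup manifest integrity check with an offline HMAC key.

Added example, not from the original article. Assumptions (constructed):
the backup lives under a directory tree, the manifest is written to the same
WORM storage, and the HMAC key is held offline (hardware token, sealed
envelope), never on a domain-joined host.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Constructed key for the demo; in practice this never touches production AD.
OFFLINE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large backup images don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and sign the listing with the offline key."""
    entries = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": entries, "hmac": tag}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the backup set is intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # A manifest rewritten by someone without the offline key fails here,
    # so the per-file hashes below can be trusted.
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return ["manifest HMAC mismatch: manifest itself was altered"]
    problems = []
    current = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, digest in manifest["files"].items():
        p = root / rel
        if not p.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    for extra in sorted(current - set(manifest["files"])):
        problems.append(f"unexpected file: {extra}")
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Clean backup, then in-place encryption plus ransom note, then a forged manifest."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (...);\n" * 100)
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = build_manifest(root, OFFLINE_KEY)
        clean = verify_manifest(root, manifest, OFFLINE_KEY)

        # Simulated ransomware: overwrite a file with ciphertext-like bytes, drop a note.
        (root / "db" / "customers.sql").write_bytes(os.urandom(3000))
        (root / "README_RESTORE.txt").write_bytes(b"your files are encrypted\n")
        tampered = verify_manifest(root, manifest, OFFLINE_KEY)

        # Attacker regenerates the manifest to match the encrypted files, but
        # without the offline key the signature does not verify.
        forged = build_manifest(root, b"attacker-does-not-have-the-key")
        forged_result = verify_manifest(root, forged, OFFLINE_KEY)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result or "OK")
```

Run this as part of every scheduled restore test, from a host that is not domain-joined, and treat any non-empty result as a failed backup rather than a warning.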
Cyber Insurance: Read the Fine Print
Cyber insurance can be a lifeline—or a disappointment. Before an incident:
- ▸Confirm ransomware coverage limits and whether they include both ransom payments and business interruption
- ▸Understand notification requirements—most policies require immediate notification, sometimes within 24 hours
- ▸Check approved vendor lists—insurers often mandate specific incident response firms and forensic investigators
- ▸Review exclusion clauses carefully; some policies exclude attacks attributed to nation-state actors or those exploiting unpatched vulnerabilities
Critical: Many insurers now require evidence of basic security controls (MFA, backups, patching) before paying claims. Document your compliance.
Incident Response Retainers
Having a trusted incident response firm on speed dial beats scrambling to find one during a crisis. Retainers typically include:
- ▸Guaranteed response times (often 1-4 hours)
- ▸Pre-negotiated rates
- ▸Familiarity with your environment
- ▸Established relationships with law enforcement and regulators
During the Incident: The First 72 Hours
When ransomware hits, the decisions you make in the first three days determine your recovery trajectory.
Hour 0-4: Containment
Activate your incident response plan immediately. This isn't the time for improvisation.
- ▸Isolate affected systems at the network level (pull the cable, disable the switch port or NIC) rather than powering them off: powering off destroys volatile memory holding encryption keys, running processes and attacker tooling
- ▸Preserve logs, especially from SIEM, EDR, firewalls, VPN and authentication systems, and extend retention so evidence isn't rotated out mid-investigation
- ▸Engage your incident response team and legal counsel
- ▸Notify cyber insurance if coverage applies
- ▸Document everything for potential law enforcement involvement
Don't: Delete logs, wipe systems, or communicate with attackers until you've established your position.
Hour 4-24: Assessment
Understand what you're dealing with:
- ▸Identify the ransomware variant—some have free decryptors (check NoMoreRansom.org)
- ▸Determine scope of data exfiltration—attackers often steal data before encryption
- ▸Assess backup integrity—test restoration on isolated systems before committing
- ▸Calculate business impact—which systems are critical, what's the daily cost of downtime
This assessment informs your negotiation position—or your decision not to negotiate at all.
Day 2-3: Decision Point
By now you should know:
- ▸Whether your backups are viable
- ▸What data was stolen
- ▸Your regulatory notification obligations
- ▸The attacker's reputation (some groups reliably provide decryptors; others don't)
If you have viable backups: The decision becomes easier. Recovery takes time, but you're not dependent on criminals.
If backups are compromised: This is where negotiation expertise matters.
The Negotiation Reality
Ransomware negotiation is a specialised skill. Most organisations shouldn't attempt it alone.
What Professional Negotiators Do
- ▸Verify the attacker's capabilities—can they actually decrypt your files?
- ▸Establish communication channels, usually the group's Tor-hosted chat portal or the contact address given in the ransom note
- ▸Negotiate payment terms—cryptocurrency type, wallet verification, proof of decryptor
- ▸Reduce ransom demands: reductions of 40-70% from the opening figure are commonly reported
- ▸Coordinate payment logistics—cryptocurrency acquisition, transaction timing
- ▸Verify decryptor functionality—test on sample files before full payment
When Negotiation Makes Sense
- ▸Backups are insufficient or would take weeks to restore
- ▸Critical systems are encrypted with no alternative
- ▸The attacker has a reputation for honouring decryptor provision
- ▸Business continuity costs exceed negotiated ransom plus recovery
When to Walk Away
- ▸Free decryptors exist for the ransomware variant
- ▸Backups are viable and tested
- ▸The attacker has no reputation or is known for non-delivery
- ▸Data exfiltration creates greater liability than encryption
- ▸Payment would go to a sanctioned entity (OFAC SDN list, DFAT Consolidated List)
Legal and Regulatory Considerations
Australian organisations face specific obligations during ransomware incidents:
Mandatory Reporting
- ▸Notifiable Data Breaches (NDB) scheme: If personal information is accessed or disclosed and is likely to result in serious harm, you have up to 30 days to assess whether it is an eligible data breach, and must notify the OAIC and affected individuals as soon as practicable once you conclude it is
- ▸Security of Critical Infrastructure (SOCI) Act: responsible entities for critical infrastructure assets must report cyber incidents with a significant impact within 12 hours and other relevant incidents within 72 hours
- ▸Continuous disclosure: ASX-listed entities may need to disclose a material incident to the market promptly under ASX Listing Rule 3.1
Payment Legality
Paying ransoms isn't illegal in Australia, but it is increasingly restricted and now reportable:
- ▸Sanctions compliance: screen the group and any wallet address against the OFAC SDN list and the DFAT Consolidated List before any payment; paying a sanctioned entity is a criminal offence regardless of intent
- ▸Ransomware payment reporting: under the Cyber Security Act 2024, from 30 May 2025 businesses with annual turnover above $3 million (and responsible entities for critical infrastructure assets) must report a ransomware payment to the Australian Government (Home Affairs and ASD) within 72 hours of making it or learning of it
- ▸AUSTRAC: digital currency exchanges are AML/CTF reporting entities, so a large or unusual cryptocurrency purchase will generate reports and questions; arrange acquisition through your negotiator or insurer, not an employee's personal account
- ▸Tax treatment: the deductibility of ransom payments is unsettled; do not assume a deduction without advice
Always involve legal counsel before making payment decisions.
Recovery: Beyond Decryption
Whether you pay or restore from backup, recovery is just beginning.
Technical Recovery
- ▸Rebuild, don't just decrypt—assume persistent access and rebuild systems from known-good images
- ▸Reset all credentials: attackers often harvest credentials before encryption; in Active Directory this includes resetting the KRBTGT account password twice, service accounts, and local administrator passwords
- ▸Close the initial access vector: patch the exploited vulnerability, and if entry was through exposed RDP, VPN or a vendor remote access tool without MFA, fix that before reconnecting anything
- ▸Enhance monitoring—attackers sometimes return using backdoors or stolen credentials
Business Recovery
- ▸Customer and stakeholder communication—transparency builds trust, even in crisis
- ▸Regulatory compliance—complete required notifications and documentation
- ▸Operational review—identify why existing controls failed
- ▸Insurance claims—document all costs for potential recovery
Building Resilience: The Long Game
The organisations that survive ransomware best treat each incident as a learning opportunity—and invest in making the next one less damaging.
Zero Trust Architecture
- ▸Micro-segmentation to limit lateral movement
- ▸Just-in-time privileged access
- ▸Continuous verification of users and devices
Detection and Response
Ransomware doesn't appear overnight. Attackers typically spend days or weeks in environments before encryption:
- ▸EDR on all endpoints—behavioural detection catches pre-encryption activity
- ▸24/7 SOC capability—internal or outsourced, but continuous
- ▸Threat hunting—proactive searches for indicators of compromise
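The "days or weeks before encryption" window is where detection pays off, and two of the most reliable signals are the commands that inhibit recovery (shadow copy deletion, disabling Windows recovery) and a burst of file renames to one new extension by a single process. The following is an added example, not code from the original article or from any EDR vendor, of both rules run over constructed endpoint telemetry in a simple pipe-delimited format assumed for the demo (real EDR schemas differ). Host names, process names and the `.lock3d` extension are made up.

```python
"""Pre-encryption and encryption behaviour detection over constructed telemetry.

Added example, not from the original article. The event format
timestamp|host|process|action|detail is an assumption for the demo.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath


@dataclass
class Event:
    ts: datetime
    host: str
    process: str
    action: str   # "proc" (process start, detail = command line) or "rename" (detail = "old -> new")
    detail: str


def parse(line: str) -> Event:
    ts, host, process, action, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), host, process, action, detail)


# Commands that remove the victim's own recovery options; commonly run minutes
# to hours before the encryptor is launched.
PRECURSORS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 20


def detect(lines, window=WINDOW, threshold=RENAME_THRESHOLD) -> list[str]:
    """Return alert strings for recovery-inhibition commands and mass renames."""
    alerts = []
    recent: dict[tuple[str, str], deque] = defaultdict(deque)  # (host, process) -> (ts, new_ext)
    fired = set()
    for ev in sorted((parse(l) for l in lines), key=lambda e: e.ts):
        if ev.action == "proc":
            if any(rx.search(ev.detail) for rx in PRECURSORS):
                alerts.append(f"{ev.host}: recovery-inhibition command by {ev.process}: {ev.detail}")
        elif ev.action == "rename":
            old, new = (s.strip() for s in ev.detail.split("->"))
            old_ext = PurePosixPath(old).suffix.lower()
            new_ext = PurePosixPath(new).suffix.lower()
            if not new_ext or new_ext == old_ext:
                continue  # ordinary rename, extension unchanged
            key = (ev.host, ev.process)
            q = recent[key]
            q.append((ev.ts, new_ext))
            while q and ev.ts - q[0][0] > window:
                q.popleft()
            # Many files gaining the same new extension from one process in a
            # short window is the encryptor at work; fire once per process.
            if len(q) >= threshold and len({e for _, e in q}) == 1 and key not in fired:
                fired.add(key)
                alerts.append(f"{ev.host}: {len(q)} files renamed to {new_ext} by {ev.process} "
                              f"within {int(window.total_seconds())}s")
    return alerts


def sample_events() -> list[str]:
    """Constructed telemetry: one precursor, one benign rename, an encryption burst, a build job."""
    base = datetime(2025, 3, 4, 2, 15, 0)
    lines = [
        f"{base.isoformat()}|FS01|cmd.exe|proc|vssadmin.exe delete shadows /all /quiet",
        f"{(base + timedelta(seconds=5)).isoformat()}|FS01|explorer.exe|rename|"
        f"/shares/finance/q1.xlsx -> /shares/finance/q1_final.xlsx",
    ]
    for i in range(25):  # encryptor renaming documents one per second
        t = base + timedelta(seconds=10 + i)
        lines.append(f"{t.isoformat()}|FS01|updater.exe|rename|"
                     f"/shares/finance/doc{i}.docx -> /shares/finance/doc{i}.docx.lock3d")
    for i in range(5):  # benign: a build renames a handful of object files
        t = base + timedelta(seconds=40 + i)
        lines.append(f"{t.isoformat()}|DEV07|make|rename|/home/dev/build/o{i}.tmp -> /home/dev/build/o{i}.o")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The threshold and window are tuning knobs: set them from a baseline of your own file servers, and treat the precursor rule as high severity on its own, since legitimate administrators rarely delete all shadow copies quietly at two in the morning.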
Business Continuity Planning
- ▸Tabletop exercises quarterly, including ransomware scenarios
- ▸Alternative workflows for critical processes that don't depend on primary systems
- ▸Communication plans pre-drafted for customers, staff, and media
The Bottom Line
Ransomware is a business problem, not just a technical one. The binary pay-or-don't-pay debate misses the point: the best organisations have built enough resilience that payment becomes optional.
Your goal isn't to make ransomware impossible—it's to make it survivable. That means immutable backups, tested recovery procedures, cyber insurance that actually pays out, and incident response capabilities that activate before panic sets in.
The ransom note isn't when you start preparing. It's when you find out if your preparation worked.
---
Need help building ransomware resilience? Cloudscape IT helps Australian businesses develop incident response capabilities, immutable backup strategies, and security architectures that make ransomware a recoverable event—not a business-ending crisis. Contact us for a ransomware readiness assessment.