
If you’re a business owner, work for a critical infrastructure entity, or are employed at a government department or agency that has fallen victim to a ransomware attack and has paid the ransom, you’re required to report to the Australian authorities.
Organizations with an annual turnover of A$3 million or more will be required to report any ransom payments for ransomware attacks or cyber extortion to the Australian Signals Directorate (ASD) within 72 hours of the payment. The same goes for organizations involved in critical infrastructure.
The report has to include business and contact details, as well as all known facts of the cybersecurity incident: when the incident came to light, which vulnerabilities were exploited, the variant of ransomware or other malware used, who is responsible for the incident, the amount of ransom paid (whether by the business itself or by a third-party intermediary), and all communications with the threat actor.
There is no mandatory reporting obligation where there is no ransomware or cyber extortion payment. For example, if there is only a demand, but a victim organization chooses not to pay, there is no obligation to report the incident.
The ASD stresses that whether a cybersecurity incident originated overseas or impacts overseas entities does not change the reporting obligation.
“Where a reporting business entity is impacted (directly or indirectly) by an incident, receives a demand, and then elects to make a payment, they are required to submit a report,” the ASD says in a Frequently Asked Questions (FAQ) document.
The mandatory payment reporting started Friday, May 30th. In the initial phase, from now until the end of 2025, the focus will be on raising awareness and encouraging compliance, rather than immediate enforcement. Financial penalties for non-compliance will be A$19,800 if companies don’t submit a ransomware payment report within 72 hours.
Australia is the first country to introduce mandatory ransomware and cyber extortion payment reporting. This shouldn’t come as a surprise, since state-sponsored cyber actors persistently attacked Australian government entities, vital infrastructure, and businesses last year.
“These actors conduct cyber operations in pursuit of state goals, including for espionage, in exerting malign influence, interference and coercion, and in seeking to pre-position on networks for disruptive cyberattacks,” the ASD said in its annual cyber threat report.