Australian business leaders are fighting back against cyber criminals, with ransom payments nearly halving from $1.35 million.
What’s happening: Average ransom payments have nearly halved to $711,000, down from $1.35 million, as organisations strengthen cyber resilience and adopt formal response protocols.
Why this matters: Whilst preparedness is improving, one in five organisations experience multiple attacks regardless of payment, highlighting the critical need for proactive defence strategies over ransom negotiations.
Australian businesses are refusing to pay cyber criminals at unprecedented rates, with new research revealing a dramatic shift in how organisations respond to ransomware attacks.
McGrathNicol’s annual ransomware survey found 64% of Australian business leaders who suffered attacks in the past five years chose to pay ransom demands, a significant decline from 84% in 2024. The average payment has nearly halved to $711,000, down from a high of $1.35 million last year.
The findings emerge from a survey of over 800 decision makers across Australian businesses with 50 or more employees, conducted in partnership with YouGov. The research reveals 69% of business leaders have experienced ransomware attacks in the past five years, with sophisticated global criminal groups continuing to target local organisations.
SMEs remain vulnerable
Darren Hopkins, Head of Cyber at McGrathNicol, said small to medium enterprises remain particularly vulnerable. “SMEs continue to bear the brunt of ransomware attacks. Without dedicated resources and cyber teams, many SMEs are vulnerable to being seen as ‘soft targets’ by cyber criminals, and we are working closely with our clients, industry partners and government to share threat intelligence and respond effectively.”
The data starkly illustrates this vulnerability: 89% of organisations experiencing ransomware attacks in the past 12 months were SMEs.
Hopkins emphasised that paying ransom demands offers no guarantee of resolution. “Paying a ransom does not guarantee data recovery nor does it prevent future attacks. We know that one in five respondents have experienced multiple ransomware attacks regardless of payment.”
Why payment rates are falling
The survey identifies three critical factors driving the decline in payments: insurance coverage amounts continue to decrease, regulatory and reputational pressure is increasing, and growing scepticism surrounds ransom payments as the default recovery option. Higher preparedness levels and increased executive engagement are also contributing to the trend.
The estimated amount businesses would be willing to pay has also decreased substantially to $906,000, down from $1.42 million.
Brendan Payne, Cyber Partner at McGrathNicol, said organisations are shifting toward proactive strategies.
“With more than half of respondents who were attacked and breached saying the attack had a severe or significant impact on their supply chain, it’s good to see business leaders acting to safeguard their people, partners, customers and critical assets. We are seeing a shift towards more proactive resilience and recovery.”
Preparedness improves
The research shows organisations are adopting formal defence measures, with more implementing board notification protocols, crisis planning, and incident response plans. Almost one third of respondents reported their business successfully defended against an attack.
“Year-on-year, we have also seen more organisations adopt formal board notification protocols, crisis planning and incident response plans. Our research supports this. Almost a third of respondents say their business was able to successfully defend against an attack,” Payne said.
The reputational stakes remain high, with 92% of respondents stating that knowledge of a ransom payment would negatively impact their perception of partners and suppliers they conduct business with.
Mandatory reporting gains support
Mandatory reporting under the Cyber Security Act 2024, effective from May 2025, continues to receive strong support from 71% of Australian business leaders. Those who experienced attacks in the past five years show even higher support at 76%, compared to 61% among those without recent attack experience.
Hopkins said organisations that have faced attacks firsthand recognise the value of information sharing, with the reporting framework designed to promote greater visibility, transparency, and industry collaboration.
“At the larger end of town, those in businesses earning $10 million plus are more likely to say they are ‘very prepared’ for a ransomware attack, but we urge executives not to become complacent,” Hopkins said.
“You can’t trust cyber criminals but you can minimise long-term damage to your business through investment in prevention, detection and strong incident response capabilities.”
The survey data shows a consistent pattern across recent years, with average ransom payments sitting at $1.03 million in 2023, $1.01 million in 2022, and $1.07 million in 2021, before peaking at $1.35 million in 2024.