From 30 May 2025, eligible business entities are obligated to report any ransomware or cyber extortion payment to the Australian Signals Directorate (ASD) within 72 hours of the payment having been made [1]. This obligation applies to businesses with an annual turnover of $3 million or more, or to any entity that is responsible for a critical infrastructure asset [2].
What is the purpose of ransomware reporting?
In November 2024, the Australian Government enacted new legislation, the Cyber Security Act 2024, to enhance cyber security measures, including the above-mentioned mandatory reporting of ransomware payments, and stricter regulations to protect critical infrastructure.
The Department of Home Affairs and the ASD will collect ransomware payment and cyber extortion reporting information for three key purposes:
- To enable the Government to monitor active threat actors, targeted sectors, attack vectors (e.g. ransomware), methods of communication, and the resulting economic impact.
- To inform the provision of tailored cyber security guidance to industries, particularly SMEs, based on trends identified via received reports.
- To support the development of future legislative and policy measures to combat ransomware and cyber extortion.
What needs to be reported?
Notably, the reporting requirement is triggered by the payment of a ransom, not by the receipt of a demand or the discovery of a ransomware attack.
Basic information that must be contained in a ransomware or cyber extortion report includes:
- Details of the entity that made the payment.
- Details on the cyber security incident, including its impact on the reporting entity. This should cover the date of occurrence, the type of ransomware or malware involved (if known), the method of compromise, and whether any specific vulnerabilities were exploited.
- The nature of the demand made by the threat actor.
- Details of the ransom, including whether it was monetary or non-monetary, and the method by which it was paid.
- A summary of communications between the entity and the threat actor.
According to the legislator's factsheet [3]:
“the legislation captures both monetary and non-monetary benefits that are given or exchanged to an extorting entity as being ransomware or cyber extortion payments. For example, this may include the exchange of gifts, services or other benefits to an entity in respect of the demand.”
Section 7 of the Cyber Security (Ransomware Payment Reporting) Rules 2025 gives more specificity on what information needs to be contained within a ransomware payment or cyber extortion report.
To report a ransomware or cyber extortion payment, an entity can use the form on ASD’s webpage.
Could the information I disclose be used in legal or regulatory proceedings against my organisation?
The Cyber Security Act 2024 does not go so far as to create a ‘safe harbour’ for the disclosure of information; however, it does limit the circumstances in which information shared with the Department can be used.
Information provided to the Department as part of a ransomware or cyber extortion report cannot be used for regulatory action or admitted as evidence in civil or criminal proceedings against the impacted entity, except in certain limited circumstances. The ‘limited use’ [4] obligation is intended to provide additional assurance that cyber security information voluntarily shared with ASD is protected.
Although the initial adoption of mandatory reporting is focused on an ‘education first approach’, regulatory action will be taken for cases of egregious non-compliance. Non-compliance could result in penalties of up to $19,000.
Additional guidance and resources are expected to be made available to support ongoing implementation of, and engagement with, the ransomware reporting obligations, following an initial six-month rollout of the programme.
The outlook for ransomware
Ransomware attacks are increasing. According to ASD’s Annual Cyber Threat Report 2023-24, ransomware is on the rise and cyber criminals are leveraging artificial intelligence tools to conduct increasingly targeted attacks [5].
Considerations for how a business should respond to a ransom demand are complex. However, it should be noted that payment does not guarantee data recovery, as threat actors often retain copies of stolen data.
As a matter of priority, organisations should review and enhance their cyber security response plans to ensure compliance with mandatory ransomware reporting requirements and to ensure they are appropriately informed and ready to respond if and when an incident occurs.
To understand your obligations or to review your cyber risk please get in touch with a Bellrock Advisor.
[1] Cyber Security (Ransomware Payment Reporting) Rules 2025
[2] Entities to which Part 2B of the Security of Critical Infrastructure Act 2018 applies
[3] Factsheet: Mandatory ransomware and cyber extortion payment reporting is active from 30 May 2025
[4] Limited use
[5] Annual Cyber Threat Report 2023-2024