Updated April 2026 — This post has been substantially revised to reflect the ASD Annual Cyber Threat Report 2024-25, the NCSC New Zealand Cyber Threat Report 2025, and Australia's mandatory ransomware reporting regime under the Cyber Security Act 2024.
Ransomware was already the most disruptive cybercrime threat facing Australian businesses in 2024. In 2025 and into 2026, it has become more organised, more automated, and significantly more consequential. The numbers from Australia's own intelligence agencies and New Zealand's National Cyber Security Centre do not leave much room for complacency.
This post brings together the most current data on ransomware activity across Australia and New Zealand, explains what the new legal landscape means for your organisation, and sets out what boards and leadership teams should be doing right now.
The Australian Signals Directorate (ASD) responded to 138 ransomware incidents in FY2024-25 — making ransomware the single most disruptive cybercrime type for the year. Thirty-nine per cent of those incidents were identified because ASD proactively contacted the affected entity, which means many organisations had no idea they had been compromised until the government told them.
The financial impact has grown sharply. The average cost of cybercrime for Australian businesses rose 50 per cent to $80,850. For large businesses, the figure was $202,700 — up 219 per cent on the prior year. A single UK retailer hit by ransomware in April 2025 faced estimated losses of around $618 million AUD. These are not outlier events. They are the trajectory.
Across the Tasman, the picture is equally concerning. New Zealand's NCSC recorded 88 ransomware reports in 2024/25, up from 63 the year before. The NCSC's direct financial loss figure from cyber incidents reached $26.9 million in 2024/25 — and that figure captures only a fraction of actual impact, with consumer research suggesting New Zealanders could be losing as much as $1.6 billion annually to cybercriminals. Fifty-three per cent of New Zealand small-to-medium enterprises experienced a cyber threat in the first half of 2025 alone, up from 36 per cent in 2024.
Key figures: Australia and New Zealand, 2024-25
138: ransomware incidents responded to by ASD in FY2024-25
$202,700: average cybercrime cost for large Australian businesses, up 219%
88: ransomware reports to NZ's NCSC in 2024/25, up 40% year-on-year
53%: share of NZ SMEs that experienced a cyber threat in the first half of 2025
Sources: ASD Annual Cyber Threat Report 2024-25 (cyber.gov.au); NCSC New Zealand Cyber Threat Report 2025 (ncsc.govt.nz)
The 2024 version of this post noted the rise of Ransomware-as-a-Service (RaaS). That trend has accelerated significantly. More than half of the significant ransomware incidents handled by New Zealand's NCSC in 2024/25 were likely to have involved RaaS tools. These platforms now offer attackers professional-grade negotiation support, victim engagement capabilities, and money laundering infrastructure. Defenders are dealing not just with technically sophisticated adversaries, but with experienced business operations.
The other significant development is the role of AI. Attackers have been early adopters. Generative models now produce convincing phishing emails in fluent English — and in te reo Māori for campaigns targeting New Zealand organisations. Automated vulnerability scanning allows attackers to identify exposed targets at scale, test stolen credentials, and exploit misconfigured cloud services without direct human involvement. The speed advantage this gives attackers is real.
Specific threat groups are also worth naming. The BianLian ransomware group — assessed by ASD, the FBI, and CISA as likely Russia-based — has been actively targeting Australian critical infrastructure, professional services, and property development organisations. Since January 2024, BianLian has shifted to an exfiltration-based model: steal the data first, then threaten to publish it regardless of whether a ransom is paid. In October 2024 the Australian Government imposed financial sanctions and travel bans on three Russian nationals connected to Evil Corp, another prolific ransomware operation.
The practical consequence: ransomware attackers no longer need advanced technical skills, they operate with professional support structures, and they are increasingly automated. Organisations that rely on perimeter security and annual security reviews are structurally exposed.
Abstract threat data is useful. Specific incidents are more instructive. These are among the most significant ransomware events to affect the region in the past two years.
MediSecure, Australia — April 2024
A database held by MediSecure — a provider of sensitive health prescription data — was encrypted by ransomware actors. Subsequent investigation confirmed over 12 million transactional records across a four-year window had been breached, affecting millions of Australians. The incident underscored the specific vulnerability of healthcare organisations holding large volumes of personal health information.
New Zealand health sector organisation — 2025
Many servers and endpoint devices were encrypted and a large amount of data was stolen. The NCSC determined that a lack of multi-factor authentication on a key service had enabled initial access. The organisation recovered because backups had been completed one hour before the attack began. The NCSC noted the incident could have been prevented entirely if MFA had been in place across critical systems — a finding that applies equally to thousands of organisations across both countries.
New Zealand agriculture producer — 2024/25
IT infrastructure was infected with ransomware, halting production entirely. The incident illustrates that ransomware risk is not confined to information-intensive sectors. Any organisation dependent on technology for operations is exposed.
This is the most significant development since the 2024 version of this post. On 30 May 2025, the Australian Government introduced a mandatory ransomware reporting regime under the Cyber Security Act 2024.
If your organisation has an annual turnover above $3 million, or is responsible for critical infrastructure, you are now legally required to notify the Australian Government when a ransomware payment is made. The reporting window is 72 hours. This obligation exists separately from, and in addition to, your notifiable data breach obligations under the Privacy Act 1988 — which are triggered whenever personal information is compromised.
For APRA-regulated financial institutions, additional obligations under CPS 230 and CPS 234 apply around operational resilience and information security capability. In New Zealand, Privacy Act 2020 notification requirements apply when a privacy breach is likely to cause serious harm — a threshold routinely met in ransomware incidents involving data exfiltration.
What this means for your organisation
A ransomware attack is no longer just an operational crisis. It is simultaneously a regulatory event with 72-hour reporting obligations, a privacy event with notification requirements, and a governance event your board will be held accountable for. Organisations that have not prepared their response procedures and reporting workflows before an attack occurs will find it significantly harder to comply under pressure.
The advice here has not changed, and neither has the evidence behind it. New Zealand's NCSC is direct on this point: many organisations that pay a ransom do not recover their data or regain access to their systems. Some face further extortion demands after paying. The data exfiltration model that BianLian and similar groups now use means that even full payment does not prevent stolen data from appearing on the dark web.
The Australian Government and ASD strongly discourage ransom payments. Beyond the practical ineffectiveness, payment signals to attackers that your organisation will pay — potentially making you a target for repeat extortion. Under the new Cyber Security Act 2024 regime, a payment must be reported within 72 hours, meaning there is no quiet way to pay your way out of a ransomware incident.
The focus should be on containment, recovery from verified backups, and working with experienced incident response specialists. That is only possible if those backups exist, are isolated, and have been tested.
The ASD Essential Eight remains the authoritative baseline for ransomware defence in Australia. Of the eight strategies, four are most directly relevant: regular backups (tested, isolated, air-gapped), multi-factor authentication across all remote access services and privileged accounts, restricting administrative privileges, and maintaining a current patching programme. For New Zealand organisations, the same controls map to the NZISM.
Technical controls alone are not sufficient. The NZ health sector incident demonstrated that a single missing MFA control on one service was the entry point for a significant attack. The MediSecure breach demonstrated that healthcare organisations holding personal data at scale face acute exposure. In both cases, the question is not whether these controls exist somewhere in the organisation — it is whether they have been verified, tested, and maintained.
Three things boards should confirm their organisation has in place:
Insicon Cyber works with mid-market organisations across Australia and New Zealand to reduce ransomware exposure before an attack occurs, detect and respond to threats in progress through our 24/7 Adaptive SOC (aSOC), and support organisations through incident response when an attack has happened.
Two starting points for organisations that want to understand their current exposure:
Ransomware Protection
An overview of how Insicon Cyber helps Australian and New Zealand organisations defend against ransomware — from Essential Eight advisory and Fractional CISO services to 24/7 aSOC monitoring and incident response.
Ransomware Readiness Assessment
A structured, three-week assessment of your organisation's ransomware exposure — mapped to the ASD Essential Eight and delivered with a board briefing, executive summary, and technical findings report.
Ransomware will not become less prevalent. The commercialisation of attack tools, the role of AI in scaling campaigns, and the growing regulatory consequences of an incident all point in one direction. Organisations that treat ransomware readiness as a genuine board-level priority — and verify their controls rather than assume them — are materially better positioned than those that do not.
If your board has not had an honest conversation about ransomware exposure recently, that conversation is overdue.