In a decisive move to strengthen its national cybersecurity posture, the Australian government has enacted legislation mandating the reporting of ransomware payments. This policy shift comes amid a surge in high-profile ransomware attacks that have disrupted businesses, compromised sensitive data, and cost millions in damages. With cybercrime escalating in frequency and complexity, the new law aims to enhance transparency, enable better incident response, and deter criminal enterprises that thrive in secrecy.
The obligation sits in Part 3 of the Cyber Security Act 2024, passed by Parliament in November 2024 as part of the legislative package implementing the 2023-2030 Australian Cyber Security Strategy. It requires businesses above a turnover threshold, together with responsible entities for critical infrastructure assets, to report ransomware payments to the Department of Home Affairs and the Australian Signals Directorate (ASD), lodged through the reporting portal run by ASD's Australian Cyber Security Centre (ACSC), within a strict timeframe. This landmark legislation positions Australia among a growing group of nations that recognize the strategic threat posed by ransomware and are taking concrete steps to address it.

Why Ransomware Payment Reporting Matters
Ransomware attacks have become one of the most prevalent and damaging forms of cybercrime globally. These attacks involve malicious actors encrypting an organization’s data and demanding payment—usually in cryptocurrency—in exchange for decryption keys. Over the past few years, ransomware incidents have targeted everything from hospitals and schools to logistics companies and government agencies.
One of the core challenges in combating ransomware has been the lack of visibility. Many victims choose to quietly pay the ransom and avoid disclosing the attack for fear of reputational harm or regulatory consequences. This silence enables cybercriminals to operate with impunity and makes it difficult for authorities to track attack patterns, trace funds, or mount coordinated responses.
By mandating the reporting of ransomware payments, Australia seeks to:
- Gather critical data about ransomware trends, actors, and tactics.
- Disrupt the economic model of ransomware by increasing law enforcement visibility.
- Provide support and guidance to victims during and after incidents.
- Foster a culture of transparency and resilience in the digital ecosystem.
Key Provisions of the Legislation
The ransomware payment reporting provisions of the Cyber Security Act 2024 introduce several significant requirements:
- Mandatory Reporting A covered entity that makes a ransomware payment, or has one made on its behalf (for example by an insurer or a negotiator), must report it within 72 hours of making the payment or of becoming aware that it was made. The report covers the extortion demand, the payment itself (its amount and form, such as the cryptocurrency used), the ransomware variant involved where known, and communications with the extorting party.
- Scope The obligation applies to organizations carrying on business in Australia whose annual turnover exceeds a threshold set in the rules (AUD 3 million at commencement), and to responsible entities for critical infrastructure assets regardless of size, which captures operators in sectors such as energy, finance, education, and healthcare. Commonwealth and state government bodies are excluded.
- Limited Use and Confidentiality Information in a report is subject to a limited-use obligation: it may be used for threat intelligence, assisting the victim, informing policy, and coordination with other government bodies and international partners, but it cannot be used as the basis for regulatory action against the reporting entity, other than to enforce the reporting obligation itself.
- Penalties for Non-Compliance Failing to report within the window contravenes a civil penalty provision (60 penalty units). The penalty is deliberately modest: the regime is built to encourage reporting, not to punish the payment itself.
- Integration with Incident Response Reporting connects the victim to the ACSC, which can provide technical and operational support to contain the incident, share indicators associated with the variant, and assist in recovery efforts.
Industry and Public Response
The legislation has sparked a wide range of reactions from businesses, cybersecurity professionals, and privacy advocates. Many in the cybersecurity community have praised the law as a necessary step toward breaking the cycle of ransomware payments.
“The only way to get ahead of ransomware is to understand it,” said an ACSC spokesperson. “Mandatory reporting gives us the visibility we need to disrupt threat actors and protect our national interests.”
However, some industry leaders have expressed concerns about the potential administrative burden and unintended consequences of the law. Smaller businesses, in particular, worry about compliance costs and the risk of exposing sensitive information.
Privacy advocates have also raised questions about how the government will handle and store the reported data, calling for robust oversight mechanisms to ensure transparency and accountability.
International Context and Cooperation
Australia is not alone in its push for ransomware transparency. Countries like the United States and the United Kingdom have also considered or implemented similar measures. The U.S. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), enacted in 2022, requires covered critical infrastructure entities to report ransom payments to CISA within 24 hours of payment (and substantial cyber incidents within 72 hours), once CISA's implementing rule takes effect.
Australia's regime differs mainly in scope: it reaches businesses across the economy above a turnover threshold, not only critical infrastructure operators. The ACSC has indicated plans to share anonymized data with international partners through alliances such as the Five Eyes intelligence network and Interpol, strengthening global cyber defense efforts.
This international cooperation is essential because ransomware is a transnational crime. Attackers often operate across borders, using global networks of compromised systems and cryptocurrency laundering schemes to obfuscate their activities. By contributing to international data-sharing efforts, Australia helps build a collective defense strategy that benefits all democratic nations.
Challenges and Limitations
While the new legislation marks a significant step forward, it is not without challenges:
- Underreporting Risks: Despite the mandate, some organizations may still choose not to report payments, especially if they believe the chances of enforcement are low. Cultural resistance to regulatory oversight and concerns about legal liability may also discourage compliance.
- Attribution Complexity: Identifying the perpetrators behind ransomware attacks remains difficult, even with detailed payment data. Attackers often use anonymizing technologies like Tor and cryptocurrency mixers to conceal their identities.
- Impact on Victims: For some businesses, paying the ransom may seem like the fastest way to recover operations. The law does not prohibit payment; it only requires that payments be reported, which critics read as tacit acceptance. They argue that more should be done to outlaw payments and disrupt ransomware economics entirely.
- Threat Actor Adaptation: Cybercriminals may adapt their tactics to avoid detection or to pressure victims into secrecy, such as by threatening public shaming, or by double extortion, in which the attacker demands payment both to decrypt data and to withhold stolen data from publication.
Long-Term Implications
The mandatory reporting law could significantly reshape how Australia—and potentially other nations—approaches ransomware. By collecting detailed data, policymakers can better understand attacker behavior, develop proactive defense strategies, and evaluate the effectiveness of cybercrime interventions.
It may also spur the development of new technologies and services. Cybersecurity vendors could integrate reporting functionality directly into endpoint detection and response platforms. Law enforcement agencies may build advanced analytics systems to trace ransomware flows and identify emerging threats more quickly.
Moreover, organizations may be incentivized to invest more heavily in preventive measures such as:
- Immutable backups
- Zero trust architectures
- Advanced threat detection platforms
- Cyber hygiene training for staff
In the long term, this could lead to a stronger cybersecurity culture and ecosystem, reducing both the incidence and impact of ransomware.
Recommendations for Organizations
In light of the new legislation, Australian businesses should take proactive steps to ensure compliance and strengthen their cybersecurity posture:
- Review and Update Incident Response Plans Ensure your incident response policies include procedures for ransomware reporting and liaison with the ACSC. Include clear workflows and role definitions to minimize delays during a crisis.
- Educate Employees Conduct regular training on ransomware risks, detection, and reporting obligations. Use simulated phishing attacks and tabletop exercises to test readiness.
- Engage with Cyber Insurance Providers Clarify how ransomware payments and reporting obligations affect your coverage, and agree in advance who files the report when the insurer or its negotiator pays on your behalf: a payment made on an entity's behalf still triggers that entity's reporting obligation. Some insurers may offer premium reductions for organizations with strong compliance protocols.
- Strengthen Technical Defenses Invest in endpoint protection, immutable or offline backups, network segmentation, and email filtering. Regularly test restoration procedures to ensure backups are functional and that recovery time is known before an incident, not during one.
- Conduct Regular Security Audits Identify vulnerabilities before attackers do and prioritize patch management. Engage third-party experts for red teaming and vulnerability assessments.
- Establish Legal and PR Contingency Plans Prepare for legal scrutiny and public communications following an attack. Design messaging that reassures stakeholders while fulfilling legal disclosure obligations.
Conclusion
Australia’s decision to mandate ransomware payment reporting represents a bold and necessary step in the global fight against cybercrime. While implementation challenges are inevitable, the law sends a clear message: ransomware will no longer be allowed to operate in the shadows.
By compelling transparency, the government not only enhances its own situational awareness but also empowers the private sector to respond more effectively. As cyber threats continue to evolve, policies like this will be critical in building a more secure, resilient, and informed digital landscape.
The success of this initiative will depend on cooperation, trust, and a shared commitment to cybersecurity—not just as a technical issue, but as a national imperative. In doing so, Australia sets an example for other nations to follow, demonstrating that strong governance, informed policy, and active collaboration can begin to turn the tide in the fight against ransomware.