Strengthening Cyber Resilience: Australia’s Ransomware Reporting Rules, Ransomware-as-a-Service, and the Power of ISO 27001 & ISO 27701

Australia’s cyber threat landscape is rapidly evolving, with ransomware attacks now among the most destructive forms of cybercrime. In response, the Australian Government has introduced new ransomware reporting obligations under the Cyber Security Act 2024. At the same time, the rise of Ransomware-as-a-Service (RaaS) has transformed cybercrime into a highly organised, business-like industry. This blog explores the new rules, the RaaS phenomenon, and how robust information security frameworks like ISO 27001 and ISO 27701 can help organisations stay compliant and resilient.

Australia’s New Ransomware Reporting Obligations

Who Must Report?
From 30 May 2025, businesses with an annual turnover of $3 million or more—or those responsible for critical infrastructure—must report any ransomware payments to the Department of Home Affairs and the Australian Signals Directorate (ASD). This measure aims to provide authorities with critical intelligence on the scale and impact of ransomware threats.

What Must Be Reported?
Organisations must submit detailed reports within 72 hours of making a ransomware payment or becoming aware of one made on their behalf. Required details include business identifiers, incident timing, impact, ransomware type, exploited vulnerabilities, and all communications with extortionists, including payment negotiations.

Why Is This Important?
Mandatory reporting addresses the chronic underreporting of ransomware attacks, helping the government and industry build a clearer threat picture and improve national response and policy.

Ransomware-as-a-Service (RaaS): Cybercrime Goes Corporate

What Is RaaS?
Ransomware-as-a-Service (RaaS) is a subscription-based model where ransomware developers sell or rent attack tools to affiliates, enabling even those with limited technical skills to launch sophisticated attacks. RaaS kits are marketed on the dark web and often include 24/7 support, user reviews, and bundled offers—mirroring legitimate SaaS providers.

How Big and Organised Are Ransomware Gangs?
Modern ransomware gangs operate like large, legitimate businesses, complete with:

  • Multi-layered management: Roles include leaders, developers, infrastructure and system administrators, penetration testers, and negotiators.
  • Affiliate programs: Just as franchises operate in the business world, affiliates pay to use ransomware tools and share profits with the operators.
  • Customer support: Some RaaS providers offer 24/7 helpdesks, detailed user guides, and even “customer service” for their criminal clients.
  • PR and advertising: Gangs run sophisticated PR campaigns, maintain leak sites, and even vet affiliates before granting access to their tools.
  • Global reach: Groups like LockBit, RansomHub, PLAY, and Akira have conducted attacks worldwide, demanding millions in ransom and causing major disruptions to critical infrastructure and large enterprises.

These organisations are so professionalised that they employ business processes such as advertising, escrow services, and subcontracting, making them resilient and difficult to disrupt.

Real-World Incidents: The Cost of Unpreparedness
Recent high-profile breaches in Australia, such as the Optus and ANU attacks, highlight the devastating impact of ransomware and the importance of robust security controls. These incidents often involve sophisticated tactics, extended periods of undetected access, and significant financial and reputational damage.

How ISO 27001 and ISO 27701 Support Compliance and Resilience

ISO 27001: Information Security Management
ISO 27001 provides a systematic framework for managing sensitive information, focusing on risk assessment, incident management, and continuous improvement. It helps organisations:

  • Identify and mitigate risks proactively
  • Establish clear incident response procedures
  • Regularly review and update controls to address emerging threats

ISO 27701: Privacy Information Management
ISO 27701 extends ISO 27001 to cover privacy, helping organisations:

  • Protect personal data and comply with privacy laws
  • Manage third-party risks
  • Demonstrate accountability to regulators and customers

Together, these standards enable organisations to detect, report, and respond to ransomware attacks in line with Australia’s new legal requirements, while also building a culture of security and resilience.

Practical Steps for Organisations

  1. Review Incident Response Plans: Ensure clear procedures for ransomware detection, reporting, and response.
  2. Train Staff: Raise awareness about ransomware and the importance of timely reporting.
  3. Implement Strong Controls: Use ISO 27001 and ISO 27701 to guide security and privacy practices.
  4. Stay Informed: Monitor legislative changes and emerging threats.

Conclusion

With ransomware attacks growing in scale and sophistication, driven by the rise of RaaS and organised cybercrime, Australia’s new reporting rules are a vital step toward greater transparency and resilience. By adopting ISO 27001 and ISO 27701, organisations can meet their legal obligations, strengthen their defences, and protect their people and data in an era where cybercriminals operate as well-resourced, global businesses.

For more information on ransomware reporting and compliance, visit the CISC explanatory document or contact Global Compliance Certification.
