Misleading Metrics: Unraveling Ransom Payment Statistics in Australia
A recent Australian Financial Review (AFR) article, citing a report by a specialist advisory firm, exemplifies the ongoing challenge that victims face in obtaining meaningful, reliable data on ransomware. At Coveware, we pioneered the rigorous collection of first-hand data to understand ransomware incidents, and we feel compelled to speak out when misleading information is widely distributed. The report presents data that differs materially from the first-hand information we gather, and it promotes a potentially harmful narrative for Australian business decision-making. It claims that the average ransom payment by Australian companies has jumped to $1.35 million in 2024, with 69 per cent of Australian businesses experiencing a ransomware attack in the past five years, and 84 per cent of those paying a ransom - mostly within 48 hours. The data and facts we collect from thousands of ransomware attacks differ materially. Such reporting risks creating a misleading perception of ransomware response strategies, potentially encouraging harmful practices among businesses seeking guidance.
Having assisted hundreds of Australian ransomware victims over the past six years, we can say that our real-world data tells a starkly different story. Unlike the survey-based reporting cited in the article, our direct case experience shows a consistent decline in ransom payments. Over the last five years, we have observed an overall ransom payment rate, defined as the percentage of companies impacted by cyber extortion that end up actually paying the ransom, of 44% among Australian victims. This year, we have seen a continued decline in this rate from 36% in 2023 to just 15% in 2024 to date - something we are incredibly pleased to see. Where the article suggests widespread capitulation to the demands of cybercriminals, our data reveals a more resilient landscape in Australia. For our clients, the average ransom paid by Australian victims in 2024 was USD$240,000—much smaller than the $1.35 million figure cited in the article. Critically, none of the Australian clients we have assisted in the last six years paid a ransom within 48 hours - a statistic that directly contradicts the report's assertion.
The notion that companies can or should pay ransoms within 48 hours is particularly dangerous. Victims who rush to make quick decisions often make choices that are not in their best interest. We aim to provide meaningful data to our clients so that they can make data-driven decisions, avoiding hasty payments that could result in ineffective decryption tools or further extortion attempts by the threat actor. In reality, responding to a ransomware incident is a complex process that requires careful deliberation. Victims must first assess the impact, verify backup availability, contain affected systems, and, if necessary, engage with the threat actor—a process that can take days or even weeks. This is before considering critical steps like compliance checks, receipt of legal advice, insurance discussions, and board and governance processes. Beyond that, negotiating an acceptable ransom demand and procuring cryptocurrency are additional time-consuming processes. The 48-hour payment narrative is not just inaccurate, it's dangerously simplistic.
A Global Example: A nation that does not easily succumb to ransom demands
Australia's approach to ransomware over the last few years is emerging as a global model of resilience. Unlike victims in other countries that more readily capitulate to cybercriminal demands, Australian businesses have demonstrated remarkable restraint. Even the largest organisations handling the most sensitive information (from healthcare to financial sectors) have shown a commitment to avoiding ransom payments except as an absolute last resort. Because many of those large organisations made the bold decision not to pay the ransom, despite facing intense public and regulatory scrutiny, the decision not to pay has become easier for smaller organisations with less sensitive data. The recently passed mandatory ransomware payment reporting legislation further strengthens this stance, potentially discouraging unnecessary ransom payments by requiring organisations to justify their decision to pay. Sadly, victims often mistakenly believe paying a ransom guarantees the safe return of stolen data, but in reality, it doesn't. This point was proven earlier in the year when law enforcement from 10 countries (including Australia) successfully disrupted the criminal operation of the LockBit ransomware group and uncovered that LockBit did not routinely delete stolen data once a ransom was paid. In many cases, paying a ransom only perpetuates future attacks, potentially even on critical infrastructure like hospitals or government bodies.
By creating a framework of transparency and accountability, Australia is not just protecting its own digital ecosystem - it's providing a blueprint for global cybersecurity resilience. At Coveware, we are hopeful that Australia will use the first-hand data collected through the mandatory ransomware reporting scheme to help victims dismiss misleading statistics like those in the report cited by the AFR article. Victims need to be armed with facts to make data-driven decisions moving forward - that will be the next major step in solving the ransomware problem.