๐Ÿ›ก๏ธ Cybersecurityโฑ 8 min read

Ransomware Protection for Australian SMBs


Ransomware attacks against Australian SMBs increased 67% in 2025: here's how to protect your business before it happens

Ransomware encrypts your business data and demands payment for the decryption key. In Australia, the average ransomware payment demanded from SMBs is $250,000-$500,000, with average business downtime of 21 days. The ACSC reported that ransomware was the most destructive cybercrime type affecting Australian organisations in 2025, with attacks increasingly targeting small and medium businesses that lack dedicated security teams.

How ransomware attacks work

A typical ransomware attack follows five stages:

Stage 1 — Initial access

The attacker gains entry to your systems. The three most common methods targeting Australian SMBs:

  • Phishing emails — a staff member clicks a link that harvests their password or opens a malicious attachment that runs code on their machine (accounts for 65% of initial access)
  • Exploiting vulnerabilities — unpatched software with publicly known vulnerabilities, particularly internet-facing VPN appliances, firewalls and remote access tools
  • Stolen credentials — bought from dark web marketplaces, typically harvested by infostealer malware or leaked in earlier data breaches and reused because the password was never changed

Stage 2 — Lateral movement

Once inside, the attacker moves through your network, escalating privileges, mapping your systems and locating the things that matter most to them: domain admin credentials, file shares and your backup servers. This stage can take days or weeks. The attacker is patient, learning your environment before striking.

Stage 3 — Data exfiltration

Modern ransomware groups steal your data before encrypting it. This enables "double extortion" โ€” they can threaten to publish your data publicly even if you restore from backups.

Stage 4 — Encryption

The attacker encrypts your files, databases and any backups reachable from the network with the credentials they now hold (mapped drives, NAS shares, backup targets joined to the domain). Encryption is often launched out of hours, when nobody is watching. Your business grinds to a halt.

Stage 5 — Extortion

A ransom note demands payment in cryptocurrency. If you don't pay, they threaten to publish stolen data, contact your customers directly, or sell the data to other criminals.

The seven essential protections

1. Offline backups (most critical)

If your backups sit on the same network as your business systems, with the same credentials, ransomware will encrypt or delete them too. Implement the 3-2-1 backup rule:

  • 3 copies of your data
  • 2 different storage types (e.g., cloud + external drive)
  • 1 copy offline, air-gapped (physically disconnected from the network) or immutable (write-once storage, such as cloud object storage with a retention lock that the backup account itself cannot remove)

Test restoration quarterly, time it, and write the result down: a backup you can't restore from is worthless, and a restore that takes two weeks is not much better. Give the backup system its own credentials that no domain admin account can use, so a compromised administrator cannot reach it.
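The restore test above is easy to describe and rarely automated. The following is an added example, not code from the original article: it packs a directory into a tar.gz archive with a SHA-256 manifest stored beside it, then proves the backup restores by extracting it into a scratch directory and comparing every file against the manifest. The manifest file name (`<archive>.sha256`), the 24-hour freshness limit and the sample source tree in `demo()` are assumptions for this demonstration.

```python
"""Added example (not from the original article): build a backup archive with a
SHA-256 manifest, then prove it restores by extracting into a scratch directory
and checking every file against that manifest. Assumed layout: a tar.gz archive
with a '<archive>.sha256' manifest beside it; the source tree in demo() is
constructed for the demonstration."""
import hashlib
import os
import tarfile
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path):
    """Archive every file under source_dir and write a manifest of
    relative path -> SHA-256 next to the archive. Returns the manifest."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(source_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive_path + ".sha256", "w") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")
    return manifest


def load_manifest(manifest_path):
    manifest = {}
    with open(manifest_path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_restore(archive_path, max_age_hours=24.0, now=None):
    """Restore the archive into a scratch directory and verify it.
    Returns (ok, findings). ok is False if the backup is stale, any manifest
    file is missing or altered after restore, or the archive holds extra files."""
    findings = []
    now = time.time() if now is None else now
    age_hours = (now - os.path.getmtime(archive_path)) / 3600
    if age_hours > max_age_hours:
        findings.append(f"backup is {age_hours:.1f}h old (limit {max_age_hours:.0f}h)")
    expected = load_manifest(archive_path + ".sha256")
    restored = {}
    # newer Pythons can apply the 'data' filter, which rejects unsafe members itself
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar.getmembers():
                # The archive is untrusted input: refuse absolute paths and
                # '..' entries ourselves rather than trusting the tar writer.
                if member.name.startswith("/") or ".." in member.name.split("/"):
                    findings.append(f"unsafe path in archive: {member.name}")
                    continue
                tar.extract(member, scratch, **extract_kwargs)
        for root, _dirs, files in os.walk(scratch):
            for name in files:
                full = os.path.join(root, name)
                restored[os.path.relpath(full, scratch)] = sha256_file(full)
    for rel, digest in expected.items():
        if rel not in restored:
            findings.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            findings.append(f"hash mismatch after restore: {rel}")
    for rel in restored:
        if rel not in expected:
            findings.append(f"unexpected file in archive: {rel}")
    return (not findings, findings)


def demo():
    """Constructed sample: back up a small tree, then run three restore checks
    (clean, stale, and a manifest entry the archive cannot satisfy)."""
    base = tempfile.mkdtemp()
    src = os.path.join(base, "src")
    os.makedirs(os.path.join(src, "finance"))
    with open(os.path.join(src, "customers.csv"), "w") as f:
        f.write("id,name\n1,Example Pty Ltd\n")
    with open(os.path.join(src, "finance", "ledger.txt"), "w") as f:
        f.write("2025-01-01 opening balance 0\n")
    archive = os.path.join(base, "backup.tar.gz")
    create_backup(src, archive)
    clean_ok, _ = verify_restore(archive)
    stale_ok, _ = verify_restore(archive, max_age_hours=1, now=time.time() + 3 * 3600)
    with open(archive + ".sha256", "a") as f:  # manifest now claims a file the archive lacks
        f.write("0" * 64 + "  finance/payroll.xlsx\n")
    tampered_ok, tampered_findings = verify_restore(archive)
    return {"clean": clean_ok, "stale": stale_ok, "tampered": tampered_ok,
            "tampered_findings": tampered_findings}


if __name__ == "__main__":
    print(demo())
```

Run it on a schedule against the most recent archive and treat any finding as a failed backup, not a warning. Keep the manifest with the offline copy as well; if the attacker could alter both the archive and its manifest, the comparison proves nothing.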

2. Multi-factor authentication

MFA on all accounts: email, VPN, cloud services and every admin account. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes, which can be intercepted or socially engineered. Microsoft reports that MFA blocks over 99.9% of automated account-compromise attacks, and stolen credentials are one of the three most common ransomware entry methods.

3. Patch management

Apply critical security patches within 48 hours. Enable automatic updates where possible. Focus on internet-facing systems first: VPN appliances, firewalls, email servers, web applications and remote desktop services. Better still, take remote desktop off the internet entirely and put it behind the VPN with MFA; an exposed RDP port is a standing invitation.

4. Email filtering

Deploy email filtering that scans attachments and URLs before delivery. Block macro-enabled Office documents (.docm, .xlsm, .pptm and their template variants) from external senders, and have the filter check the file contents rather than just the extension, because a renamed macro document still carries its macro project. Quarantine suspicious emails for manual review rather than delivering them to inboxes.
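What "check the contents, not just the extension" looks like in practice, as an added example that is not code from the original article or from any particular mail filter: the function below inspects an attachment by name and by bytes. OOXML documents are zip containers, so a macro-enabled file can be recognised by the `vbaProject.bin` entry inside it regardless of what the file is called; legacy binary Office files (OLE2) and zip archives that nest a macro document are flagged as well. The verdict names, the minimal document stubs and the sample file names are assumptions for this demonstration.

```python
"""Added example (not from the original article): decide whether an inbound
attachment should be quarantined, looking at the file contents as well as the
name, because a .docm renamed to .docx still carries its macro project.
The sample documents are constructed stubs, not real Office files."""
import io
import os
import zipfile

# OOXML macro-enabled extensions (Word, Excel, PowerPoint, their templates and add-ins)
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# Legacy binary Office container (OLE2 compound file). It can hold VBA and cannot
# be proven macro-free without a full OLE parser, so it is treated as suspect.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def inspect_attachment(filename, data, external_sender=True):
    """Return (verdict, indicators). verdict is 'deliver', 'review' (macro
    indicators from an internal sender) or 'quarantine' (from an external one)."""
    ext = os.path.splitext(filename.lower())[1]
    indicators = []
    if ext in MACRO_EXTENSIONS:
        indicators.append(f"macro-enabled extension {ext}")
    if data.startswith(OLE2_MAGIC):
        indicators.append("legacy binary Office format (may embed VBA)")
    elif data.startswith(ZIP_MAGIC):
        # OOXML documents and plain .zip attachments are both zip containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return "quarantine", ["zip signature present but container unreadable"]
        if any(n.endswith("vbaproject.bin") for n in names):
            note = "" if ext in MACRO_EXTENSIONS else " despite non-macro extension"
            indicators.append("vbaProject.bin inside container" + note)
        nested = sorted({os.path.splitext(n)[1] for n in names} & MACRO_EXTENSIONS)
        if nested:
            indicators.append("macro-enabled file(s) nested in archive: " + ", ".join(nested))
    if not indicators:
        return "deliver", []
    return ("quarantine" if external_sender else "review"), indicators


def make_zip(entries):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def make_ooxml(with_macro):
    """Constructed minimal OOXML-shaped container: enough structure for the check."""
    parts = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}
    if with_macro:
        parts["word/vbaProject.bin"] = b"\x00" * 32
    return make_zip(parts)


if __name__ == "__main__":
    samples = [
        ("report.docx", make_ooxml(False)),
        ("invoice.docx", make_ooxml(True)),  # a .docm renamed to .docx
        ("budget.xlsm", make_ooxml(True)),
        ("old-contract.doc", OLE2_MAGIC + b"\x00" * 64),
        ("invoice.zip", make_zip({"invoice.docm": make_ooxml(True)})),
        ("invoice.pdf", b"%PDF-1.4\n"),
    ]
    for name, blob in samples:
        print(name, inspect_attachment(name, blob))
```

The two design points worth keeping from this: a file that claims to be a zip but cannot be parsed is quarantined rather than passed through (malformed containers are a common evasion), and internal senders get a "review" verdict instead of an automatic block, which matches the article's advice to hold suspicious mail for a human rather than deliver it.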

5. Network segmentation

Separate your critical systems from general office networks. If ransomware compromises a workstation, segmentation prevents it from reaching your servers, databases and backup systems. Put the backup infrastructure in its own segment that only the backup server can initiate connections into, and block workstation-to-workstation traffic (SMB and RDP in particular), since that is how the attacker spreads from one infected desk to the next.

6. Endpoint detection and response (EDR)

Modern EDR solutions detect ransomware behaviour patterns (mass file encryption, privilege escalation, lateral movement) and can automatically isolate infected machines before the attack spreads. Make sure someone actually receives and acts on its alerts, including after hours and at weekends, when encryption runs are often launched.
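To make the "mass file encryption" behaviour concrete, here is an added example that is not code from the original article or from any EDR product: a small detector run over a constructed file-activity feed. It flags a process that, inside a short window, overwrites many files with high-entropy content (encrypted data has close to 8 bits of entropy per byte) and renames them to a single new extension. The feed also contains a legitimate archiver that writes high-entropy files without renaming anything, to show why both signals are required. The process names, paths, thresholds and the feed itself are assumptions for this demonstration.

```python
"""Added example (not from the original article): a behavioural detector over a
constructed file-activity feed. It flags a process that, inside a short window,
overwrites many files with high-entropy content and renames them to one new
extension, which is the trace a mass-encryption run leaves. Process names,
paths and thresholds are assumptions for the demo, not any product's logic."""
import math
import os
import random
from collections import defaultdict

WINDOW_SECONDS = 60       # look-back window per process
MIN_FILES = 20            # distinct high-entropy overwrites before alerting
MIN_ENTROPY = 7.0         # bits/byte; encrypted or compressed data sits near 8
MIN_SHARE_ONE_EXT = 0.8   # share of renames that land on a single new extension


def shannon_entropy(data):
    """Entropy in bits per byte: 0 for empty input, 8 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events):
    """events: dicts {ts, pid, process, action, path, content}; action is
    'write' (content = bytes written) or 'rename' (path = the new name).
    Returns one alert per matching process, raised at the earliest window in
    which the pattern appears so the host can be isolated early."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        ent = shannon_entropy(e["content"]) if e["action"] == "write" else None
        by_pid[e["pid"]].append((e, ent))  # entropy computed once per write
    alerts = []
    for pid, evs in by_pid.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0]["ts"] - evs[start][0]["ts"] > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            encrypted = {e["path"] for e, ent in window
                         if e["action"] == "write" and ent >= MIN_ENTROPY}
            new_ext = defaultdict(int)
            for e, _ in window:
                if e["action"] == "rename":
                    new_ext[os.path.splitext(e["path"])[1].lower()] += 1
            renames = sum(new_ext.values())
            top = max(new_ext.values(), default=0)
            if len(encrypted) >= MIN_FILES and renames and top / renames >= MIN_SHARE_ONE_EXT:
                alerts.append({"pid": pid, "process": evs[end][0]["process"],
                               "files": len(encrypted),
                               "extension": max(new_ext, key=new_ext.get),
                               "response": "isolate host and suspend process"})
                break
    return alerts


def build_sample_feed():
    """Constructed feed: ordinary document saves, a legitimate archiver (high
    entropy but no renames), and a ransomware-like overwrite-and-rename burst."""
    rng = random.Random(7)

    def random_bytes(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    t0 = 1_700_000_000.0
    feed = []
    for i in range(30):
        feed.append({"ts": t0 + i * 2, "pid": 1201, "process": "WINWORD.EXE", "action": "write",
                     "path": f"C:/Users/alice/Documents/report{i}.docx",
                     "content": b"Quarterly report text, ordinary prose.\n" * 50})
    for i in range(25):
        feed.append({"ts": t0 + i, "pid": 1322, "process": "7z.exe", "action": "write",
                     "path": f"D:/Archive/batch{i}.7z", "content": random_bytes(4096)})
    for i in range(30):
        feed.append({"ts": t0 + i * 0.5, "pid": 4410, "process": "svchost32.exe", "action": "write",
                     "path": f"//FILESRV/Finance/inv{i}.xlsx", "content": random_bytes(4096)})
        feed.append({"ts": t0 + i * 0.5 + 0.1, "pid": 4410, "process": "svchost32.exe",
                     "action": "rename", "path": f"//FILESRV/Finance/inv{i}.xlsx.locked"})
    return feed


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_feed()):
        print(alert)
```

Only `svchost32.exe` (a constructed name) is reported, and it is reported after the twentieth file rather than the last one, which is the point of behavioural detection: the response fires while most of the file share is still intact. Real products add further signals (canary files, shadow-copy deletion, volume of SMB writes from one host), but the entropy-plus-rename pair is the core of it.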

7. Staff training

Train all staff to recognise phishing emails, suspicious links and social engineering attempts, and run simulated phishing exercises quarterly. Just as important, make reporting easy and blame-free: a staff member who reports a click within minutes gives you the head start that contains the attack, while one who hides it gives the attacker weeks.

Should you pay the ransom?

The ACSC and AFP recommend against paying ransoms because:

  • No guarantee — paying doesn't guarantee you'll get your data back. According to Sophos, only 65% of data is recovered on average even after payment, and the decryptor you receive is often slow and unreliable
  • Repeat targeting — businesses that pay are marked as willing payers and targeted again. 80% of businesses that paid were attacked again
  • Funding crime — ransom payments fund further criminal operations, including attacks on other Australian businesses
  • Legal and reporting obligations — payments to sanctioned entities may breach Australian sanctions law, and under the Cyber Security Act 2024 businesses above the turnover threshold must report any ransomware payment they make to the Australian Signals Directorate

The only reliable protection is preparation: offline backups, tested restoration, and security controls that prevent the attack from succeeding in the first place.

What to do if you're attacked

  1. Isolate affected systems — disconnect them from the network immediately (unplug the cable, disable Wi-Fi) but leave them powered on, so memory and running processes are preserved for forensics
  2. Activate your incident response plan — including the out-of-band contact list, because email and Teams may be compromised or unavailable
  3. Report to ACSC — cyber.gov.au/report (ReportCyber), or call the 1300 CYBER1 hotline for urgent help
  4. Report to AFP — via ReportCyber, which passes the report to the AFP or state police
  5. Assess NDB obligations — determine whether personal information was accessed or exfiltrated; under the Notifiable Data Breaches scheme you must notify the OAIC and affected individuals if serious harm is likely
  6. Engage forensic support — determine the scope and method of compromise, and which data was taken, before you rebuild
  7. Restore from clean backups — only after the attacker's access has been removed, all passwords and service credentials have been reset, and compromised hosts have been rebuilt rather than cleaned

Is your business prepared for ransomware?

RabbiiCo Studio assesses your ransomware readiness as part of our VAPT and Essential Eight services. Start with a free security scan to identify your exposure.

Get your free security scan →