18 May 2026 Compliance

Australia's 72-Hour Ransomware Reporting Law: What Every Business Must Know About Phase 2 Enforcement

Since 1 January 2026, Australia's mandatory ransomware payment reporting regime has moved from its "education-first" Phase 1 into active enforcement. Businesses with annual turnover exceeding $3 million — and all critical infrastructure operators regardless of size — now face civil penalties of up to AUD $19,800 for failing to report a ransomware or cyber extortion payment within 72 hours of making it. Here is a plain-language guide to what the law requires, who it captures, and how to reduce your risk of ever needing to use the reporting form.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

What the Mandatory Ransomware Reporting Regime Actually Requires

Australia's mandatory ransomware and cyber extortion payment reporting regime is established under Part 3 of the Cyber Security Act 2024, which received Royal Assent in November 2024 after years of consultation. The reporting obligation is administered by the Australian Signals Directorate (ASD) and sits alongside — but is distinct from — the Notifiable Data Breaches scheme under the Privacy Act 1988.

The core obligation is straightforward: if your organisation makes a ransomware or cyber extortion payment, or becomes aware that a third party has made such a payment on your behalf, you must submit a report to the ASD within 72 hours. The 72-hour clock runs from the moment payment is made, not from when you discover the attack or start investigating.

Who must report: The obligation applies to two categories of entity. First, any business with an annual turnover exceeding $3 million in the most recent financial year. Second, any responsible entity for critical infrastructure assets under Part 2B of the Security of Critical Infrastructure Act 2018, regardless of revenue. In practice, this captures mid-market businesses, most ASX-listed and other publicly traded firms, and operators of energy, water, transport, health, and financial services infrastructure.

What your report must include: The ASD's reporting form collects the following information — the date and time the incident occurred; the systems and services affected; the type of ransomware or extortion incident; any known vulnerabilities that were exploited; the nature and amount of the payment (including the cryptocurrency type and approximate AUD equivalent); and the content of any communications with the threat actor. The form is available on the Department of Home Affairs Cyber Security Act page.

An important protection: Information you provide in a ransomware report is legally protected. It may only be used for specified "permitted purposes" — assisting with cyber security, supporting law enforcement, or informing government policy. It cannot be used as evidence in civil or criminal proceedings against the reporting entity. The government was explicit that this protection was necessary to encourage honest reporting; businesses were unlikely to disclose payment details if those details could later be used against them in court.

It is also worth noting what the regime does not require: you are not required to notify your customers or the public solely because you made a payment. That separate obligation may arise under the Notifiable Data Breaches scheme if personal information was accessed — but the ransomware reporting obligation is a regulatory report to the ASD, not a public disclosure.

Phase 2: From Education to Enforcement — Why the Stakes Changed on 1 January 2026

The ransomware reporting regime launched on 30 May 2025 in Phase 1, which the government described as "education-first." During that seven-month window, the ASD focused on helping businesses understand their obligations rather than penalising missteps. Regulators accepted late reports, engaged in outreach, and published guidance material through the Australian Cyber Security Centre (ACSC).

From 1 January 2026, Phase 2 began. The ASD's stated position is that enforcement will "focus on more serious or repeated non-compliance," but that framing should not be read as a broad exemption for first-time offenders. The education period is over; the expectation is that captured entities are now familiar with their obligations. A failure to report — particularly one that comes to light through other channels, such as a law enforcement investigation or a leak — is likely to attract a higher penalty response than a good-faith late submission.

The maximum civil penalty is 60 penalty units, which at the current Commonwealth penalty unit rate of $330 equates to approximately AUD $19,800. This is not a trivial sum for a small business, and it can be imposed per incident. Multiple payments or multiple failures to report in a single attack sequence could attract compounding penalties.

The threat context in Australia makes this more than a theoretical compliance exercise. According to ASD's Annual Cyber Threat Report, ransomware was responsible for a significant proportion of cyber incidents reported to the ACSC in 2024–2025. Groups including DragonForce, Qilin, and Space Bears have all named Australian businesses as victims in their data leak sites during 2025 and into 2026. Australia's relatively strong economy, comparatively high rate of cyber insurance uptake (which creates a perception that Australian businesses will pay), and significant English-language digital footprint all make it an attractive target for ransomware operators.

The government's broader intent is intelligence-driven, not punitive. The ASD uses mandatory payment reports to map which threat actors are extracting money from Australian businesses, which cryptocurrency wallets receive ransom proceeds, and which vulnerabilities are being actively exploited — data that informs industry briefings, sanctions policy, and law enforcement operations. Your 72-hour report is not just a compliance box; it contributes to the collective defence of Australian businesses.

How Ransomware Actually Reaches Australian Businesses

Effective compliance with the ransomware reporting regime requires understanding how ransomware attacks actually begin — because the 72-hour reporting clock starts at payment, not at discovery. Businesses that understand their typical attack surface are better placed to detect intrusions early enough to contain them before encryption occurs, potentially avoiding a payment situation altogether.

Credential theft and phishing remain the dominant entry vectors

The majority of ransomware intrusions begin not with a zero-day exploit but with a compromised credential. Attackers either purchase stolen credentials from infostealer markets — where login details harvested from malware-infected devices sell for a few dollars each — or they conduct phishing campaigns specifically designed to capture business email passwords, VPN credentials, and remote desktop logins. Once an attacker has valid credentials for a remote access service, they can log in as a legitimate user, often without triggering any security alert.

Research by cybersecurity firms consistently shows that credential-based access is the starting point for a majority of ransomware incidents. The implication for Australian businesses is direct: if your staff reuse passwords across personal and business accounts, or store passwords in browser autofill, a single infostealer infection on a personal device can hand an attacker valid login credentials for your corporate environment. This is not a theoretical risk — investigations of the Big Four Australian bank credential thefts published in 2025 showed that thousands of credentials had been harvested via infostealer malware on employee personal devices, often months before any detection.

Unpatched remote access services

Remote Desktop Protocol (RDP), VPN endpoints, and web-facing management interfaces represent the second major entry category. Ransomware groups actively scan the internet for exposed RDP ports and known-vulnerable versions of popular VPN products. When a critical vulnerability is disclosed — such as the authentication bypass flaws in Cisco SD-WAN and cPanel/WHM that received ACSC alerts in early 2026 — operators move to exploit them within hours or days, well before many businesses have applied patches.

The concern for the reporting regime is that attacks initiated via these channels can have long dwell times. Ransomware operators frequently spend weeks or months inside a network before deploying the encryption payload — mapping file shares, escalating privileges, disabling backup systems, and exfiltrating data to use as double-extortion pressure. By the time files are encrypted and ransom demands arrive, the intrusion may have started months earlier. The reporting obligation requires you to report the payment, not the initial breach, but a post-incident investigation may reveal an exposure timeline that creates separate obligations under the Privacy Act.

Supply chain and third-party software compromise

A growing proportion of ransomware incidents reach Australian businesses through compromised third-party software or service providers. Software supply chain attacks can deliver ransomware precursors to thousands of businesses simultaneously via a single poisoned update. Managed service providers (MSPs) are a recurring target because a single MSP compromise can expose dozens of client networks. The ACSC recommends businesses assess the security posture of their IT service providers as part of their own risk management.

What Your Business Must Do: Before, During, and After an Attack

Before an attack: reduce your attack surface and prepare

Determine whether you are captured by the regime. Calculate your organisation's annual turnover. If it exceeds $3 million, you are a "reporting business entity" under the Cyber Security Act. If you operate or own a critical infrastructure asset — energy, water, transport, telecommunications, health, financial services, data storage, defence — the obligation applies regardless of turnover. If you are a managed service provider that might make payments on behalf of clients, you need to understand whether those payments could trigger your own reporting obligations or those of the client.

Document a ransomware-specific incident response procedure. A general incident response plan is not sufficient. Your ransomware procedure should include: who makes the decision to pay (with legal counsel engaged before that decision is made); who submits the ASD report and how; how the 72-hour deadline will be tracked under pressure; and who is authorised to communicate with law enforcement and cyber insurers. This procedure should be tested in a tabletop exercise at least annually.

Eliminate browser-stored credentials from your business environment. Because credential theft via infostealer malware is the single most common ransomware entry vector, removing stored passwords from browsers eliminates one of the most reliably exploited attack surfaces. Browser password stores are a primary target for off-the-shelf infostealers precisely because they are so universally populated. A dedicated business password manager enforces unique, randomly generated credentials for every service, stores them in an encrypted vault that is not accessible to browser-targeting malware, and provides visibility over which credentials your team holds.
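One way to enforce the control described above on Windows endpoints, as an added example that is not code from the original post or from any vendor it mentions: it sets the machine-level browser policy value PasswordManagerEnabled to 0 for Chrome, Edge and Firefox and then audits the result. It assumes the standard registry policy paths shown, an elevated session, and that the same values would normally be pushed via GPO or Intune rather than run by hand.

```powershell
# Added example (not from the original post): disable each browser's built-in
# password store through its documented policy key, then report compliance.
# Assumes the three policy paths below and an elevated PowerShell session.

$BrowserPolicies = @(
    @{ Browser = 'Google Chrome';   Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome' }
    @{ Browser = 'Microsoft Edge';  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' }
    @{ Browser = 'Mozilla Firefox'; Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox' }
)

function Disable-BrowserPasswordStore {
    foreach ($p in $BrowserPolicies) {
        if (-not (Test-Path $p.Path)) {
            New-Item -Path $p.Path -Force | Out-Null
        }
        # PasswordManagerEnabled = 0 stops the browser from offering to save
        # or autofill logins, pushing staff to the business password manager.
        New-ItemProperty -Path $p.Path -Name 'PasswordManagerEnabled' `
            -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Test-BrowserPasswordStore {
    # Returns one row per browser so the output can feed an asset inventory
    # or an Essential Eight evidence pack.
    foreach ($p in $BrowserPolicies) {
        $value = (Get-ItemProperty -Path $p.Path -Name 'PasswordManagerEnabled' `
                  -ErrorAction SilentlyContinue).PasswordManagerEnabled
        [pscustomobject]@{
            Browser   = $p.Browser
            Policy    = if ($null -eq $value) { 'not set' } else { $value }
            Compliant = ($value -eq 0)
        }
    }
}

Disable-BrowserPasswordStore
Test-BrowserPasswordStore | Format-Table -AutoSize
```

The policy blocks new saves and autofill; it does not by itself remove credentials already written to disk by earlier browser sessions, so migrate those into the password manager and clear the browser stores as a separate step.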

NordPass for Business provides team-level credential management with secure sharing, breach monitoring, and multi-factor authentication enforcement. It removes the browser credential store as an attack surface, ensures that a single compromised personal device does not expose business system passwords, and gives administrators visibility over credential usage across the organisation. For businesses trying to reduce their ransomware risk without a large security budget, eliminating password reuse and browser-stored credentials is one of the highest-return technical controls available.

Engage cyber insurance appropriately. Cyber insurance policies typically have specific conditions around ransomware payments, including requirements to notify the insurer before paying. Verify that your policy covers ransomware events and that your insurer's requirements are compatible with the 72-hour ASD reporting obligation. Some policies also cover the cost of incident response, forensic investigation, and legal counsel — resources that are critical in a live ransomware incident.

During an attack: the 72-hour window

Do not pay without legal counsel. DFAT sanctions law may prohibit payment to certain designated entities — paying a sanctioned ransomware group is potentially a criminal offence under the Autonomous Sanctions Act 2011. Legal counsel should review the known or suspected threat actor before any payment is considered. The ASD's 24/7 hotline (1300 CYBER1) can provide advice during an active incident.

If you pay, start the clock immediately. The 72-hour window is tight during a crisis. Assign a specific person to own the ASD report submission before an incident occurs, with the form bookmarked and relevant contact details on hand. An initial good-faith report lodged within 72 hours and supplemented later is far better than a late report.

The Broader Compliance Picture: Privacy Act, DFAT Sanctions, and Essential Eight

The ransomware reporting regime is one layer of a broader compliance environment that Australian businesses need to navigate. Understanding how the different obligations interact — and where they overlap — is important for building a coherent response programme.

The Notifiable Data Breaches scheme runs in parallel. If a ransomware incident involves unauthorised access to personal information, separate notification obligations apply under the Privacy Act 1988. The NDB scheme requires notification to the OAIC and affected individuals when a breach is likely to result in serious harm. The ASD ransomware report and the OAIC notification are separate obligations with different timelines and recipients — a business may need to submit both simultaneously, reinforcing the need for pre-built procedures.

DFAT sanctions create a hard limit on who you can pay. Australia's autonomous sanctions regime, administered by the Department of Foreign Affairs and Trade, designates certain individuals, entities, and programmes as sanctioned. Several major ransomware groups and their operators have been sanctioned by Australia, the United States, and the United Kingdom acting in coordination. Paying a sanctioned entity — or making a payment that you reasonably suspect will reach a sanctioned entity — is potentially a criminal offence under the Autonomous Sanctions Act 2011. The government does not provide a "good faith" exception for ransomware payments. This means that before paying any ransom, checking the DFAT consolidated list is not just good practice — it is legally necessary.

The Essential Eight provides a prevention roadmap. The ASD's Essential Eight Maturity Model is the most practical ransomware-reduction framework available to Australian businesses. The eight mitigations — application control, application patching, macro configuration, user application hardening, restricting admin privileges, OS patching, multi-factor authentication, and regular backups — directly address the entry and persistence vectors ransomware operators exploit most frequently. Reaching Maturity Level 2 significantly reduces the probability that an attacker who gains initial access will successfully encrypt your environment. Guidance is free at cyber.gov.au.

Backups must be tested and isolated. Reliable, tested, offline or immutable backups are the single most effective control for limiting the business impact of a ransomware incident. Ransomware operators routinely target backup systems during their dwell period — deleting cloud backups, disabling backup agents, and encrypting network-attached stores. Backups that are not isolated from the primary environment may be compromised along with primary data. Verified, air-gapped or immutable backups are what separate a recoverable incident from an existential business threat.

Cyber insurance is a risk transfer mechanism, not a security strategy. The growth of cyber insurance in Australia has contributed to ransomware groups' targeting of the country — the perception that insured businesses are more likely to pay creates an incentive for attacks. Insurers have responded by tightening coverage conditions and requiring evidence of specific security controls before issuing or renewing policies. Review your policy annually to ensure coverage conditions are being met and that limits are appropriate for your current data footprint.

The mandatory ransomware reporting regime is ultimately an information-sharing mechanism wrapped in a compliance obligation. Businesses that treat it purely as a checkbox miss the point — the intelligence gathered through mandatory reports helps the ASD identify active threat actors and support international operations to disrupt ransomware infrastructure. Your 72-hour report, submitted under pressure, is part of that collective effort.


The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.