Australian Victims Now Required to Report Ransomware Payments to the Government

Industry
Written by
Anthony M. Freed
Published on
May 30, 2025

Australia has become the first country in the world to mandate that ransomware victims report any ransom payments to the government, The Record reports.

The new law applies to organizations with annual revenues over AUD $3 million, as well as entities in critical infrastructure sectors—capturing around 6.5% of all businesses but representing roughly half of the nation’s economy. Affected organizations must report payments to the Australian Signals Directorate (ASD) within 72 hours or face civil penalties.

The government says the reporting requirement is necessary due to chronic underreporting of ransomware incidents, which limits insight into the true scope and impact of the threat. Authorities plan to focus on the most severe cases of noncompliance at first, with stricter enforcement beginning next year.

The move follows a string of major cyberattacks in Australia and is part of broader efforts to strengthen national cybersecurity. A similar policy is under review in the UK, where the government may block payments to sanctioned entities.

Critics argue that mandatory reporting won’t stop attacks and may publicly shame victims. While some data shows a drop in global ransomware payments, many companies still pay to avoid disruption and data leaks—despite the risk of receiving corrupted decryption keys or having their data exposed anyway.

Takeaway: On the surface, mandatory reporting of ransom payments isn’t the worst idea. We’ve got a serious intel gap when it comes to ransomware. The truth is, we don’t even really know how deep this thing runs because so much of it flies under the radar.

It’s hard to fight what you can’t see. So, yeah, give the government the data. Fine. But here’s the problem: this move from Australia is all stick, no carrot.

If governments were serious partners in this fight, they’d be showing up before the attacks, helping orgs harden their defenses, sharing actionable intel, and putting some real skin in the game. Instead, they’re rolling in after the fact, regulatory clipboards in hand, scrutinizing every decision of the victim org with 20/20 hindsight and looking to assign blame.

That’s not partnership, that’s enforcement. It’s no wonder they don’t get more cooperation from victims with this approach.

This kind of policy screams of governments not knowing how to land a real punch on the actual threat actors. So to save face and look like they’re “doing something,” they put pressure on the only people guaranteed to pick up the phone: the victims. It’s performative and serves only to revictimize the victims.

Better data on this threat is good. But what we actually need is a better strategy by the government to protect organizations from what are effectively nation-state-level attacks.

Look, nobody wants to pay a ransom. We’re absolutely against lining the pockets of cybercriminals. But let’s be real, if the only way for a victim to recover quickly and keep the lights on is to pay, they should have that option on the table.

What we’re not going to do is sit here and let the government dictate response strategies while bringing zero to the fight on prevention. If you’re not offering real, proactive protection or incentivizing robust operational resilience, you don’t get to play Monday morning quarterback after an attack and dictate the response.

Every incident is different. Every victim is different. Every team is dealing with a unique set of circumstances, pressures, and risks. There’s no one-size-fits-all answer here. Recovery needs to be fast, minimally disruptive, and whatever gets the job done should be considered fair play.

So, this isn’t about saying ransom payments should be legal—it’s about the fact that banning them outright while offering no serious support to the victims is not fair play. You can’t handcuff defenders and then just leave them to bleed.
