Cybersecurity desk · Mon, Jun 8, 2026 · 11:01 UTC

Ransomware in Australia: what every IT team needs to know in 2026

Ransomware remains the most disruptive cyber threat facing Australian organisations in 2026, with attackers targeting critical infrastructure, healthcare, and mid-market businesses alike. Here is what every IT team needs to know right now.

Photo by Tyler on Unsplash

Ransomware has not gone away. If anything, the threat facing Australian organisations in 2026 is more structured, more targeted, and more professionally run than at any point in the past decade. Attackers have moved from spray-and-pray campaigns to deliberate, intelligence-led intrusions that can sit undetected for weeks before encryption begins. For IT teams, that shift changes almost everything about how you prepare, detect, and respond.

How the threat landscape has evolved

The most significant change in ransomware over the past few years is the rise of ransomware-as-a-service (RaaS). Criminal groups now operate like franchises: a core team builds and maintains the malware and negotiation infrastructure, then leases access to affiliates who handle the actual intrusions. This model has lowered the technical bar dramatically. An affiliate does not need to write code. They need to know how to exploit a vulnerable VPN appliance, purchase valid credentials on a dark-web marketplace, or abuse a misconfigured remote desktop service.

Australian organisations have featured consistently in ACSC incident reporting, with sectors including healthcare, education, logistics, and local government repeatedly targeted. The supply chain dimension has added another layer of risk: attackers increasingly compromise a managed service provider or software vendor to reach dozens of downstream customers in a single operation. An IT team that has hardened its own perimeter can still be caught out through a trusted third party.

The anatomy of a modern ransomware attack

Understanding the typical attack chain helps IT teams know where to invest their defensive energy. Most modern ransomware incidents follow a recognisable pattern:

  • Initial access: usually via phishing, exposed remote access services (RDP, VPN), or exploitation of an unpatched vulnerability.
  • Persistence and lateral movement: the attacker establishes a foothold, elevates privileges, and moves through the network to identify high-value systems. This phase can last days to weeks.
  • Data exfiltration: before encryption begins, data is quietly copied out. This enables "double extortion": pay to decrypt, or pay again to prevent publication.
  • Deployment: encryption is triggered, often at a time calculated to maximise disruption (weekends, public holidays, after-hours).
  • Extortion: a ransom demand arrives with a countdown timer and, increasingly, proof of stolen data.

Why Australian businesses remain attractive targets

Australia's comparatively high GDP per capita, widespread use of English (which simplifies phishing), and a mid-market business sector that has historically underinvested in security all make local organisations appealing targets. Critical infrastructure in particular has drawn attention: energy, water, healthcare, and transport operators are attractive because operational disruption creates pressure to pay quickly. The Essential Eight maturity model exists precisely because the Australian Signals Directorate identified these gaps and built a mitigation framework around the most common attack vectors. Organisations that have not progressed beyond Maturity Level 1 remain significantly exposed.

The Notifiable Data Breaches scheme also means that a successful ransomware attack involving personal data carries regulatory obligations alongside the operational crisis. Boards and executive teams are increasingly aware that a breach is not just an IT problem. It triggers OAIC notifications, potential civil liability, and reputational damage that can persist long after systems are restored.

The Essential Eight and ransomware

The ASD's Essential Eight mitigation strategies map directly onto the ransomware attack chain. Application control, patching of operating systems and applications, restricting macros, and multi-factor authentication each close off vectors that ransomware affiliates routinely exploit. Regular backups, tested and stored offline or in an immutable state, remain the single most important recovery control. An organisation with verified, recent, offline backups can recover without paying a ransom. Without them, the calculus changes painfully.

Several controls deserve particular attention in the current environment. User application hardening limits the ability of malicious code delivered via the browser or email client to execute. Restricting administrative privileges reduces the blast radius if an attacker gains a foothold, because they cannot immediately move to domain administrator and push encryption tools across the entire estate. Patching internet-facing services within 48 hours, when a vendor rates a vulnerability critical or a working exploit exists, has become the minimum expected standard, not a stretch goal.

What to do when an attack is underway

Speed matters, but panic costs more than it saves. A ransomware incident response should follow a pre-prepared playbook rather than being improvised under pressure. The key steps in the first hours:

  • Isolate affected systems from the network immediately: pull the cable, disable the switch port or the Wi-Fi profile, but leave the machines powered on if forensic evidence may be needed, because shutting down destroys volatile memory.
  • Contact your cyber insurer before engaging a third-party incident response firm. Many policies have panel requirements.
  • Preserve logs from network devices, Active Directory, and endpoint detection tools. Attackers often attempt to delete logs; having a separate logging infrastructure that cannot be reached from the corporate estate is valuable.
  • Notify the ACSC via ReportCyber. Reporting the incident itself is voluntary for most private sector organisations (critical infrastructure entities regulated under the SOCI Act have their own mandatory incident reporting), but the ACSC can provide technical assistance and the data helps protect other Australian organisations.
  • Assess whether personal data has been exfiltrated. If it has, your NDB obligations under the Privacy Act begin running: the assessment of whether the breach is likely to result in serious harm must be completed within 30 days, and an eligible data breach must be notified to the OAIC and to affected individuals.
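The "preserve logs" step above is where most playbooks stop being specific. As an added example (not part of the original article), the following Python script triages a handful of constructed Windows Security events, in the JSON-per-line shape a log forwarder might emit, and flags the pattern the article describes: a remote desktop logon from outside the organisation's own address ranges, followed by privileged activity under the same account, followed by the Security log being cleared. The event IDs are the standard Windows ones (4624 logon, logon type 10 for RDP; 4672 special privileges assigned; 1102 audit log cleared); the sample events, host names, account names, the internal address ranges and the rule names are all assumptions made for the example.

```python
"""Triage constructed Windows Security events for ransomware precursors.

Added example: the events below are constructed, not real telemetry.
"""
import ipaddress
import json

# Constructed sample events, one JSON object per line (assumed forwarder format).
SAMPLE_EVENTS = """
{"ts": "2026-06-06T23:41:02Z", "host": "FS01", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.45"}
{"ts": "2026-06-06T23:45:17Z", "host": "FS01", "event_id": 4672, "user": "svc_backup", "src_ip": "-"}
{"ts": "2026-06-06T23:52:40Z", "host": "FS01", "event_id": 1102, "user": "svc_backup", "src_ip": "-"}
{"ts": "2026-06-07T08:10:05Z", "host": "WS042", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.20.4.17"}
{"ts": "2026-06-07T08:12:00Z", "host": "WS042", "event_id": 4624, "logon_type": 2, "user": "jsmith", "src_ip": "-"}
"""

# Standard Windows Security event IDs.
LOGON = 4624
SPECIAL_PRIVILEGES = 4672
AUDIT_LOG_CLEARED = 1102
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Assumed internal address space for the example organisation. An explicit list is
# used rather than ipaddress's is_global, so the check reflects *your* ranges.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_events(text):
    """Parse JSON-per-line events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_external(ip):
    """True when the source address parses and is outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-" or missing: Windows logs this for local logons
        return False
    return not any(addr in net for net in INTERNAL_RANGES)


def _finding(host, event, severity, rule):
    return {"host": host, "ts": event["ts"], "user": event.get("user"),
            "severity": severity, "rule": rule}


def triage(events):
    """Emit findings per host; correlate the external-RDP -> privilege -> log-clear chain."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)

    findings = []
    for host, evs in by_host.items():
        stage = {}  # account -> how far along the chain it has progressed (1 or 2)
        for e in evs:
            user = e.get("user")
            if (e["event_id"] == LOGON and e.get("logon_type") == RDP_LOGON_TYPE
                    and is_external(e.get("src_ip", ""))):
                stage[user] = max(stage.get(user, 0), 1)
                findings.append(_finding(host, e, "high", "rdp_logon_from_external_ip"))
            elif e["event_id"] == SPECIAL_PRIVILEGES and stage.get(user, 0) >= 1:
                stage[user] = 2
            elif e["event_id"] == AUDIT_LOG_CLEARED:
                # Log clearing is evidence in itself, regardless of what preceded it.
                findings.append(_finding(host, e, "critical", "security_log_cleared"))
                if stage.get(user, 0) >= 2:
                    findings.append(_finding(host, e, "critical",
                                             "external_rdp_then_privilege_then_log_clear"))
    return findings


def hosts_to_isolate(findings):
    """Hosts with at least one critical finding, i.e. candidates for immediate isolation."""
    return sorted({f["host"] for f in findings if f["severity"] == "critical"})


if __name__ == "__main__":
    results = triage(parse_events(SAMPLE_EVENTS))
    for f in results:
        print(f"{f['severity']:8} {f['host']:6} {f['ts']} {f['user']:12} {f['rule']}")
    print("isolate:", hosts_to_isolate(results))
```

Two design points matter here. First, a cleared Security log is reported on its own, not only as part of the chain: by the time event 1102 appears, the events that would have completed the chain may already be gone from the host, which is exactly why the article recommends a separate logging infrastructure the corporate estate cannot reach. Second, the RDP logon from WS042 is not flagged because 10.20.4.17 is internal; the rule is about exposure to the internet, not RDP use as such.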

The ransom payment question

Paying a ransom is not illegal in Australia (with the exception of payments that may reach sanctioned entities, which creates genuine legal risk), but it is strongly discouraged by the ACSC and most incident response professionals. Since 30 May 2025, businesses with annual turnover above AUD 3 million must also report any ransomware payment to the Australian Government within 72 hours under the Cyber Security Act 2024. Payment does not guarantee decryption. It funds further criminal activity. And in double-extortion cases, it does not stop data from being published or sold. The more defensible position, operationally and legally, is to restore from backup wherever possible. That requires the backup to exist, to be current, and to have been tested. Many organisations discover their backups are incomplete or corrupted only when they need them most.
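The article twice makes the same point, once in the Essential Eight section and again here: a backup only counts if it is verified, recent, and intact when you need it. As an added example (not part of the original article), the Python below shows what a scheduled restore check looks like: it hashes every file in a backup set against a manifest that was recorded at backup time, reports files that are missing or whose contents changed, and flags a set older than the agreed recovery point. The file names, contents, timestamps and the 24-hour freshness window are assumptions made for the example; the manifest is passed in separately rather than read from the backup medium, because a manifest that sits next to the backup can be rewritten by the same attacker who rewrites the backup.

```python
"""Verify a backup set against a separately held manifest.

Added example with constructed files; the backup set is written to a temp directory.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, relative_paths, taken_at):
    """Record the hash of every file in the set at backup time (store this off-medium)."""
    entries = {rel: sha256_file(os.path.join(backup_dir, rel)) for rel in relative_paths}
    return {"taken_at": taken_at.isoformat(), "files": entries}


def verify_backup(backup_dir, manifest, now, max_age):
    """Check presence, integrity and freshness; 'usable' is True only if all three pass."""
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    report = {"stale": now - taken_at > max_age, "missing": [], "corrupt": [], "verified": 0}
    for rel, expected in manifest["files"].items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["corrupt"].append(rel)
        else:
            report["verified"] += 1
    report["usable"] = not (report["stale"] or report["missing"] or report["corrupt"])
    return report


def demo():
    """Build a constructed backup set, then reproduce the failure modes the article warns about."""
    sample_files = {  # constructed content, not real data
        "finance/ledger.db": b"ledger rows...",
        "hr/staff.csv": b"name,role\n",
        "config/app.yaml": b"db: prod\n",
    }
    rpo = timedelta(hours=24)  # assumed recovery point objective
    with tempfile.TemporaryDirectory() as d:
        for rel, data in sample_files.items():
            os.makedirs(os.path.dirname(os.path.join(d, rel)), exist_ok=True)
            with open(os.path.join(d, rel), "wb") as f:
                f.write(data)
        taken = datetime(2026, 6, 7, 2, 0, tzinfo=timezone.utc)
        manifest = build_manifest(d, sample_files, taken)
        # The manifest would normally be serialised and kept away from the backup medium.
        manifest = json.loads(json.dumps(manifest))

        good = verify_backup(d, manifest, taken + timedelta(hours=6), rpo)

        # Simulate silent corruption of one file and loss of another.
        with open(os.path.join(d, "hr/staff.csv"), "ab") as f:
            f.write(b"\x00")
        os.remove(os.path.join(d, "config/app.yaml"))
        damaged = verify_backup(d, manifest, taken + timedelta(hours=6), rpo)

        # Same set checked three days later: intact files, but outside the recovery point.
        stale = verify_backup(d, manifest, taken + timedelta(days=3), rpo)
        return good, damaged, stale


if __name__ == "__main__":
    for label, report in zip(("good", "damaged", "stale"), demo()):
        print(label, report)
```

The check deliberately fails closed: a single missing or altered file, or a set that is older than the recovery point, marks the whole backup unusable, because a partial restore is exactly the surprise the article describes. Hashing proves integrity but not isolation; whether the set was offline or immutable when the attacker was in the network is a property of where it was stored, which this script cannot establish.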

Building resilience before the next incident

Resilience is not a product you can purchase and deploy. It is a state you build through a combination of technical controls, tested processes, trained people, and a culture where security concerns can be raised without fear. Tabletop exercises that simulate a ransomware scenario, including the communications decisions that have to be made under pressure, are among the most cost-effective investments an IT team can make. So is ensuring that your identity architecture does not create a single point of failure. Identity-based attacks are the most common precursor to ransomware deployment, so hardening your directory services, enforcing phishing-resistant MFA, and auditing privileged accounts regularly all reduce the likelihood that initial access leads to full network compromise.

The organisations that recover best from ransomware are those that treated the possibility seriously before the incident occurred. That means documented playbooks, practiced response procedures, leadership that understands the risk in business terms, and an IT team with the authority and budget to close the gaps that matter most. In 2026, that preparation is not optional. It is the baseline.
