According to data tracked by ransomware.live, 118 Australian organisations have already been publicly impacted by ransomware this year.
The victims span almost every sector of the economy — airlines, telecommunications providers, medical practices, retailers, manufacturers, professional services, and law firms. The diversity of targets reinforces an uncomfortable truth: no organisation is too small, too regulated, or too specialised to be considered “safe.”
While headlines often focus on multimillion-dollar ransom demands or dramatic shutdowns, the reality for many victims is quieter — but no less damaging.
Ransomware Has Evolved — and So Have the Consequences
Globally, there has been a reduction in ransomware payments, driven by improved backups, insurance pressure, regulatory scrutiny, and a growing reluctance to fund criminal groups. On paper, that looks like progress.
In practice, ransomware groups have adapted.
Today’s ransomware operations are less about encryption alone and more about coercion:
- Data theft first, encryption second (or sometimes not at all)
- Extortion through leak sites, regulators, clients, and the media
- Aggressive timelines designed to exploit panic and poor decision-making
Even when no ransom is paid, organisations often still face operational disruption, reputational damage, regulatory engagement, and legal exposure.
Why Australian Organisations Are Attractive Targets
Australia remains a high-value target for ransomware groups for several reasons:
- Strong economy and insured organisations
- High regulatory and reputational sensitivity
- Concentration of professional services holding valuable client data
- Increasing reliance on cloud platforms and third-party providers
For law firms and professional services in particular, the appeal is obvious: confidential client data, transaction details, trust accounts, and legal privilege all create leverage.
Attackers don’t need to breach the largest firm — they only need one weak link.
Law Firms Are Not Immune — and Never Were
Despite improved awareness, many law firms still underestimate their ransomware risk, often assuming:
- “We’re too small to be targeted”
- “Our IT provider has this covered”
- “We’ve never had an incident before”
In reality, ransomware groups increasingly target mid-sized and boutique firms precisely because they are perceived as easier to pressure and slower to respond.
Common weaknesses we see exploited include:
- Compromised email accounts leading to lateral movement
- Poor segregation between document management systems and file storage
- Excessive access rights that persist long after staff move roles
- Limited after-hours monitoring, especially during holiday periods
Once attackers gain a foothold, data exfiltration often happens quietly days or weeks before anyone notices.
Reduced Payments Do Not Mean Reduced Impact
The fall in ransom payments has not softened the behaviour of ransomware groups — if anything, it has hardened it.
Threat actors now operate with utter ruthlessness, publishing stolen data even when payments are refused, selectively leaking sensitive documents to increase pressure, and deliberately targeting organisations where confidentiality is paramount.
For many victims, the most damaging outcomes are not technical:
- Loss of client trust
- Professional and ethical obligations under scrutiny
- Regulator engagement and mandatory notifications
- Litigation risk and long-term reputational harm
These impacts often outlast the technical recovery.
What Organisations Should Be Doing Now
Ransomware preparedness is no longer about a single control or product. It requires clarity, coordination, and realism.
At a minimum, organisations should be asking:
- Do we know where our most sensitive data actually lives?
- Can we detect abnormal access to files, not just malware?
- Who makes decisions in the first 24–72 hours of an incident?
- Are backups tested, isolated, and recoverable under pressure?
- Have we rehearsed a ransomware scenario with legal, comms, and leadership?
Importantly, organisations should assume breach is possible — and design response plans accordingly.
Final Thought
The number — 118 Australian businesses — is not just a statistic. It represents disrupted operations, stressed leadership teams, affected clients, and long recovery journeys.
Ransomware is no longer an emerging threat. It is a persistent business risk that demands preparation, not optimism.
Those who invest in readiness before an incident will always fare better than those trying to improvise under extortion.
Be Ready Before the First 72 Hours Matter Most
The organisations that handle ransomware best are not the ones with the most tools — they are the ones with a clear, rehearsed response plan before an incident occurs.
Cyooda’s 72-Hour Cyber Crisis Response Toolkit is designed specifically for Australian organisations and law firms, helping leadership teams understand what to do, who decides, and how to respond in the critical first three days of a cyber incident.
Download the 72-Hour Cyber Crisis Response Toolkit: https://cyooda.com/resources/72-hour-cyber-crisis-response-kit
Preparation doesn’t eliminate risk — but it dramatically reduces damage.