Most Australian businesses paying ransoms


By Dylan Bushell-Embling
Wednesday, 15 November, 2023

Despite all the advice against doing so, Australian businesses are still all too willing to pay a ransom after falling victim to a ransomware attack rather than face loss of critical data, research suggests.

A survey commissioned by McGrathNicol and conducted by YouGov found that 73% of businesses falling victim to a cyber attack in the past five years chose to pay the ransom demand.

Even among businesses yet to experience an attack, 70% of respondents said they would be willing to pay a cyber ransom.

Among businesses which did pay a ransom, 74% did so within 48 hours, while 37% did so within 24 hours. The average ransom paid by these businesses was $1.03 million, but business leaders would be willing to pay an average of $1.32 million.

The survey found that in the past five years, 42% of medium to large businesses have fallen victim to a single attack, with a further 14% having been targeted multiple times.

McGrathNicol Advisory Cyber Partner Darren Hopkins said the findings show that the Australian Government’s messaging strongly advising against paying ransomware attackers has been mostly falling on deaf ears.

“Businesses are still overwhelmingly paying ransoms, and paying them quickly, to avoid negative backlash from customers, partners and stakeholders. It’s now being factored in as a cost of doing business,” he said.

“The research shows that executives are becoming empathetic and less hard-nosed about reporting these attacks to authorities. But without greater collaboration and knowledge-sharing, our ability to prevent ransomware attacks is undermined. This intelligence can help business leaders make informed decisions rather than rushing into paying an expensive, and potentially illegal, ransom.”

The survey also found that only 60% of executives polled support mandatory reporting following a ransomware attack, down from 75% in 2022. Meanwhile, fewer than half (46%) of respondents agree that it should be mandatory to report an attack even if a ransom hasn’t been paid.

The top reasons for paying a ransom include attempting to minimise potential harm to stakeholders, reduce brand damage and avoid sensitive information being leaked, the research found.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd