How to Prevent Ransomware Attacks on Your Australian Business

Published: 15 February 2026 | Reading time: 12 minutes | Author: AyeTech Cyber Security Team

Key Takeaways

  • Scale of the threat: Australia receives one ransomware report approximately every 10 minutes, with self-reported cybercrime losses exceeding $600 million annually
  • Cost to SMBs: The average ransomware attack costs Australian small businesses $276,000+ in downtime, recovery, and damages
  • Top attack vectors: Phishing emails (70%), exposed RDP ports, and unpatched software cause the vast majority of ransomware infections
  • Do not pay: The ACSC strongly advises against paying ransoms — 20% of businesses that pay never get their data back
  • Prevention works: Implementing the ACSC Essential Eight, the 3-2-1 backup rule, and employee training stops most ransomware attacks before they start
  • Act now: A managed IT services provider can implement enterprise-grade ransomware defences for a fraction of the cost of an in-house security team

The Ransomware Threat Landscape in Australia

Ransomware is the most significant cybercrime threat facing Australian businesses today. Attackers encrypt your files, lock you out of your own systems, and demand payment — typically in cryptocurrency — to restore access. And the problem is getting worse, not better.

  • 1 every 10 minutes: ransomware reports received by the ACSC
  • $600M+: annual self-reported cybercrime losses in Australia
  • 60%+: share of ransomware victims that are SMBs
  • 22 days: average business downtime after a ransomware attack

According to the Australian Cyber Security Centre's (ACSC) Annual Cyber Threat Report, ransomware remains the most destructive cybercrime type in Australia. The threat has evolved from opportunistic attacks by lone hackers into a highly organised, professional criminal industry known as Ransomware-as-a-Service (RaaS).

Why Australian Businesses Are Targeted

Australia's strong economy, high adoption of digital technology, and relatively high willingness to pay ransoms make Australian businesses particularly attractive targets. Cybercriminals specifically target Australian businesses because they know we can pay — and historically, many have.

Industries Most at Risk in Australia

  • Healthcare: Patient data is extremely valuable on the dark web, and disruption can be life-threatening
  • Professional services: Law firms, accounting practices, and consultancies hold sensitive client data
  • Manufacturing: Operational technology systems are increasingly targeted to cause maximum disruption
  • Education: Universities and schools have large attack surfaces with many users and devices
  • Financial services: High-value data and regulatory pressure to resolve incidents quickly
  • Retail and hospitality: Payment card data and customer information make these businesses attractive targets

No industry is immune. If your business uses computers, email, or connects to the internet, you are a potential target.

How Much Does a Ransomware Attack Really Cost?

The average ransomware attack costs Australian small and medium businesses more than $276,000. But the ransom payment itself is often the smallest part of the total cost. Here is what businesses actually pay when ransomware hits.

Typical cost ranges (AUD) by category:

  • Business downtime (avg. 22 days): $50,000 – $250,000+
  • Data recovery and IT remediation: $20,000 – $100,000
  • Legal and compliance costs: $10,000 – $75,000
  • Ransom payment (if paid): $50,000 – $500,000
  • Reputational damage and lost customers: $30,000 – $200,000+
  • Regulatory fines (Privacy Act, NDB scheme): $10,000 – $500,000+
  • Increased insurance premiums: $5,000 – $50,000/year

The Hidden Cost: Business Closure

An estimated 60% of small businesses that suffer a significant cyber attack close within six months. Ransomware does not just cost money — it can end your business entirely. Under Australia's Notifiable Data Breaches (NDB) scheme, you are also legally required to report breaches to the Office of the Australian Information Commissioner (OAIC), adding further legal and administrative burden.

How Ransomware Gets Into Your Business

Understanding how ransomware enters your systems is the first step to stopping it. The three most common attack vectors account for the vast majority of ransomware infections in Australia.

1. Phishing Emails (Approximately 70% of Attacks)

Phishing remains the dominant delivery mechanism for ransomware. Attackers send emails that appear to come from trusted sources — Australia Post, the ATO, a bank, a supplier, or even a colleague. These emails contain malicious attachments (often disguised as invoices, delivery notifications, or documents) or links to compromised websites that download ransomware onto the victim's computer.

Modern phishing attacks are sophisticated. They use correct branding, Australian English spelling, legitimate-looking domain names, and even reference real transactions or projects. AI-generated phishing emails are making these attacks even harder to detect.

2. Exposed Remote Desktop Protocol (RDP)

Remote Desktop Protocol allows users to connect to their work computer remotely. When RDP ports are exposed to the internet — as they are on thousands of Australian business networks — attackers can brute-force passwords or use stolen credentials to gain direct access to your systems. Once inside, they deploy ransomware manually, often after spending days or weeks quietly mapping your network and disabling your backups first.

The shift to remote and hybrid work during and after the pandemic dramatically increased the number of exposed RDP services across Australia.

3. Unpatched Software Vulnerabilities

Software vendors regularly release security patches to fix known vulnerabilities. When businesses delay applying these patches, they leave known doors open for attackers to walk through. Attackers actively scan for unpatched systems and exploit known vulnerabilities, sometimes within hours of a patch being released.

Notable examples include vulnerabilities in Microsoft Exchange Server, Fortinet VPN appliances, and Citrix gateways — all of which have been widely exploited against Australian organisations.

Other Attack Vectors

  • Supply chain attacks: Compromising a trusted software vendor or service provider to reach their customers
  • Malicious websites and drive-by downloads: Visiting a compromised website that automatically downloads malware
  • Removable media: Infected USB drives left in car parks or mailed to targets
  • Compromised credentials: Stolen usernames and passwords purchased on the dark web from previous data breaches

12-Step Ransomware Prevention Checklist for Australian Businesses

Preventing ransomware is significantly cheaper and less disruptive than recovering from an attack. Use this checklist to assess and improve your ransomware defences. Every item on this list is actionable and proven to reduce your risk.

  1. Implement Multi-Factor Authentication (MFA) everywhere
    Enable MFA on all user accounts, email, VPN, cloud services, and administrative systems. MFA stops over 99% of credential-based attacks. Prioritise Microsoft 365, Google Workspace, remote access, and banking platforms. Use authenticator apps or hardware keys rather than SMS where possible.
  2. Keep all software patched and up to date
    Apply critical security patches within 48 hours of release. Automate patch management for operating systems, web browsers, Microsoft Office, and third-party applications. This aligns with the ACSC Essential Eight maturity model. Remove or isolate any end-of-life software that no longer receives security updates.
  3. Deploy Endpoint Detection and Response (EDR)
    Replace basic antivirus with a modern EDR solution that uses behavioural analysis and AI to detect ransomware activity in real time. Traditional antivirus only catches known threats; EDR detects suspicious behaviour patterns that indicate a ransomware attack in progress, often stopping encryption before significant damage occurs.
  4. Implement email filtering with advanced threat protection
    Deploy enterprise-grade email security that scans attachments in sandboxed environments, rewrites and checks URLs at click time, blocks known malicious senders, and uses AI to detect social engineering attempts. This catches the majority of phishing-based ransomware delivery before it reaches your users.
  5. Secure and monitor Remote Desktop Protocol (RDP)
    Never expose RDP directly to the internet. Use a VPN or zero-trust network access (ZTNA) solution instead. If RDP must be used, enforce MFA, use Network Level Authentication (NLA), limit access by IP address, and monitor for brute-force login attempts.
  6. Follow the 3-2-1 backup rule (detailed below)
    Maintain 3 copies of your data, on 2 different media types, with 1 copy offsite. Ensure at least one backup copy is immutable (cannot be modified or deleted, even by administrators). Test your backups by performing a full restore at least quarterly.
  7. Apply the principle of least privilege
    Give users only the access they need to do their jobs. Remove local administrator rights from standard user accounts. Use separate admin accounts for IT staff. Segment your network so a compromise in one area cannot easily spread to the entire organisation.
  8. Conduct regular employee security awareness training
    Train all staff to recognise phishing emails, suspicious links, and social engineering tactics. Run simulated phishing campaigns at least quarterly. Make reporting suspicious emails easy and reward employees who do so. New starters should receive training on day one.
  9. Network segmentation
    Divide your network into separate zones so that ransomware cannot spread laterally from one compromised machine to your entire network. Keep critical systems (servers, backups, financial systems) on separate network segments with strict access controls between them.
  10. Disable macros in Microsoft Office documents from the internet
    Many ransomware payloads are delivered via malicious macros in Office documents. Configure Microsoft Office to block macros in documents downloaded from the internet or received via email. This is one of the ACSC Essential Eight controls and is highly effective at preventing ransomware delivery.
  11. Implement application whitelisting
    Only allow approved applications to run on your systems. This prevents ransomware executables from running even if they make it past other defences. Application whitelisting is the number one control in the ACSC Essential Eight for good reason — it is one of the most effective security measures available.
  12. Create and test an incident response plan
    Document exactly what your business will do if ransomware hits. Who do you call? How do you isolate affected systems? Where are your backup recovery procedures? Who communicates with customers and regulators? Practise this plan with tabletop exercises at least annually so everyone knows their role before a crisis hits.
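Step 5 asks you to monitor for brute-force login attempts against RDP. The following is an added Python example, not code from the article or from AyeTech, showing what that monitoring can look like when run over Windows Security log records: the pipe-delimited export layout, the IP addresses and the account names are constructed sample data, while Event IDs 4625/4624 and Logon Type 10 are the real Windows values for failed logon, successful logon and RDP (RemoteInteractive) sessions.

```python
"""Flag RDP brute-force and password-spray activity in Windows Security events.

Added example for checklist step 5. The records below are constructed, not a
real export: each line is timestamp|EventID|LogonType|Account|SourceIP.
Event 4625 is a failed logon, 4624 a successful one, and Logon Type 10
(RemoteInteractive) is an RDP session.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
RDP_LOGON_TYPE = 10

SAMPLE_EVENTS = [  # constructed sample data, not a real log
    "2026-02-15T02:13:04|4625|10|administrator|203.0.113.7",
    "2026-02-15T02:13:09|4625|10|admin|203.0.113.7",
    "2026-02-15T02:13:15|4625|10|backup|203.0.113.7",
    "2026-02-15T02:13:21|4625|10|jsmith|203.0.113.7",
    "2026-02-15T02:13:27|4625|10|administrator|203.0.113.7",
    "2026-02-15T02:13:33|4625|10|scanner|203.0.113.7",
    "2026-02-15T02:13:40|4624|10|jsmith|203.0.113.7",    # success right after the burst
    "2026-02-15T08:05:10|4625|10|mwong|198.51.100.23",
    "2026-02-15T08:05:31|4625|10|mwong|198.51.100.23",
    "2026-02-15T08:05:58|4624|10|mwong|198.51.100.23",   # a user mistyping, then succeeding
    "2026-02-15T09:12:00|4625|2|reception|10.0.0.5",     # console logon failure, not RDP
]


def parse_event(line):
    """Split one export line into typed fields."""
    ts, event_id, logon_type, account, ip = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "account": account, "ip": ip}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10),
                          spray_accounts=3):
    """Return {source_ip: alert} for every IP with at least `threshold` failed
    RDP logons inside any `window`, noting password spraying (many distinct
    accounts) and whether a successful RDP logon followed the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for event in map(parse_event, lines):
        if event["logon_type"] != RDP_LOGON_TYPE:
            continue  # console and network logons are out of scope here
        if event["event_id"] == FAILED_LOGON:
            failures[event["ip"]].append(event)
        elif event["event_id"] == SUCCESSFUL_LOGON:
            successes[event["ip"]].append(event["ts"])

    alerts = {}
    for ip, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, current in enumerate(events):
            # Advance the window start until the span is at most `window`.
            while current["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            # Keep only the largest qualifying burst per source IP.
            if len(burst) < threshold or len(burst) <= alerts.get(ip, {}).get("failures", 0):
                continue
            accounts = sorted({e["account"] for e in burst})
            alerts[ip] = {
                "failures": len(burst),
                "accounts": accounts,
                "password_spray": len(accounts) >= spray_accounts,
                # A success from the same IP after the burst suggests a guessed password.
                "success_after_burst": any(ts > current["ts"] for ts in successes[ip]),
                "window_start": burst[0]["ts"].isoformat(),
                "window_end": current["ts"].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```

With the defaults, only 203.0.113.7 is flagged (six failures across five accounts, followed by a success); the two typos from 198.51.100.23 stay below the threshold, and the console failure is ignored because it is not an RDP logon.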

ACSC Essential Eight Alignment

This checklist aligns with the Australian Cyber Security Centre's Essential Eight mitigation strategies. The Essential Eight is the Australian Government's recommended baseline for cyber security, and implementing these controls at Maturity Level 2 or higher will dramatically reduce your ransomware risk. AyeTech can assess your current Essential Eight maturity level and create a roadmap to improve it.

Backup Strategy: The 3-2-1 Rule Explained

Your backup strategy is your last line of defence against ransomware. If your prevention measures fail and ransomware encrypts your systems, a solid backup strategy means you can restore your data without paying the ransom. But modern ransomware specifically targets and destroys backups, so your strategy must account for this.

What Is the 3-2-1 Backup Rule?

  • 3 copies of your data (the original plus two backups)
  • 2 different types of storage media (e.g., local disk and cloud storage)
  • 1 copy offsite (physically separate from your primary network)

Modern best practice: 3-2-1-1 — add 1 immutable copy that cannot be modified or deleted for a set retention period, even by administrators. This protects against ransomware that specifically targets backup systems.

Why Standard Backups Are Not Enough

Modern ransomware operators know that backups are the primary obstacle to collecting ransoms. Their attack playbooks now routinely include:

  • Deleting shadow copies: Ransomware automatically deletes Windows Volume Shadow Copies to prevent easy file restoration
  • Encrypting backup files: If backup destinations are accessible from the network, ransomware will encrypt those too
  • Destroying backup software: Some ransomware variants specifically target backup applications and their databases
  • Stealing admin credentials: Attackers compromise backup administrator accounts to delete cloud backups before deploying ransomware

Building a Ransomware-Proof Backup Strategy

  1. Use immutable storage: Configure your cloud or offsite backups so that backup data cannot be modified or deleted for a defined retention period
  2. Air-gap at least one copy: Keep one backup copy completely disconnected from your network (offline tape, disconnected hard drive, or air-gapped cloud vault)
  3. Encrypt your backups: Protect backup data with strong encryption so it cannot be read if stolen
  4. Test restores regularly: A backup you have never tested is not a backup. Perform full restore tests quarterly at minimum
  5. Monitor backup jobs: Failed backup jobs must be investigated and resolved immediately, not ignored
  6. Document recovery procedures: Your restore procedures should be documented and accessible even if your primary systems are encrypted

Critical Mistake to Avoid

Many businesses discover their backups have been failing for weeks or months only after ransomware hits. By then, it is too late. Automated backup monitoring with alerting is essential — someone must be checking that backups complete successfully every single day.
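The 3-2-1-1 rule described above and the daily monitoring this section calls for can both be turned into an automated check. The following is an added Python example, not the article's or any backup vendor's code; the inventory, its field names and the thresholds (daily success, quarterly restore test, a minimum immutability retention of 30 days) are constructed assumptions that in practice would come from your backup software's job reports.

```python
"""Audit a backup inventory against the 3-2-1-1 rule and daily job health.

Added example, not from the article or any backup product. The inventory and
its field names are constructed assumptions; the dates are pinned so that the
results are reproducible.
"""
from datetime import date

TODAY = date(2026, 2, 15)  # pinned "today" for reproducible results

# Every copy of one dataset, including the live data itself (constructed).
INVENTORY = [
    {"name": "live data", "medium": "disk", "offsite": False, "immutable": False,
     "is_source": True, "last_success": TODAY, "last_restore_test": None},
    {"name": "onsite NAS", "medium": "disk", "offsite": False, "immutable": False,
     "is_source": False, "last_success": date(2026, 2, 15),
     "last_restore_test": date(2026, 1, 16)},
    {"name": "cloud vault", "medium": "object storage", "offsite": True, "immutable": True,
     "retention_days": 30, "is_source": False,
     "last_success": date(2026, 2, 6),          # job has been failing for over a week
     "last_restore_test": date(2025, 10, 18)},  # last full restore test was 120 days ago
]


def check_3_2_1_1(copies):
    """Return the clauses of the 3-2-1-1 rule the inventory fails (empty = compliant)."""
    failures = []
    if len(copies) < 3:
        failures.append(f"only {len(copies)} copies, need 3")
    if len({c["medium"] for c in copies}) < 2:
        failures.append("all copies on one medium, need 2")
    if not any(c["offsite"] for c in copies):
        failures.append("no offsite copy")
    if not any(c["immutable"] for c in copies):
        failures.append("no immutable copy")
    return failures


def check_job_health(copies, today=TODAY, max_age_days=1,
                     restore_test_days=90, min_retention_days=30):
    """Return alerts for stale jobs, overdue restore tests and short immutability
    retention. The thresholds are assumptions: backups should succeed daily,
    restores should be tested quarterly, and the immutable copy should outlast
    the weeks an attacker may spend inside the network before encrypting."""
    alerts = []
    for c in copies:
        if c["is_source"]:
            continue  # the live data is not a backup job
        age = (today - c["last_success"]).days
        if age > max_age_days:
            alerts.append(f"{c['name']}: last successful backup {age} days ago")
        if c["last_restore_test"] is None:
            alerts.append(f"{c['name']}: never restore-tested")
        else:
            since_test = (today - c["last_restore_test"]).days
            if since_test > restore_test_days:
                alerts.append(f"{c['name']}: restore test overdue ({since_test} days)")
        if c["immutable"] and c.get("retention_days", 0) < min_retention_days:
            alerts.append(f"{c['name']}: immutability retention shorter than "
                          f"{min_retention_days} days")
    return alerts


if __name__ == "__main__":
    print("3-2-1-1 gaps:", check_3_2_1_1(INVENTORY) or "none")
    for alert in check_job_health(INVENTORY):
        print("ALERT:", alert)
```

The sample inventory passes the structural 3-2-1-1 check yet still raises two alerts, which is exactly the situation the paragraph above warns about: the rule is satisfied on paper while the offsite job has silently failed for nine days and its restore test is overdue.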

Employee Training: Your First Line of Defence

Your employees are simultaneously your greatest vulnerability and your greatest asset in the fight against ransomware. With approximately 70% of ransomware entering organisations through phishing, well-trained employees who can spot and report suspicious emails are more valuable than any firewall.

What Effective Security Awareness Training Looks Like

  • Regular and ongoing: Not a one-off annual compliance exercise but continuous reinforcement through short, frequent training modules (monthly or bi-monthly)
  • Simulated phishing campaigns: Send realistic fake phishing emails to test employees quarterly. Track who clicks, provide immediate feedback, and offer additional training to those who need it
  • Role-specific training: Finance teams need training on invoice fraud and BEC scams. Executives need training on whaling attacks. IT staff need training on credential theft and social engineering targeting privileged accounts
  • Easy reporting mechanisms: Make it simple for employees to report suspicious emails (a one-click "Report Phish" button in their email client). Respond to reports promptly so employees see that reporting matters
  • Positive culture: Never punish employees for falling for simulated phishing. Instead, use it as a learning opportunity. Celebrate and reward employees who report genuine phishing attempts

Key Topics to Cover

  1. How to identify phishing emails (hover over links, check sender addresses, look for urgency cues)
  2. Password hygiene and the importance of unique passwords with a password manager
  3. Why multi-factor authentication matters and how to use it
  4. Safe web browsing habits
  5. How to handle suspicious attachments (do not open; report instead)
  6. Physical security (locking screens, challenging unknown visitors, not plugging in unknown USB devices)
  7. What to do immediately if they think they have clicked on something malicious

The 5-Minute Rule

If an employee suspects they have clicked on a malicious link or opened a suspicious attachment, they should immediately disconnect from the network (unplug the Ethernet cable or disable Wi-Fi), leave the computer powered on (shutting it down destroys forensic evidence), and contact IT support within 5 minutes. Rapid reporting can be the difference between one compromised machine and an entire network encrypted.

What to Do If You're Hit by Ransomware

If ransomware strikes your business, your response in the first few hours is critical. Acting quickly and following a structured incident response plan can significantly reduce the damage and recovery time. Here are the steps to take immediately.

  1. Isolate affected systems immediately
    Disconnect infected computers from the network (unplug Ethernet, disable Wi-Fi) but do not power them off. Isolate affected network segments. The goal is to stop the ransomware spreading to other systems while preserving evidence on the infected machines.
  2. Activate your incident response plan
    Contact your IT support provider or internal IT team immediately. If you have a managed IT services provider, call their emergency line. Assemble your incident response team, including IT, management, legal, and communications.
  3. Document everything
    Take photos of ransom notes displayed on screens. Record which systems are affected. Note the exact time the attack was discovered and by whom. This documentation is critical for forensic investigation, insurance claims, and regulatory reporting.
  4. Report to the authorities
    Report the incident to the ACSC via cyber.gov.au or call 1300 CYBER1 (1300 292 371). Report to the Australian Federal Police (AFP) via the ReportCyber portal. If personal data has been compromised, you may be legally required to notify the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme.
  5. Assess the scope of the attack
    Determine which systems, data, and backups have been affected. Identify the ransomware variant if possible (this may help determine whether free decryption tools are available). Check whether data has been stolen (many ransomware groups now practise "double extortion", threatening to publish stolen data).
  6. Do NOT pay the ransom (see below)
    Consult with your legal team, cyber insurer, and the ACSC before making any decisions about ransom demands. The ACSC recommends against payment.
  7. Begin recovery from clean backups
    Once the ransomware has been fully contained and eradicated, restore systems from your most recent clean backup. Verify that restored systems are free of malware before reconnecting them to the network. Prioritise restoring business-critical systems first.
  8. Conduct a post-incident review
    After recovery, analyse how the attack occurred, what worked in your response, and what needs improvement. Update your security controls and incident response plan accordingly. Use the incident as a catalyst to strengthen your overall security posture.

Time Is Everything

On average, ransomware takes just 45 minutes to encrypt an entire network once deployed. But attackers typically spend days or weeks inside your network before triggering encryption — disabling backups, stealing data, and mapping critical systems. The faster you detect and respond to the initial intrusion, the better your outcome.

Should You Pay the Ransom?

No. The Australian Cyber Security Centre (ACSC) strongly advises against paying ransomware demands, and AyeTech supports this position. Here is why.

Why Paying the Ransom Is a Bad Idea

  • No guarantee of data recovery: Approximately 20% of businesses that pay the ransom never receive a working decryption key. Even when a key is provided, decryption is often slow, incomplete, or corrupts data during the process
  • You become a repeat target: Paying demonstrates willingness and ability to pay. Research shows that 80% of organisations that pay a ransom are attacked again, often by the same group
  • Funding criminal organisations: Ransom payments directly fund organised crime and enable attacks against other Australian businesses, hospitals, and critical infrastructure
  • Potential legal consequences: If the ransomware operator is a sanctioned entity (e.g., linked to North Korea or Russia), paying the ransom may violate Australian sanctions laws and expose your business to legal liability
  • Double extortion is now standard: Even if you pay for decryption, attackers may still publish or sell your stolen data unless you pay a second ransom

What the ACSC Says

"The Australian Government does not condone ransom payments being made to cybercriminals. There is no guarantee paying a ransom will fix your devices, and it may also make you a target for another attack." — Australian Cyber Security Centre

What to Do Instead of Paying

  1. Restore from clean, verified backups (this is why the 3-2-1-1 strategy is essential)
  2. Check for free decryption tools at nomoreransom.org — a project supported by Europol and security vendors that provides free decryption for many ransomware variants
  3. Engage a professional incident response team to investigate, contain, and remediate
  4. Contact your cyber insurance provider immediately — they can coordinate legal, forensic, and recovery resources
  5. Report to the ACSC and AFP — law enforcement can sometimes assist with recovery and may already have decryption keys from previous investigations

How Managed IT Services Prevent Ransomware

For most Australian small and medium businesses, building an in-house security team capable of defending against modern ransomware is neither practical nor affordable. A single security analyst in Sydney costs $100,000–$140,000 per year, and you need a team, not an individual, to provide round-the-clock protection.

A managed IT services provider (MSP) delivers enterprise-grade ransomware protection at a fraction of that cost. Here is how.

What an MSP Does to Protect Your Business

  • 24/7 Security Monitoring: Continuous monitoring of your endpoints, network, and cloud services for indicators of compromise. Threats detected at 2am on a Sunday are acted on immediately, not the following Monday.
  • Managed EDR: Deployment and management of endpoint detection and response tools with real-time threat analysis and automated containment of ransomware processes.
  • Automated Patch Management: Critical security patches applied within 48 hours across all devices. No more months-old vulnerabilities sitting open because "we will get to it next week."
  • Email Security: Advanced email filtering with sandboxing, URL rewriting, impersonation protection, and AI-powered phishing detection. Blocks ransomware delivery at the most common entry point.
  • Managed Backups: Automated backups following the 3-2-1-1 rule with immutable offsite storage, daily monitoring of backup success, and quarterly restore testing.
  • Security Awareness Training: Ongoing employee training programs with simulated phishing campaigns, tracking, and reporting. Turns your staff from a vulnerability into a defence layer.
  • Essential Eight Implementation: Assessment, implementation, and ongoing management of the ACSC Essential Eight controls tailored to your business environment and risk profile.
  • Incident Response: Documented incident response plan, regular tabletop exercises, and rapid response capability if an incident occurs. Your MSP has handled dozens of incidents before and knows exactly what to do.

The ROI of Prevention

Managed IT services typically cost $149–$299 per user per month. For a 20-person business, that is $3,000–$6,000 per month for comprehensive IT support including ransomware protection. Compare that to the $276,000+ average cost of a single ransomware attack, and the return on investment is clear. Prevention is not an expense — it is insurance that pays for itself many times over.

Is Your Business Protected Against Ransomware?

Most Australian businesses have critical security gaps they do not know about. AyeTech offers a ransomware readiness assessment to identify your vulnerabilities before attackers do.

Book Your Security Assessment

Or call us on 02 9188 8000 to speak with a security specialist today.

Frequently Asked Questions

How common are ransomware attacks in Australia?

Ransomware is one of the most serious cyber threats facing Australia. The ACSC receives one ransomware-related cybercrime report approximately every 10 minutes. In the 2023-24 financial year, self-reported losses from cybercrime in Australia exceeded $600 million. Small and medium businesses are disproportionately targeted, accounting for over 60% of ransomware victims in Australia.

How much does a ransomware attack cost an Australian business?

The average cost of a ransomware attack for Australian SMBs exceeds $276,000 when factoring in downtime, data recovery, legal fees, reputational damage, and regulatory penalties. For mid-size businesses, costs can exceed $1 million. This does not include the ransom payment itself, which typically ranges from $50,000 to $500,000 AUD for small businesses.

Should my business pay the ransomware demand?

The Australian Cyber Security Centre (ACSC) strongly advises against paying ransomware demands. Paying does not guarantee your data will be restored — approximately 20% of businesses that pay never receive a working decryption key. Payment also funds criminal organisations, marks your business as a willing payer for future attacks, and may violate Australian sanctions laws if the attacker is a sanctioned entity.

What is the 3-2-1 backup rule and why does it matter for ransomware protection?

The 3-2-1 backup rule means keeping 3 copies of your data, on 2 different types of storage media, with 1 copy stored offsite or in the cloud. This strategy is critical for ransomware protection because modern ransomware specifically targets backup files. An air-gapped or immutable offsite backup ensures you can restore your data without paying the ransom. Many businesses now use a 3-2-1-1 variation, adding 1 immutable (unchangeable) copy that cannot be modified or deleted for a set retention period.

What are the most common ways ransomware infects Australian businesses?

The three most common ransomware attack vectors in Australia are: 1) Phishing emails (responsible for approximately 70% of ransomware infections), where employees click malicious links or open infected attachments; 2) Exposed Remote Desktop Protocol (RDP) ports, which attackers scan for and exploit using stolen or brute-forced credentials; and 3) Unpatched software vulnerabilities, where attackers exploit known security flaws in operating systems and applications that have not been updated.

Is my small business really a target for ransomware?

Yes, absolutely. Small businesses are increasingly targeted precisely because they typically have weaker security controls, smaller IT budgets, and fewer dedicated security staff than large enterprises. The ACSC reports that over 60% of Australian ransomware victims are small to medium businesses. Cybercriminals use automated scanning tools that do not discriminate by business size — they target any vulnerable system they can find.

How can managed IT services help prevent ransomware attacks?

Managed IT service providers (MSPs) prevent ransomware through continuous 24/7 security monitoring, automated patch management, managed endpoint detection and response (EDR), email filtering with advanced threat protection, employee security awareness training, implementation of the ACSC Essential Eight framework, managed backup solutions with offsite and immutable copies, and incident response planning and execution. An MSP provides enterprise-grade security at a fraction of the cost of building an in-house security team.

About AyeTech

AyeTech is a Sydney-based managed IT services provider specialising in cyber security, ransomware prevention, and IT support for Australian small and medium businesses. We help businesses implement the ACSC Essential Eight, build robust backup strategies, and maintain enterprise-grade security without enterprise-grade costs.

Contact Information:

  • Phone: 02 9188 8000
  • Email: [email protected]
  • Address: Suite 203, Level 8, 99 Walker St, North Sydney, NSW 2060
  • Service Areas: Sydney, Melbourne, Brisbane, Perth, Adelaide