Ransomware is no longer the domain of a single criminal syndicate operating from a darknet server. In 2026, it is a franchise economy — decentralised, resilient, and deliberately structured to survive law enforcement takedowns. Publicly reported ransomware attacks rose to 7,200 globally in 2025, a 47 per cent increase on the prior year, driven in large part by the explosion of Ransomware-as-a-Service (RaaS) affiliates who freely migrate between gangs, rebrand overnight, and carry institutional tradecraft with them wherever they go.
For Australian organisations, the stakes just shifted again. On 30 May 2025, the mandatory ransomware payment reporting regime under Part 3 of the Cyber Security Act 2024 came into force — creating a 72-hour reporting obligation that fundamentally changes how your incident response team must operate. Understanding the threat landscape and the new legal framework together is no longer optional; it is a board-level imperative.
The RaaS Cartel Model: Fragmentation as a Survival Strategy
The coordinated law enforcement takedowns of 2022–2024 — targeting Hive, ALPHV/BlackCat, and LockBit — were intended to decapitate the ransomware ecosystem. Instead, they accelerated its evolution. Rather than collapsing, RaaS operators responded by decentralising further.
DragonForce is the clearest illustration of this shift. Originally emerging in 2023, by March 2025 DragonForce had rebranded itself as a ransomware cartel — a white-label infrastructure model that lets affiliates operate under their own brand names while leveraging DragonForce's encryption tools, negotiation platforms, and leak portals. Security researchers have identified a loose alignment between DragonForce, Qilin, and a reconstituted LockBit 5.0 operation. The result is a cartel-style arrangement: resilient, reputation-diverse, and highly adaptable.
For defenders, this creates a critical intelligence gap. When an affiliate migrates from one RaaS platform to another, they carry their access credentials, victim lists, and preferred initial access methods with them. Attribution becomes harder. Indicators of compromise (IoCs) from a previous incident may no longer match the next attack by the same human threat actor, because that actor is now deploying a different platform's malware.
Double and Triple Extortion: The New Baseline
Encrypting files and demanding a ransom is now considered a minimum viable attack. In 2025–2026, the overwhelming majority of professional RaaS operations deploy a double extortion model as standard: data is exfiltrated before encryption, and victims who restore from backups still face the threat of sensitive data being published on a Tor-based leak site.
Triple extortion adds a third pressure layer — contacting customers, regulators, or business partners directly to amplify reputational damage and regulatory exposure. For Australian organisations, this third lever is particularly acute given the Privacy Act 1988 Notifiable Data Breaches (NDB) scheme and sector-specific obligations under the Security of Critical Infrastructure Act 2018 (SOCI Act). A threat actor who publishes data and simultaneously notifies the Office of the Australian Information Commissioner (OAIC) on your behalf has weaponised your compliance obligations against you.
Why Healthcare and Fintech Are Primary Targets
Sector selection is not random — it is commercially rational. According to the ASD's ACSC Annual Cyber Threat Report 2024–25, ransomware incidents against the healthcare sector doubled in FY2024–25 compared to the prior year. Threat actors were successful in 95 per cent of all healthcare and social assistance sector incidents that ASD's ACSC responded to — nearly double the 52 per cent success rate across all sectors. Healthcare organisations hold high-value personal health information, operate life-critical systems where downtime cost is catastrophic, and are statistically more likely to pay to restore services quickly.
Financial and insurance services accounted for 32 per cent of all critical infrastructure incidents — the highest of any sector — according to the same ACSC report. Fintech organisations are attractive for a different reason: they sit at the intersection of high-value transaction data, regulated personal information, and often-immature security postures relative to traditional banks. The 2026 ransomware attack on Australian fintech YouX, which exposed an estimated 229,000 driver licence numbers and borrower personal data, exemplifies this pattern.
Hospitality and accommodation sector organisations are increasingly appearing in RaaS affiliate target lists, primarily because of their combination of payment card data, relatively flat network architectures, and high-volume seasonal staffing that creates persistent phishing exposure.
What the Mandatory Ransomware Reporting Obligation Means for Your IR Plan
Australia's new mandatory ransomware payment reporting regime is not simply a regulatory checkbox — it reshapes the incident response timeline in ways that organisations must plan for in advance, not during an active crisis.
Who Must Report
Under the Cyber Security (Ransomware Payment Reporting) Rules 2025, entities carrying on business in Australia with an annual turnover exceeding AUD $3 million must report any ransomware or cyber extortion payment — including payments made by an insurer or third party on their behalf — to the ASD's ACSC via an online portal. Responsible entities for critical infrastructure assets under the SOCI Act are also captured regardless of turnover.
The 72-Hour Clock
The reporting window is 72 hours from the moment of payment, or from the moment you become aware that a payment has been made on your behalf. This is a critical distinction: if your cyber insurer negotiates and settles a ransom demand without first notifying you, your 72-hour clock starts from when you learn of that payment — not from when the transaction cleared.
This means your incident response plan must now include explicit contractual requirements on your cyber insurer and any external incident response retainer to notify you before any payment is made. It also means your legal counsel needs to be embedded in the IR workflow from the outset of a ransomware event, not brought in at the settlement stage.
The Education-First Phase Is Over
The Department of Home Affairs implemented an education-first approach from 30 May 2025 through 31 December 2025, with regulatory action reserved for egregious non-compliance. From 1 January 2026, active regulatory enforcement is in effect. Civil penalties for failure to report reach up to 60 penalty units — currently AUD $19,800 per contravention. While the financial penalty is not catastrophic for a large enterprise, the reputational and regulatory secondary consequences of a finding of non-compliance — particularly during an OAIC investigation into the same incident — are significant.
Does Reporting Prevent You from Paying?
No. The legislation does not prohibit ransom payments. It creates a reporting obligation, not a payment ban. The government's stated rationale is to build an intelligence picture of the Australian ransomware ecosystem — understanding which threat actors are active, what sectors are being targeted, and the scale of the problem. Organisations that pay and report in good faith are not penalised for the payment itself.
Practical Mitigation Priorities for 2026
Understanding the threat is only useful if it drives concrete defensive action. The following priorities reflect both the current threat actor playbook and the requirements of the Essential Eight Maturity Model, which remains the ACSC's recommended baseline for Australian organisations.
Immutable, Tested Backups
Double extortion has not made backups irrelevant — it has changed their purpose. Restoring from a clean backup avoids paying for decryption, even when the threat of data publication remains. Backups must be immutable (write-once, append-only), stored offline or in an air-gapped environment, and tested for restoration under realistic incident conditions at least quarterly. A backup that has never been restored is a liability, not an asset. Essential Eight Maturity Level 2 requires regular backup testing; Maturity Level 3 requires unprivileged accounts to be unable to access or delete backup stores.
Phishing-Resistant MFA Across All Remote Access
Initial access via compromised credentials — acquired through phishing, credential stuffing, or prior breach data — remains the dominant entry vector for RaaS affiliates. Legacy MFA methods (SMS OTP, push notifications without number matching) are routinely bypassed via MFA fatigue attacks and adversary-in-the-middle proxies. Organisations should be deploying phishing-resistant MFA — FIDO2/passkeys or certificate-based authentication — for all remote access, privileged accounts, and cloud administration portals. This aligns with Essential Eight Maturity Level 3 for Multi-Factor Authentication.
Network Segmentation and Least Privilege
RaaS affiliates rely on lateral movement after initial access to maximise encryption scope. Flat network architectures — common in healthcare, hospitality, and mid-market organisations — allow a single compromised endpoint to become a full domain compromise within hours. Implement micro-segmentation to isolate clinical systems, financial applications, and backup infrastructure from general corporate networks. Pair this with strict least-privilege access controls: accounts should have access only to the resources required for their role, not inherited domain-wide rights.
Incident Response Planning with Ransomware-Specific Playbooks
Generic incident response plans are insufficient for ransomware events, which involve simultaneous technical, legal, commercial, and communications pressures on compressed timelines. Your ransomware playbook must document:
- The chain of authority for the ransom payment decision — and the explicit requirement to notify legal counsel before any payment is authorised
- Your cyber insurer's notification requirements and the contractual clause requiring pre-payment notification to you
- The 72-hour ACSC reporting trigger and the designated person responsible for filing the report
- Your NDB assessment process — a ransomware exfiltration is almost certainly an eligible data breach requiring OAIC notification and potentially individual notification
- Executive and board communication templates for the first 24 hours
- A pre-engaged forensics retainer with a firm experienced in Australian regulatory requirements
Essential Eight Maturity as a Foundation
The Essential Eight Maturity Model provides a structured, ACSC-endorsed path to ransomware resilience. Three controls are especially relevant to the current RaaS playbook: Application Control (prevents execution of attacker tooling on endpoints), Patch Applications (closes the known vulnerabilities RaaS affiliates routinely exploit), and Restrict Administrative Privileges (limits the blast radius when credentials are compromised). Achieving Maturity Level 2 across all eight controls significantly reduces the probability of a successful ransomware event; Maturity Level 3 makes recovery without payment a viable outcome in most scenarios.
The Intelligence Imperative
One underappreciated consequence of the new mandatory reporting regime is its intelligence dividend. As more Australian organisations report ransomware payments to the ACSC, the ASD builds a richer, more current picture of active threat actors, preferred initial access vectors, and targeted sectors. This intelligence, distributed through the ACSC's partner and advisory programmes, benefits the entire ecosystem. Organisations that engage with the ACSC's cyber threat intelligence sharing programmes, and that hold ASD Partnership status, receive earlier warning of campaigns targeting their sector.
Threat intelligence is not only a government function. Commercial threat intelligence feeds, sector-specific ISACs (Information Sharing and Analysis Centres), and dark web monitoring services that flag leaked credentials or discussions of your organisation on RaaS affiliate forums are all components of a mature threat intelligence capability.
Key Takeaways
- RaaS has fractured into a cartel model. Affiliates migrate freely between gangs, carrying access and tradecraft with them. Traditional attribution-based defences are insufficient.
- Double extortion is the baseline. Even organisations with functional backups face data publication threats. Prevention is more cost-effective than negotiation.
- Healthcare and fintech face elevated risk. According to the ACSC's Annual Cyber Threat Report 2024–25, healthcare ransomware incidents doubled and financial services led critical infrastructure incidents at 32 per cent.
- Mandatory reporting is active from 1 January 2026. Entities with turnover over AUD $3 million must report ransomware payments to the ACSC within 72 hours — including payments made by insurers on their behalf.
- Your IR plan must be updated now. The 72-hour clock, insurer notification requirements, and NDB obligations must be pre-documented — not worked out during an active incident.
- Essential Eight Maturity Level 2 is the minimum defensible baseline. Immutable backups, phishing-resistant MFA, application control, and least privilege together address the dominant attack vectors in the current RaaS playbook.
Ransomware resilience is not achieved by deploying a single product or passing a single audit — it is a continuous programme of technical controls, tested processes, and regulatory readiness. CyberCorp's GRC and incident response specialists work with Australian organisations across healthcare, financial services, and critical infrastructure to build that resilience before a threat actor forces the issue. Schedule a GRC Assessment to evaluate your current Essential Eight maturity and ransomware readiness, or learn more about our Essential Eight compliance programme and managed security operations capabilities.