Ransomware in Australia: What Small Businesses Need to Know in 2025
Ransomware attacks on Australian small businesses are rising — here is what ransomware is, how attacks happen, whether to pay the ransom, and how to protect yourself.
Ransomware is one of the most destructive cyber threats facing Australian businesses today — and small businesses are firmly in the crosshairs. If you have heard the term but are not sure how it works or whether your business is at risk, this guide is for you.
What Is Ransomware?
Ransomware is a type of malicious software (malware) that encrypts your files, making them completely inaccessible. The attacker then demands a ransom payment — typically in cryptocurrency — in exchange for the decryption key. Without that key, or a clean backup, your data may be unrecoverable.
Modern ransomware attacks often include a second threat: the attackers also steal your data before encrypting it, and threaten to publish it publicly if you do not pay. This is known as double extortion and is now common in attacks targeting businesses.
Why Small Businesses Are Targeted
There is a persistent myth that cybercriminals only go after large companies. The reality is quite different. Small businesses are attractive targets for several reasons:
- Weaker defences — smaller organisations typically lack dedicated security staff, enterprise-grade tools, and formal security policies
- Valuable data — even a small business holds customer records, financial data, and intellectual property that has real value
- Ability to pay — ransomware gangs calibrate their demands to what a business can realistically afford; demands against small businesses are often $5,000 to $50,000
- Automated attacks — many attacks use automated tools that scan the internet for vulnerable systems without any human involvement, meaning no business is too small to be noticed
In Australia, small businesses in healthcare, legal services, financial advice, construction, and retail have all been hit in recent years.
How Ransomware Attacks Happen
Understanding the entry points attackers use helps you close them. The three most common ways ransomware gets into a small business are:
Phishing Emails
A staff member receives an email that appears legitimate — a fake invoice, a shipping notification, a message from a supplier — and either clicks a link that leads to a fake login page or a malware download, or opens a malicious attachment that runs the malware. The message can even come from a supplier's genuine mailbox that has itself been compromised, so a familiar sender address is not proof that an email is safe. Phishing remains the most common initial access method.
Exposed Remote Desktop Protocol (RDP)
Many businesses use Remote Desktop Protocol to allow remote access to office computers. If RDP is reachable from the internet and protected only by a password (weak, guessable, or reused from a site that has already been breached) with no MFA, attackers can brute-force or password-spray their way in and then deploy ransomware by hand. Automated scanners find exposed RDP soon after it goes online, and changing the port number does not hide it. This is a very common attack vector that is completely preventable.
Unpatched Software
Attackers actively scan for systems running software with known vulnerabilities — outdated operating systems, unpatched applications, or old VPN and firewall appliances. If your systems are not updated promptly, attackers can exploit those vulnerabilities without anyone at your business clicking anything.
What Happens During a Ransomware Attack
A typical ransomware attack unfolds in stages. The attacker gains access to your network, often spending days or weeks quietly moving through your systems before triggering the encryption. During that time they typically look for any backups they can reach and delete or encrypt them, and disable security tools, so that nothing is left to restore from when the encryption runs. This means by the time you see the ransom note, the attacker has likely already been inside your network for some time.
When the ransomware is deployed, files across your systems are encrypted rapidly — often within hours. You will typically see a ransom note on your screen or in affected folders, with instructions for payment and a deadline. Meeting the deadline is presented as the only way to recover your data.
Should You Pay the Ransom?
The strong advice from the Australian Government, the Australian Signals Directorate, and cybersecurity professionals is: do not pay the ransom.
Here is why:
- Payment does not guarantee you will receive a working decryption key
- Paying marks you as a target who will pay, potentially inviting further attacks
- Some ransomware groups are on international sanctions lists, meaning payment could be illegal
- The ransom payment funds further criminal activity
If you have good, tested backups that the attacker could not reach, you may be able to recover without paying at all. This is the most compelling reason to invest in backups before an attack occurs. If a payment is made despite this advice, be aware that the Cyber Security Act 2024 requires businesses above an annual turnover threshold to report a ransomware payment to the Australian Government within 72 hours.
How to Protect Your Business
The good news is that the most effective defences are not expensive or technically complex.
Maintain Good Backups
Follow the 3-2-1 rule: keep three copies of your data, on two different types of media, with one stored offsite or in a separate cloud environment. That offsite copy must not be reachable with the same credentials as your office network (keep it offline, or in storage with immutability or deletion protection switched on), because attackers who get inside will delete any backup they can reach before they encrypt. Critically, test your backups regularly by actually restoring files and comparing them with the originals: a backup you have never restored from is not a backup you can rely on.
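Here is what a restore test looks like in practice, as an added example in Python rather than a tool from the original article. It backs up a folder into a compressed archive, records a SHA-256 checksum of every file in a manifest stored beside the archive, then restores the archive into a scratch directory and compares every restored file against the manifest. The small "office" folder, its file names and contents are constructed for the demonstration; the second archive, taken after a file has been overwritten, shows what the check reports when a backup no longer matches what was recorded.

```python
"""Back up a folder with a SHA-256 manifest, then prove it restores correctly.
Added example for this article, not the article's own code; the sample 'office'
folder in demo() is constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir, backup_path) -> dict:
    """Write source_dir into a .tar.gz and return {relative path: sha256}.
    The manifest is also saved beside the archive; keep a copy with the
    off-site backup so a restore test never depends on the original disk."""
    source_dir, backup_path = Path(source_dir), Path(backup_path)
    manifest = {}
    with tarfile.open(backup_path, "w:gz") as tar:
        for file in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = file.relative_to(source_dir).as_posix()
            manifest[rel] = _sha256(file)
            tar.add(file, arcname=rel)
    Path(f"{backup_path}.manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(backup_path, manifest: dict) -> list:
    """Restore the archive into a scratch directory and compare every file with
    the manifest. Returns a list of problems; an empty list means the restore
    test passed."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(backup_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # rejects path traversal (3.12+ and backports)
            except TypeError:  # older Python without the filter argument
                tar.extractall(scratch)
        restored = {p.relative_to(scratch).as_posix(): _sha256(p)
                    for p in Path(scratch).rglob("*") if p.is_file()}
    problems = [f"missing after restore: {rel}" for rel in manifest if rel not in restored]
    problems += [f"content changed: {rel}" for rel, digest in manifest.items()
                 if rel in restored and restored[rel] != digest]
    problems += [f"unexpected file in backup: {rel}" for rel in sorted(restored.keys() - manifest.keys())]
    return problems


def demo() -> tuple:
    """Back up a constructed office folder and verify it; then verify an archive
    taken after a file was overwritten (as ransomware would) against the
    original manifest, which must fail."""
    with tempfile.TemporaryDirectory() as work:
        office = Path(work) / "office"
        (office / "clients").mkdir(parents=True)
        (office / "clients" / "list.csv").write_text("name,email\nAda,ada@example.com\n")
        (office / "invoices.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
        good_archive = Path(work) / "office-backup.tar.gz"
        manifest = create_backup(office, good_archive)
        good = verify_backup(good_archive, manifest)
        (office / "clients" / "list.csv").write_text("ENCRYPTED\n")
        bad_archive = Path(work) / "office-backup-after-attack.tar.gz"
        create_backup(office, bad_archive)
        bad = verify_backup(bad_archive, manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("healthy backup:", good or "restore test passed")
    print("tampered backup:", bad)
```

Run `verify_backup` on a schedule against the copy that lives offsite, not the one on the office server, and treat any non-empty result as an incident to investigate: the manifest was taken when the data was healthy, so a mismatch means the backup copy has changed since.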
Enable MFA on Everything
Multi-factor authentication means a stolen or guessed password is not enough on its own to log in. Enable it on email, cloud services, remote access tools, and any system accessible from the internet, and prefer an authenticator app or hardware security key over SMS codes where the service allows it.
Keep Software Up to Date
Enable automatic updates on operating systems and applications. Do not ignore prompts to update your software — many attacks exploit vulnerabilities that patches have already fixed. Patch internet-facing systems (VPN and firewall appliances, remote access tools) first and within days rather than months, because those are the systems attackers scan for.
Train Your Staff
Phishing remains the most common entry point. Regular, brief training on how to recognise suspicious emails (unexpected attachments, links whose real destination differs from the text shown, replies that go to a different address, pressure to act immediately) significantly reduces the chance of a successful attack, as does making it easy for staff to report a suspicious email without blame. You do not need expensive programs; even a monthly five-minute briefing helps.
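The following Python script is an added example, not code from the article, that applies the checks described here and in the Phishing Emails section above to a raw email: a Reply-To domain that differs from the From domain, link text that shows one web address while the link actually leads to another, and attachments that are executable or carry a double extension. It uses only the standard library. The sample message is constructed for the example and the domains in it are placeholders; it mimics the fake-invoice lure the article describes.

```python
"""Flag common phishing indicators in a raw email using only the standard library.
Added example for this article, not the article's own code."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attachment types that run code when opened; a .pdf.exe is caught here as well.
EXEC_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso")
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(str(header))[1].rpartition("@")[2].lower()


def _host(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def phishing_indicators(raw: str) -> list:
    """Return human-readable findings for a raw RFC 5322 message; [] means clean."""
    msg = message_from_string(raw, policy=default)
    findings = []
    from_dom, reply_dom = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not the From domain {from_dom}")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser = _Anchors()
        parser.feed(html_part.get_content())
        for href, text in parser.pairs:
            # The visible text looks like an address but the link goes somewhere else
            if URL_LIKE.fullmatch(text) and _host(text) != _host(href):
                findings.append(f"link text shows {_host(text)} but points to {_host(href)}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_SUFFIXES):
            findings.append(f"executable attachment {name}")
        elif name.count(".") > 1:
            findings.append(f"double-extension attachment {name}")
    return findings


# Constructed sample message with placeholder domains: a typical fake-invoice lure
SAMPLE_EMAIL = """\
From: "Accounts Payable" <accounts@supplier-example.com.au>
Reply-To: accounts@supplier-example-billing.com
To: owner@smallbiz-example.com.au
Subject: Overdue invoice 4471 - action required today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review the overdue invoice at
<a href="http://portal.supplier-example.com.au.login-example.net/4471">https://portal.supplier-example.com.au/invoices</a></p>
--b1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

bm90IHJlYWxseSBhbiBpbnZvaWNl
--b1--
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

The three findings this produces are exactly the things a five-minute briefing should teach people to look for by eye: where a reply would actually go, where a link actually leads (hover before clicking), and what an attachment actually is. Mail filters catch much of this, but not all, which is why the human check still matters.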
Restrict Remote Access
If you use RDP or any remote access tool, ensure it is not exposed directly to the internet: check from outside your network that the RDP port (3389) is not reachable, and do not rely on moving it to a different port. Require Network Level Authentication on every RDP host so that nobody reaches a logon screen without first authenticating, gate access behind a VPN with MFA, and disable RDP entirely if you do not use it.
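The outside-in check, as an added example in Python rather than a tool from the article: it opens a TCP connection to the RDP port and sends the standard X.224 connection request from the RDP specification (MS-RDPBCGR), offering only TLS. A server that enforces Network Level Authentication must refuse that with the HYBRID_REQUIRED_BY_SERVER code; a server that accepts it is presenting its logon screen before any authentication, and a server that sends no negotiation block at all only speaks the legacy "standard RDP security". The host and port are arguments you supply; run it from outside your network against your own public address, with authorisation. The reply bytes in the usage notes below are constructed examples of the three outcomes.

```python
"""Outside-in check of an RDP endpoint: is the port reachable, and does the
server enforce Network Level Authentication? Uses the X.224 connection request
negotiation defined in MS-RDPBCGR. Added example, not code from the article."""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # legacy "standard RDP security": no TLS, no NLA
PROTOCOL_SSL = 0x00000001     # TLS only: logon screen shown before any authentication
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA: authenticate before a session exists
# RDP_NEG_FAILURE code sent when the client did not offer NLA but the server insists on it
HYBRID_REQUIRED_BY_SERVER = 0x00000005
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ, 19 bytes in total."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0)  # LI, CR, dst, src, class 0
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224) + len(neg_req))
    return tpkt + x224 + neg_req


def parse_connection_confirm(data: bytes) -> tuple:
    """Return ('rsp', selectedProtocol), ('failure', failureCode), or
    ('legacy', None) when the server sent no negotiation block at all, which
    only happens on servers limited to standard RDP security."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:
        return ("legacy", None)
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8 or neg_type not in (TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE):
        raise ValueError("malformed RDP negotiation block")
    return ("rsp" if neg_type == TYPE_RDP_NEG_RSP else "failure", value)


def classify(result: tuple) -> str:
    """Interpret the reply to a request that offered TLS only (PROTOCOL_SSL)."""
    kind, value = result
    if kind == "failure" and value == HYBRID_REQUIRED_BY_SERVER:
        return "NLA required"
    if kind == "rsp" and value == PROTOCOL_SSL:
        return "NLA not enforced (TLS logon screen reachable before authentication)"
    if kind == "legacy" or (kind == "rsp" and value == PROTOCOL_RDP):
        return "standard RDP security only (no TLS, no NLA)"
    return f"unclassified reply: {kind} {value:#x}"


def probe(host: str, port: int = 3389, timeout: float = 3.0) -> str:
    """Connect, offer TLS only, and report what the server allows."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_connection_request(PROTOCOL_SSL))
            data = sock.recv(64)
    except OSError:
        return "closed/filtered (not reachable from here)"
    try:
        return classify(parse_connection_confirm(data))
    except ValueError as exc:
        return f"unexpected reply: {exc}"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}: {probe(target)}")
```

The only acceptable results from the internet side are "closed/filtered" (RDP is behind the VPN or off) or, at worst, "NLA required"; anything else means a password guess is all that stands between the attacker and your desktop. As constructed examples of the wire format, a reply of `030000130ed000001234000300080005000000` decodes to "NLA required", `030000130ed000001234000200080001000000` to "NLA not enforced", and an 11-byte `0300000b06d00000123400` with no negotiation block to "standard RDP security only".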
What to Do If You Are Attacked
- Disconnect affected devices immediately — unplug network cables or disable Wi-Fi to stop the spread. Do not turn off the machines; their running state (including memory) can be useful to investigators.
- Call your IT provider or an incident response specialist — do not try to fix it yourself
- Do not pay the ransom before getting professional advice
- Report to ReportCyber at cyber.gov.au — reporting helps the Australian Government track and respond to ransomware campaigns
- Notify the OAIC if personal information has been compromised, as you may have obligations under the Notifiable Data Breaches scheme, which expects you to assess a suspected breach within 30 days and, where it is likely to result in serious harm, to notify the OAIC and the affected individuals as soon as practicable
The Bottom Line
Ransomware is a serious and growing threat to Australian small businesses. But it is also highly preventable. A relatively small investment in backups, MFA, patching, and staff awareness will protect the vast majority of businesses from the vast majority of attacks. Start with those basics — and make sure your backups work before you need them.
Frequently asked questions
Do ransomware gangs target small businesses in Australia?
Yes. Small businesses are frequently targeted because they tend to have weaker defences than large organisations but still hold valuable data and have the means to pay a ransom. Australian small businesses have been hit across a wide range of industries including healthcare, legal, construction, and retail. Attackers often use automated tools to scan for vulnerable systems, meaning your business does not need to be specifically selected — you just need to have an exploitable weakness.
Should I pay the ransom if my business is attacked?
The Australian Government and cybersecurity agencies strongly advise against paying the ransom. Payment does not guarantee you will get your data back, it encourages further attacks, and in some cases paying may be illegal if the group is on a sanctions list. More importantly, if you have good backups in place, you may not need to pay at all. Your first call should be to an incident response specialist and, if personal data is involved, you should also notify the Office of the Australian Information Commissioner.
What is the first thing to do if you suspect a ransomware attack?
Disconnect affected devices from your network immediately — unplug the network cable or turn off Wi-Fi — to stop the ransomware from spreading to other systems. Do not turn the computers off, as forensic investigators may need to examine their current state. Call your IT provider or an incident response specialist, and report the incident to ReportCyber at cyber.gov.au. Do not pay any ransom before seeking professional advice.