Pure victimisation in Australia rose from 2.5 to 3.2 percent of respondents between the 2024 and 2025 AIC surveys. The also recorded more ransomware incidents over the same period. Same direction, two different data sources.
Ransomware-related data theft and extortion (criminals steal your data and threaten to publish it, sometimes without locking anything) accounted for another 3.1 percent of respondents. In total, 5.8 percent of Australians surveyed received a ransom message on their device in the past year.
If you run an SME, your numbers are worse
SME owners and managers were more likely than other employed Australians to be victimised across every crime category the survey measured. For , 31.5 percent of SME respondents were victims in the past 12 months. For other workers, 20.4 percent.
One in four SME respondents said cybercrime had negatively impacted their business in the past year:
- Operations disrupted: 28.7%
- Extra expenses incurred: 16.4%
- Business information lost: 15.9%
- Reputation or revenue damaged: 14.1%
- Staff impacts (people leaving or losing jobs): 10.0%, up from 5.9%
- Legal or regulatory issues: 7.9%, up from 5.1%
That last two are worth pausing on. Staff impacts have nearly doubled year on year. Legal exposure is heading the same direction. These aren't just IT problems. They're liability problems.
Why SMEs get targeted
The math for ransomware groups is straightforward: sensitive data, high recovery cost, reasonable chance of payment. SMEs meet all three. Client records, financial data, years of working files are all worth encrypting. Recovery without tested backups takes weeks. And for a business that can't be offline for a month, paying can feel like the rational call.
Large enterprise security teams can respond to ransomware in hours. Most SMEs are working with IT generalists or MSPs managing many clients at once. That response gap is what determines whether an incident is contained or catastrophic.
The backup problem
The AIC survey found online safety behaviours fell for the second consecutive year. Fewer Australians are running antivirus, using different passwords, or being careful with links. On ransomware specifically, backup quality is what matters most.
Having a backup is not the same as having a working one. Backups stored on the same network can be encrypted in the same attack. Backups that haven't been tested might not restore cleanly. What you need is an offline or immutable copy, tested at least quarterly, that ransomware can't reach.
The relevant controls
Three address the most common ransomware vectors directly: patch applications, patch operating systems, regular offline backups. Application control adds another layer: even if works and a malicious file lands, it can't execute. The ASD has recently announced plans to retire the Essential Eight framework, but the underlying controls remain sound guidance regardless of the framework that wraps them.
For SMEs without a security team, 1 across all eight controls is a realistic starting point. Not a checkbox exercise. It closes the gaps attackers reliably look for. The AIC data makes the direction clear: ransomware is rising, SMEs are taking more of the hit, and the consequences when incidents occur are getting worse year on year.



