IronSights
All insights

threat intelligence

Ransomware Is Rising in Australia, and SMEs Are the Soft Target

Pure ransomware victimisation in Australia rose from 2.5 to 3.2 percent in a single year. SME malware victimisation sits at 31.5 percent, well above the general population. Here's what the AIC data says about why small businesses are the target, and what actually helps.

By IronSights Editorial, Practitioner team9 July 20263 min read
ByIronSights Editorial9 July 20263 min read

Pure victimisation in Australia rose from 2.5 to 3.2 percent of respondents between the 2024 and 2025 AIC surveys. The also recorded more ransomware incidents over the same period. Same direction, two different data sources.

Ransomware-related data theft and extortion (criminals steal your data and threaten to publish it, sometimes without locking anything) accounted for another 3.1 percent of respondents. In total, 5.8 percent of Australians surveyed received a ransom message on their device in the past year.

If you run an SME, your numbers are worse

SME owners and managers were more likely than other employed Australians to be victimised across every crime category the survey measured. For , 31.5 percent of SME respondents were victims in the past 12 months. For other workers, 20.4 percent.

One in four SME respondents said cybercrime had negatively impacted their business in the past year:

  • Operations disrupted: 28.7%
  • Extra expenses incurred: 16.4%
  • Business information lost: 15.9%
  • Reputation or revenue damaged: 14.1%
  • Staff impacts (people leaving or losing jobs): 10.0%, up from 5.9%
  • Legal or regulatory issues: 7.9%, up from 5.1%

That last two are worth pausing on. Staff impacts have nearly doubled year on year. Legal exposure is heading the same direction. These aren't just IT problems. They're liability problems.

Why SMEs get targeted

The math for ransomware groups is straightforward: sensitive data, high recovery cost, reasonable chance of payment. SMEs meet all three. Client records, financial data, years of working files are all worth encrypting. Recovery without tested backups takes weeks. And for a business that can't be offline for a month, paying can feel like the rational call.

Large enterprise security teams can respond to ransomware in hours. Most SMEs are working with IT generalists or MSPs managing many clients at once. That response gap is what determines whether an incident is contained or catastrophic.

The backup problem

The AIC survey found online safety behaviours fell for the second consecutive year. Fewer Australians are running antivirus, using different passwords, or being careful with links. On ransomware specifically, backup quality is what matters most.

Having a backup is not the same as having a working one. Backups stored on the same network can be encrypted in the same attack. Backups that haven't been tested might not restore cleanly. What you need is an offline or immutable copy, tested at least quarterly, that ransomware can't reach.

The relevant controls

Three address the most common ransomware vectors directly: patch applications, patch operating systems, regular offline backups. Application control adds another layer: even if works and a malicious file lands, it can't execute. The ASD has recently announced plans to retire the Essential Eight framework, but the underlying controls remain sound guidance regardless of the framework that wraps them.

For SMEs without a security team, 1 across all eight controls is a realistic starting point. Not a checkbox exercise. It closes the gaps attackers reliably look for. The AIC data makes the direction clear: ransomware is rising, SMEs are taking more of the hit, and the consequences when incidents occur are getting worse year on year.

Keep reading

More from the IronSights team.