Ransomware Protection for Australian Businesses: What Actually Works

In 2024, the ACSC reported that ransomware was the most commonly reported cyber crime affecting Australian businesses. It’s not just large corporations either—SMBs are increasingly targeted because they’re seen as easier targets and more likely to pay quickly.

The approach most SMBs take is backwards. They buy expensive antivirus, install fancy security tools, and hope for the best. Then when ransomware hits, they realise those tools didn’t prevent it. The attacker knew exactly which files to encrypt and had admin access.

The Australian Ransomware Landscape: What You’re Up Against

Commodity ransomware: The attacker compromises a server or access point using a vulnerability or stolen password, installs ransomware, and encrypts everything. This is the most common type affecting SMBs.

Targeted ransomware: The attacker spends weeks inside your network, finding valuable data and understanding your business. Then they encrypt everything and threaten to sell your data publicly.

Supply chain ransomware: The attacker compromises a vendor you use and gets access to all their customers at once. This is especially hard to defend against because the vulnerability isn’t in your systems.

Most Australian SMBs are hit by commodity ransomware, which is thankfully also the easiest type to prevent.

Why Antivirus Isn’t Enough

Modern ransomware often arrives through a compromised user account or a vulnerability in internet-facing software. It runs with the permissions of that account, encrypts the files that account can access, and the antivirus never sees malicious code because the attacker is using legitimate Windows commands.

The Controls That Actually Stop Ransomware

1. Application Control — Ransomware is usually delivered as an executable file. Application control blocks anything not on your approved list from running, regardless of how it arrives or what user runs it.

2. Admin Privileges — Ransomware spreads through a network by escalating privileges. If your users don’t have admin access, ransomware running as one of them can only encrypt the files that user can access.

3. Patching — Many ransomware attacks exploit known vulnerabilities. If you patch your systems within 48 hours of critical patches being released, most ransomware can’t get in the door.

4. Backups — If ransomware encrypts your data but you have backups that aren’t connected to your main systems, you restore from the backup and move on. Backups need to be truly separate.

5. Multi-Factor Authentication — If a user’s password is stolen and MFA is enabled, the attacker can’t log in without the user’s phone or security key.

6. Monitoring and Logging — Monitoring doesn’t prevent ransomware, but it lets you detect it early. If you notice that someone just bulk-modified 10,000 files, that’s ransomware.

7. Email Security — Most ransomware arrives by email. Email filtering and phishing detection reduce the number of malicious emails that reach users.
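Detection logic for item 6, as an added example that is not from the original post: a sliding-window check over constructed file-server audit lines that raises one alert when a single account modifies more distinct files in a minute than a person plausibly would. The log format, the 200-file threshold and the 60-second window are assumptions to tune against your own file server or EDR telemetry.

```python
"""Sliding-window detector for the bulk file modification a ransomware run
produces. Log format below is a constructed, simplified file-server audit
line ("<ISO timestamp> <user> <action> <path>"); adapt parse_event() to
whatever your file server or EDR actually emits."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values: a person rarely rewrites hundreds of distinct files
# in a minute, but a scheduled backup or sync job might, so allow-list those.
THRESHOLD = 200                 # distinct files modified by one account ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window

def parse_event(line):
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def detect_bulk_modification(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert tuple (user, burst_start, distinct_files) per account
    whose modified-file count inside the window exceeds the threshold."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, path)
    alerted, alerts = set(), []
    for line in sorted(lines, key=lambda l: parse_event(l)[0]):
        ts, user, action, path = parse_event(line)
        if action not in ("WRITE", "RENAME"):  # reads are not interesting here
            continue
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > threshold and user not in alerted:
            alerted.add(user)  # alert once per account, not once per file
            alerts.append((user, q[0][0], len(distinct)))
    return alerts

def sample_log():
    """Constructed sample: 'alice' edits five documents over ten minutes;
    'bob' (a compromised account) rewrites 300 spreadsheets in 30 seconds."""
    base = datetime(2024, 6, 3, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=2 * i)).isoformat()} alice WRITE "
             f"/shares/finance/report{i}.docx" for i in range(5)]
    lines += [f"{(base + timedelta(seconds=i // 10)).isoformat()} bob WRITE "
              f"/shares/finance/q2-{i}.xlsx" for i in range(300)]
    return lines

if __name__ == "__main__":
    for user, start, count in detect_bulk_modification(sample_log()):
        print(f"ALERT {user}: {count} distinct files modified since {start}")
```

Feed it real audit lines and the only alert should come from the compromised account, while a genuine backup or sync account must be excluded before the threshold fires.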

The Specific Configuration That Works Best for SMBs

  • MFA: Mandatory for all cloud accounts and all remote access
  • Patching: Critical patches within 48 hours, other patches monthly
  • Backups: Cloud backups (separate from your main infrastructure), tested monthly
  • Admin privileges: Removed from regular staff, limited to IT staff and service accounts
  • Application control: Prevent users from installing software
  • Email security: Basic filtering + phishing detection
  • Monitoring: Alert on unusual activity

What to Do If You’re Hit: The Response Plan

Minute 1: If you detect ransomware (lots of files changing, ransom note appearing), isolate the affected systems immediately.

Minute 2: Don’t panic. Ransom notes are designed to pressure you into quick decisions. You have time to think.

Minutes 5–15: Contact your IT provider or IT staff. If you don’t have one, contact the ACSC for guidance.

Hour 1: Preserve evidence. Don’t touch infected systems more than necessary. Document what happened and when.

Hour 1–2: Assess the damage. How many systems are affected? Which files are encrypted? Do your backups work?

Hour 2–4: If backups work, restore from them. Disconnect restored systems from the network until they’re confirmed clean.

Should You Pay the Ransom?

A layered defence is the only approach that works. TechAssist’s ransomware protection services combine endpoint detection, network segmentation, immutable backups, and staff training into a single managed package.


Reasons not to pay:

  • Paying doesn’t guarantee you get a working decryption key.
  • Paying funds criminal operations and makes you a target for future attacks.
  • Paying is often illegal. Some attackers are sanctioned.
  • Your insurance may not cover losses if you paid without authorisation.
  • The attacker has exfiltrated your data. Paying doesn’t delete it.
  • You’re negotiating with criminals.

The real prevention is having backups so solid that ransom is irrelevant. If you can restore in 4 hours, the attacker’s threat has no teeth.

Reporting to Authorities and Insurance Implications

You should report ransomware to: the ACSC, your state police cyber crime unit, and your cyber insurance company (if you have one).

Cyber insurance can cover ransomware losses. Coverage typically includes ransom payments, data recovery costs, business interruption losses, and legal/forensic costs. But cyber insurance is increasingly expensive and selective. Check your policy and know what’s covered.

More importantly: insurance doesn’t prevent ransomware. It softens the financial blow if prevention fails. Your primary focus should be prevention.

Ransomware and Essential Eight Maturity

Implementation of Essential Eight controls prevents the vast majority of ransomware attacks. You don’t need to be at Level 4 (optimised) on every control. Level 2 (managed) across all eight controls is enough to stop most commodity ransomware.

The Hard Truth About Ransomware

Ransomware isn’t going away. The economics are too good for attackers. Your job isn’t to reach zero risk. It’s to be a harder target than your competitors, to detect attacks early, and to have backups solid enough that the attacker’s threat means nothing.
