From 30 May 2025, certain Australian businesses and organisations are now required to report any ransomware or cyber extortion payments to the Australian Signals Directorate (ASD) within 72 hours of the payment being made.

This mandatory reporting obligation applies to:

• Businesses with an annual turnover of $3 million or more
• Entities classified as critical infrastructure
• Government departments and agencies.

The requirement follows a growing concern over ransomware attacks and is designed to improve the nation’s visibility and response to cyber threats.

What must be reported

If a ransom is paid, whether by the organisation itself or via a third-party intermediary, a report must be submitted to the ASD within 72 hours. This report must include:

• Business and contact information
• The date and discovery of the incident
• Details of the vulnerability exploited
• The type or variant of ransomware or malware used
• Identity (if known) of the threat actor
• Amount paid
• All communications with the attacker.

It is important to note that reporting is only mandatory where a payment has been made. If a demand is received but no payment occurs, there is no obligation to report the incident under this regime.

The report must be done through the report page, provided by the ASD.

Compliance and penalties

The initial phase of the regime will focus on building awareness and encouraging voluntary compliance through to the end of 2025. However, businesses should still act diligently. Failure to report a ransom payment within the 72-hour timeframe may result in a civil penalty of up to A$19,800.

Over time, the Department will shift towards more active regulation and enforcement as organisations become familiar with the new requirement. For now, they have provided a fact sheet for a better understanding of reporting obligations.

Next steps for businesses

• Review your incident response plans to ensure they include this reporting obligation
• Identify internal roles responsible for cyber incident management and reporting
• Familiarise yourself with the ASD’s ransomware payment reporting portal
• Consider legal or cybersecurity advice to navigate reporting requirements and assess risk.

Mandatory ransomware payment reporting marks a significant step in strengthening Australia’s cyber resilience. Businesses are encouraged to act early, understand their obligations, and ensure they’re prepared should an incident occur.

Concerned about cyber security risks or compliance obligations? Contact our experienced risk specialists for tailored advice and support.