Today, 12 May, is International Anti-ransomware Day, established in 2017 on the anniversary of the crippling WannaCry cyber attack. Ten years later, however, the threat looms larger than ever.
Trevor Dearing
Director of critical infrastructure at Illumio
What we’re seeing with Medusa ransomware isn’t just another spike – it’s a sign of how ransomware is evolving. The question every organisation should be asking right now is: If an attack like Medusa came for you, could you survive it?
New research from Illumio’s Global Cost of Ransomware Study shows just how widespread and damaging these attacks really are in Australia:
These numbers paint a clear picture: ransomware isn’t just an IT issue – it’s a business crisis. Ignoring the threat means gambling with your operations, reputation, and bottom line.
Dennis Fisher
Security journalist at Censys
Ransomware began as an annoyance, a new tactic employed by a small number of cyber criminals to scare individual consumers into handing over a few dollars or an iTunes gift card in return for unlocking their browser or decrypting their files. Since then, it has rapidly evolved into a multifaceted threat that is not just at or near the top of the priority list for every enterprise security team but is also a national security issue for countries around the globe.
Ransomware infections have caused billions of dollars in damages and financial losses for small businesses, enterprises, and government agencies, and even the most well-prepared and mature security organisations are not immune from the specter of these attacks. As recent history has shown us, preparedness and awareness will only get us so far in the fight against ransomware. To truly break the model that has become so profitable for ransomware gangs, governments, researchers, and defenders must work together to disrupt the payment ecosystem that the ransomware gangs rely on. Without the ability to receive and shift their ransom payments through the global financial system, these gangs would lose their incentive to deploy ransomware. There have been some significant and notable successes in retrieving ransoms and stolen funds in recent years, but these are mostly one-off operations. A concerted and strategic global effort to address the payment problem is our best chance to end the ransomware era for good.
Sam Salehi
Managing director ANZ at Qualys
As threat actors move faster and AI amplifies the speed and precision of attacks, organisations must evolve how they manage and reduce risk over time. The era of “patch when you can” is over. Traditional, reactive vulnerability management is no longer fit for purpose.
To stay ahead, businesses need a central, strategic view of their cyber risk posture. A dedicated Risk Operations Centre (ROC) provides this visibility – bringing together data from across the enterprise and translating it into meaningful, business-aligned insights. This enables business leaders to proactively manage risk based on impact, likelihood and cost, rather than reactive guesswork.
Effective risk management also can’t happen in silos. When security, IT, compliance, and business departments operate in lockstep, they can identify and prioritise the most critical assets, strengthen resilience, and deliver measurable outcomes. The ability to consolidate, interpret and act on risk data across the organisation is now a competitive advantage.
Adrian Briscoe
Business development manager, Asia-Pacific and Japan, at DriveSavers Data Recovery
Nearly 40 per cent of small businesses have reported losing crucial data as a result of an attack. Cyber criminals have escalated their attacks on small and medium-sized businesses, with incidents surging by 32 per cent in late 2024, according to a recent report by Corvus Insurance.
Paying the ransom provides no assurance of successful data recovery. Cyber criminals specialise in encryption and extortion, not in developing flawless decryption tools. According to research from Sophos, only 8 per cent of businesses fully recover their data, even after meeting ransom demands.
While off-the-shelf and free internet recovery tools can address some basic data loss scenarios, they typically prove inadequate when confronting more sophisticated cyber incidents. Providers that develop proprietary recovery tools achieve far greater success in complex cases.
Effective data recovery following cyber attacks is not just about tools – it requires expertise across diverse technologies, operating systems, and applications to understand the many ways data is structured and stored. This deep technical knowledge can only be acquired through years of experience and exposure to numerous complex data loss scenarios. Integrating this broad expertise and deep technical experience into a scientific process, combined with robust tools, creates the foundation for developing the most effective recovery solutions possible for each unique case.
Ultimately, when selecting a data recovery partner following a cyber event, prioritise providers with strong in-house software development capabilities who can customise solutions to your specific situation rather than relying solely on standardised approaches.
Steve Wilson
Chief AI and product officer at Exabeam
Ransomware is no longer just a criminal enterprise – it’s a fully weaponised business model, evolving faster than most security teams can track. The rise of generative AI has only accelerated this evolution. Ransomware groups are using it to scale attacks, craft convincing phishing lures, and even automate negotiation scripts in real time. What once took weeks of human effort can now be executed in hours with minimal oversight.
With ransomware actors now wielding AI as a force multiplier, the security industry can’t afford to stay in “wait and see” mode. We need to embrace bold, transformative approaches – automating where we can, accelerating what we must, and applying human judgement where it matters most.
That’s where agentic AI comes in. These systems do more than detect – they reason, act, and adapt. They can sift through thousands of signals in real time, initiate investigations, and take action to contain threats before damage spreads. When integrated into security operations, agentic AI gives security teams the ability to investigate and respond in real time, not after the damage is done.
Ultimately, if we’re serious about resilience, we need to be equally aggressive in our adoption of agentic AI across detection, triage, and containment. The goal isn’t just faster response – it’s fewer decisions made under pressure, and more time spent proactively managing risk, not reacting to it.
Brett Williams
Solution engineering manager at SentinelOne
Today, attackers exploit vulnerabilities, encrypt critical data, and demand ransom payments, often leaving organisations with financial losses and reputational damage. At the same time, threat actors often strike outside ‘business hours’. Almost every business is now online 24/7, but many systems remain monitored only during the standard eight-hour window. It’s a sad reality, but due diligence (and often insurance) now dictates 24/7 monitoring to reduce the risk of ransomware.
Moreover, the use of ransomware-as-a-service (RaaS) platforms has expanded in recent years, enabling less technically skilled actors to launch effective attacks. Attackers are increasingly bypassing traditional security solutions by exploiting both old and new vulnerabilities, and using legitimate administrative tools installed on endpoints while shifting towards double and even triple extortion tactics.
Beyond encrypting data, threat actors now exfiltrate sensitive information and threaten to leak it unless ransom demands are met, often targeting victims’ customers or partners to increase pressure.
As these attacks grow more sophisticated, a proactive, multi-layered defence is the only way to stay ahead. Enterprises must regularly update software, enforce least privilege access, back up data securely, and deploy AI-driven threat detection to mitigate risks. Employee awareness is just as critical. With phishing remaining a top ransomware delivery method, security training is a must.
Stephen Kowski
Field CTO at SlashNext Email+ Security
Ransomware attacks almost always start with a sneaky message - like a fake email, text, or even a voice call - that tricks someone into clicking a link or opening an attachment. Today’s scammers use advanced tricks, including AI-generated messages and deepfakes, to make these scams look and sound real. That’s why it’s so important to stop these threats before they ever reach your team. Using security that can spot and block phishing across email, mobile apps, and even messaging platforms is one of the smartest moves you can make.
On top of that, teaching everyone what these scams look like helps people think twice before clicking. If you combine smart technology with good training, you can stop most ransomware attacks before they even start. In the end, it’s about making sure your defences work where the attacks begin - right at the first message. That way, you can spend less time worrying and more time getting things done.
Kern Smith
VP of Global Solutions at Zimperium
As ransomware threats evolve, mobile devices have become the next frontier. Cyber-criminals are increasingly targeting smartphones and tablets with mishing (mobile-targeted phishing) attacks, and exploiting vulnerabilities in apps and operating systems. Yet, many organisations still overlook mobile as a critical attack vector.
Traditional security tools aren't enough. Real-time, on-device protection designed for mobile threats is essential. It's no longer just about protecting desktops - securing mobile environments is key to staying ahead of today’s ransomware tactics.
Saeed Abassi
Manager, Vulnerability Research at Qualys Threat Research Unit
In this rapidly evolving cyber security environment, understanding the nuances of ransomware attacks and the underlying vulnerabilities they exploit is crucial for building robust defense strategies. Anti-Ransomware Day is an important reminder of the urgent need to stay ahead of these advancing threats. Today’s ransomware attacks are more diverse than ever, impacting everything from operating systems to web applications and networking infrastructure. In recent years, genAI has accelerated this shift, lowering technical barriers and enabling cyber-criminals to discover and exploit vulnerabilities more easily, leading to more frequent and sophisticated attacks.
The recent leak of internal communications from the ransomware group Black Basta provided a rare inside look at the layered techniques these actors employ, from credential theft and exploitation of exposed services to the use of legitimate platforms for payload hosting and voice phishing. Ransomware groups are moving faster than ever, often escalating from initial access to full network compromise within hours, leaving defenders little time to respond.
To defend against these accelerating threats, organisations must adopt a proactive and informed cyber security strategy. Immediate patching of known exploited vulnerabilities is critical. Patch management must be treated not just as a maintenance function but as a frontline defense mechanism that closes vulnerabilities before attackers can gain a foothold. A high patch rate ensures quick and efficient response, significantly reducing the risk of a breach, while a low patch rate leaves organisations exposed. Beyond routine patching, organisations should adopt risk-based prioritisation, proactively address vulnerabilities with known exploitation histories, eliminate common misconfigurations, and maintain continuous visibility into all internet-facing assets. Implementing multi-layered defense strategies that address each stage of an attack, from initial access to data exfiltration, is now essential for building resilience against ransomware.
In summary, ransomware is a digital pandemic - traditional defences are just masks, not armor. To fight back, we need to be proactive and utilise risk-based prioritisation; it isn’t a defense - it's a counterstrike. By embracing this mindset and implementing the above-mentioned strategies, organisations can strengthen their defences and stay ahead of the ever-evolving ransomware threat.
Heath Renfrow
Co-founder and CISO at Fenix24
While encryption algorithms and file recovery often steal the spotlight in ransomware discussions, the real impact goes far deeper. Ransomware is not just a data issue - it’s a full-scale business operations crisis with consequences that extend well beyond the digital domain.
If your backup system isn’t isolated, monitored, and tested against ransomware, it’s not a backup - it’s a liability. Ransomware exploits operational silos, making rapid detection, coordinated response, and intelligent recovery essential. Only through integrated cyber security frameworks and real-time threat intelligence can organisations truly defend and recover.
Anti-Ransomware Day is a powerful reminder: the focus must shift from prevention alone to resilience. Modern recovery requires more than incident response - it demands resilient infrastructure, automated failover, strong restoration capabilities, and speed. The goal isn’t just avoiding ransom payments - it’s minimising downtime, protecting reputation, and ensuring operational continuity.
John Anthony Smith
Founder and CSO at Fenix24
On Anti-Ransomware Day, it's crucial for organisational leadership to recognise that traditional disaster recovery plans, procedures, and technical measures often fail in the face of ransomware attacks. Fenix24’s research has found that 84 per cent of critical backups do not survive threat actors’ behavior. Why? Because these systems and plans are frequently destroyed by the mass destructive behaviors of threat actors.
While there are practice environments security teams can administer, like tabletop exercises, they typically do not prepare organisations for the realities of mass destruction. These exercises often make flawed assumptions about the survivability of recovery systems and are based on limited contexts, leaving organisations unprepared for the complete destruction of all systems.
Without understanding the breach context, specifically what and how threat actors operate, it is impossible to harden, manage, and maintain backup systems that are both survivable and timely recoverable. While most organisations are over-investing in prevention, they largely ignore recovery. The ultimate determinant of survival hinges not on avoiding the initial breach but on the speed and efficacy of restoring operations. The chosen recovery strategy, assuming backup and recovery methods survive, is the single most important decision leadership will make during a mass destruction event.
Let Anti-Ransomware Day serve as an urgent reminder for leaders to prioritise the development and implementation of robust recovery strategies. Ensuring our organisations are thoroughly prepared is paramount in mitigating the potentially devastating impacts of ransomware attacks.
Chad Cragle
CISO at Deepwatch
Ransomware remains one of the most disruptive threats to modern institutions, whether you’re running a business, a hospital, a school, city infrastructure, or anything in between. Anti-Ransomware Day reminds us of past crises like WannaCry, but the stakes have only grown. Today’s attacks are faster, more calculated, and built to cause maximum disruption. It’s not just about encrypting data, it’s about shutting down operations and exploiting any opportunities. That’s why modern defence strategies must include always-on visibility, rapid containment, and tested recovery protocols. Services like Managed Detection and Response play a central role in that strategy, providing 24/7 threat monitoring and expert-led action when every second counts.
This isn’t just about awareness; it’s about readiness. Ransomware is a business risk, a public safety issue, and a critical infrastructure threat all rolled into one. And it doesn’t care if you’re understaffed, underfunded, or still waiting on that “next quarter” security upgrade. Anti-Ransomware Day should serve as more than a reminder, it’s a prompt to ask whether your organisation is ready to respond today, not someday.
Erich Kron
Security Awareness Advocate at KnowBe4
Ransomware continues to be one of the most disruptive threats facing organisations today, and International Ransomware Day is a critical reminder that no business, large or small, is immune. Attackers are not just locking up data anymore, they are stealing it, leaking it, and extorting victims in more sophisticated ways than ever before.
But the root of the problem often is not with technology but with people. When someone clicks on a malicious link, falls for a phishing email, or uses weak passwords, it can open the door to chaos, meaning human risk management is not optional, it is essential. In fact, KnowBe4 reports that 68 per cent of all data breaches are caused by human error.
By building a strong security culture from the inside out, through real-world simulated phishing attacks and engaging security awareness training, organisations can empower people to become a critical part of their defence strategy.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.