McGrathNicol’s latest ransomware survey shows a continued decline in ransom payments by Australian organisations, even as attack volumes remain high and smaller businesses continue to face disproportionate risk.
The 2025 report, released on 13 November, found that 69 per cent of business leaders have experienced a ransomware incident in the past five years, with SMEs accounting for the majority of recent victims.
The survey, conducted with YouGov and based on responses from more than 800 decision-makers in companies with 50 or more employees, indicates that 64 per cent of those hit by ransomware chose to pay, down from 84 per cent in 2024. The average ransom payment has also almost halved, falling to $711,000 from last year’s peak of $1.35 million. The amount organisations say they would be willing to pay has similarly decreased, dropping to $906,000 from $1.42 million.
McGrathNicol says the trend reflects a combination of factors: reduced insurance coverage for ransomware-related losses, growing regulatory scrutiny, greater reputational risk and a shift away from viewing payment as an acceptable recovery strategy. Improved preparedness, including incident response planning and increased board-level engagement, is also contributing to the decline.
Darren Hopkins, Head of Cyber at McGrathNicol, commented: “SMEs continue to bear the brunt of ransomware attacks. Without dedicated resources and cyber teams, many SMEs are vulnerable to being seen as ‘soft targets’ by cyber criminals, and we are working closely with our clients, industry partners and government to share threat intelligence and respond effectively.”
“Paying a ransom does not guarantee data recovery nor does it prevent future attacks. We know that one in five respondents have experienced multiple ransomware attacks regardless of payment.”
“At the larger end of town, those in businesses earning $10 million plus are more likely to say they are ‘very prepared’ for a ransomware attack, but we urge executives not to become complacent.”
Despite this, SMEs remain a primary target. Eighty-nine per cent of organisations attacked in the past 12 months were small or medium-sized businesses, and many lack dedicated cybersecurity staff. McGrathNicol partner Darren Hopkins said this makes them particularly vulnerable. He noted that one in five organisations surveyed reported experiencing multiple ransomware incidents regardless of whether a ransom was paid.
Larger companies reported higher levels of confidence, with those earning more than $10 million annually more likely to consider themselves “very prepared” for an attack. However, the report warns against complacency, with more than half of breached organisations saying the attack caused severe or significant impacts to their supply chains.
The research also shows strong support for Australia’s new mandatory ransomware reporting requirements under the Cyber Security Act 2024, which came into effect in May. Seventy-one per cent of business leaders believe reporting should be compulsory, rising to 76 per cent among those that have experienced an attack. Respondents said mandatory reporting improves information sharing, visibility and collective resilience.
McGrathNicol says the findings highlight the importance of continued investment in prevention, threat detection and incident response capabilities, noting that ransom payment cannot guarantee data recovery or protection from future attacks.