Ransomware Evolving Into A Board-Level Crisis for Australian Organisations

In 2024, ransomware reached new levels of sophistication as it continued to evolve into a systemic threat — disrupting healthcare, finance, government, and critical infrastructure. This is no longer just an IT issue — it’s a material governance and operational risk demanding board oversight.

This blog dives into two of the key reasons for this change, Ransomware-as-a-Service and the use of AI by attackers, and examines the implications for Australian organisations.

Ransomware-as-a-Service (RaaS) lowered the barrier for attackers by turning ransomware deployment into a plug-and-play criminal business model.

RaaS platforms allow affiliates — often with minimal hacking expertise — to “rent” ready-made ransomware tools and infrastructure from developers. These affiliates simply select a ransomware kit, customise their campaign, and launch attacks with step-by-step support. Much like SaaS in legitimate tech sectors, RaaS operates on a subscription or revenue-sharing model. Affiliates don’t need to invest in development — they just split ransoms with the developer, making cybercrime more accessible and appealing. Many RaaS providers offer user dashboards, victim tracking tools, negotiation portals, and even 24/7 support — all hosted on the dark web, often with anonymised crypto payment structures to evade law enforcement.

RaaS ecosystems are highly competitive, pushing developers to constantly improve payload evasion, encryption speed, and extortion techniques (e.g. double or triple extortion). This arms less sophisticated actors with highly advanced malware.

This model has enabled RaaS operators to scale their operations through global affiliate networks. This has led to a surge in volume and geographic reach of ransomware campaigns, many of which now target SMEs, local governments, schools, and hospitals — often under-defended sectors. What was once the domain of elite hackers is now available to almost anyone — exponentially increasing the risk surface for all organisations.

Threat actors are using AI to bypass defences and increase impact.

Artificial Intelligence (AI) is no longer just a tool for defenders — it is now being weaponised by cybercriminals to accelerate, scale, and refine ransomware attacks. Threat actors are leveraging AI to increase the precision, stealth, and overall effectiveness of their operations in ways that traditional security controls often struggle to detect or counter, transforming the cyber threat landscape.

One of the most prominent applications of AI in cybercrime is the generation of sophisticated phishing emails. Using natural language models, attackers can craft messages that closely mimic internal communications, often referencing real people, events, or even social media content. This not only improves the success rate of phishing campaigns but makes them harder for both users and automated email filters to detect. A phishing email today may be indistinguishable from an authentic message from a colleague or executive.

Beyond social engineering, AI is also enhancing the capabilities of the malware itself. Adaptive malware can adjust its behaviour in real time based on the environment it encounters. This might involve delaying execution to avoid triggering sandbox-based detection tools, or altering its attack path depending on system configurations. Such intelligent malware can selectively target high-value assets, encrypting only what is necessary to inflict maximum operational disruption.

Traditional security tools, such as antivirus programs and endpoint detection and response (EDR) platforms, are increasingly being bypassed through AI-driven techniques. Malware can analyse and respond to how defences react, enabling it to morph and evade detection. In effect, threat actors are using AI to “train” their malware against common security technologies, ensuring a higher chance of successful infiltration.

AI is also accelerating the discovery and exploitation of vulnerabilities. Automated tools can scan vast networks and systems to identify misconfigurations, outdated software, or zero-day vulnerabilities in a fraction of the time it would take human attackers. This allows cybercriminals to act rapidly, often before patches can be applied or defences updated.

In addition to system-level exploitation, AI is being used in more manipulative forms of social engineering. Synthetic voice recordings and deepfake videos now allow attackers to convincingly impersonate executives or other trusted individuals. These tools have been used in vishing attacks, fraudulent authorisations, and to add credibility to extortion attempts. An AI-generated voice clone of a CEO requesting an urgent transfer can be highly persuasive and extremely difficult to verify in the moment.

AI also makes it easier to scale attacks. Automation allows cybercriminals to conduct credential stuffing, lateral movement, and privilege escalation at speeds and volumes previously unachievable. This enables smaller, less resourced groups to launch large-scale campaigns without the need for extensive infrastructure or expertise.

In 2024, Australian organisations were squarely in the crosshairs.

Globally, ransomware attacks rose 11% in 2024. Australia experienced a more significant surge, with the number of incidents increasing by 18% compared to the previous year. This escalation positioned Australia among the top 10 countries globally targeted by ransomware, accounting for 2% of all recorded attacks.

In Australia, we saw increased targeting of under-resourced sectors like education, local government, and small health providers. The financial impact on Australian organisations was substantial. The average ransom payment escalated to approximately AU$9.27 million, a significant increase from the previous year and notably higher than the global average. Beyond ransom payments, the average cost for Australian organisations to recover from ransomware attacks—including expenses related to downtime, data restoration, and reputational damage—rose to about AU$3.66 million, up from AU$2.66 million in 2023. Threat actors often deploy triple extortion — encrypting data, threatening public exposure, and disrupting customers and partners.

Major Australian Data Breaches in 2024:

Increased scrutiny on Australian Boards of Directors

In summary, the use of RaaS and AI by threat actors is transforming the cyber threat landscape. What once required advanced skills and weeks of manual effort can now be done in hours with minimal input.

ASIC has increased the onus on Boards to oversee that effective cyber security practices are established and maintained within an organisation. To quote Joe Longo, Chair of ASIC:

“Cyber preparedness is not simply a question of having impregnable systems – that is not possible. Instead, whilst preparedness must include security, it must also involve resilience, meaning the ability to respond to and weather a significant cyber security incident. This can only be built on thorough and comprehensive planning for significant cyber incidents.”

To stay ahead, organisations must adapt their defences by incorporating AI-enabled threat detection, adopting a zero-trust architecture, and fostering a strong culture of cyber awareness across all levels of the business. As attackers become more intelligent, so too must our defences. For Australian Boards, the implications are clear. The key to improving cyber security resilience lies in adopting a proactive, layered approach to security. Organisations must invest in advanced security technologies, implement robust security policies, and foster a culture of security awareness:

2024 was a warning. 2025 demands action. CyBiz works with Sygnia to educate and train Board members on the high-impact thought processes, dilemmas and critical decision-making they would face in a significant cyber security incident, so as to improve their competencies and experience in the event that their organisation experiences a major disruptive cyber incident.

Contact CyBiz now to discuss how CyBiz can help improve your organisation’s resilience to respond to and weather a significant cyber security incident.