Ransomware Evolving Into A Board-Level Crisis for Australian Organisations
In 2024, ransomware reached new levels of sophistication as it continued to evolve into a systemic threat — disrupting healthcare, finance, government, and critical infrastructure. This is no longer just an IT issue — it’s a material governance and operational risk demanding board oversight.
This blog dives into two of the key reasons for this change, Ransomware-as-a-Service and use of AI by attackers, and examines the implications for Australian organisations.
Ransomware-as-a-Service (RaaS) lowered the barrier for attackers by turning ransomware deployment into a plug-and-play criminal business model.
RaaS platforms allow affiliates — often with minimal hacking expertise — to “rent” ready-made ransomware tools and infrastructure from developers. These affiliates simply select a ransomware kit, customise their campaign, and launch attacks with step-by-step support. Much like SaaS in legitimate tech sectors, RaaS operates on a subscription or revenue-sharing model. Affiliates don’t need to invest in development — they just split ransoms with the developer, making cybercrime more accessible and appealing. Many RaaS providers offer user dashboards, victim tracking tools, negotiation portals, and even 24/7 support — all hosted on the dark web, often with anonymised crypto payment structures to evade law enforcement.
RaaS ecosystems are highly competitive, pushing developers to constantly improve payload evasion, encryption speed, and extortion techniques (e.g. double or triple extortion). This arms less sophisticated actors with highly advanced malware.
This model has enabled RaaS operators to scale their operations through global affiliate networks. This has led to a surge in volume and geographic reach of ransomware campaigns, many of which now target SMEs, local governments, schools, and hospitals — often under-defended sectors. What was once the domain of elite hackers is now available to almost anyone — exponentially increasing the risk surface for all organisations.
Threat actors are using AI to bypass defences and increase impact.
Artificial Intelligence (AI) is no longer just a tool for defenders — it is now being weaponised by cybercriminals to accelerate, scale, and refine ransomware attacks. Threat actors are leveraging AI to increase the precision, stealth, and overall effectiveness of their operations in ways that traditional security controls often struggle to detect or counter, transforming the cyber threat landscape.
One of the most prominent applications of AI in cybercrime is the generation of sophisticated phishing emails. Using natural language models, attackers can craft messages that closely mimic internal communications, often referencing real people, events, or even social media content. This not only improves the success rate of phishing campaigns but makes them harder for both users and automated email filters to detect. A phishing email today may be indistinguishable from an authentic message from a colleague or executive.
Beyond social engineering, AI is also enhancing the capabilities of the malware itself. Adaptive malware can adjust its behaviour in real time based on the environment it encounters. This might involve delaying execution to avoid triggering sandbox-based detection tools, or altering its attack path depending on system configurations. Such intelligent malware can selectively target high-value assets, encrypting only what is necessary to inflict maximum operational disruption.
Traditional security tools, such as antivirus programs and endpoint detection and response (EDR) platforms, are increasingly being bypassed through AI-driven techniques. Malware can analyse and respond to how defences react, enabling it to morph and evade detection. In effect, threat actors are using AI to “train” their malware against common security technologies, ensuring a higher chance of successful infiltration.
AI is also accelerating the discovery and exploitation of vulnerabilities. Automated tools can scan vast networks and systems to identify misconfigurations, outdated software, or zero-day vulnerabilities in a fraction of the time it would take human attackers. This allows cybercriminals to act rapidly, often before patches can be applied or defences updated.
In addition to system-level exploitation, AI is being used in more manipulative forms of social engineering. Synthetic voice recordings and deepfake videos now allow attackers to convincingly impersonate executives or other trusted individuals. These tools have been used in vishing attacks, fraudulent authorisations, and to add credibility to extortion attempts. An AI-generated voice clone of a CEO requesting an urgent transfer can be highly persuasive and extremely difficult to verify in the moment.
AI also makes it easier to scale attacks. Automation allows cybercriminals to conduct credential stuffing, lateral movement, and privilege escalation at speeds and volumes previously unachievable. This enables smaller, less resourced groups to launch large-scale campaigns without the need for extensive infrastructure or expertise.
In 2024, Australian organisations were squarely in the crosshairs.
Globally, ransomware attacks rose 11% in 2024. Australia experienced a more significant surge, with the number of incidents increasing by 18% compared to the previous year. This escalation positioned Australia among the top 10 countries globally targeted by ransomware, accounting for 2% of all recorded attacks.
In Australia, we saw increased targeting of under-resourced sectors like education, local government, and small health providers. The financial impact on Australian organisations was substantial. The average ransom payment escalated to approximately AU$9.27 million, a significant increase from the previous year and notably higher than the global average. Beyond ransom payments, the average cost for Australian organisations to recover from ransomware attacks—including expenses related to downtime, data restoration, and reputational damage—rose to about AU$3.66 million, up from AU$2.66 million in 2023. Threat actors often deploy triple extortion — encrypting data, threatening public exposure, and disrupting customers and partners.
Major Australian Data Breaches in 2024:
- MediSecure: In April 2024, electronic prescription service provider MediSecure suffered a massive data breach affecting approximately 12.9 million Australians. Hackers encrypted a database server with suspected ransomware, stealing 6.5 terabytes of data, including full names, phone numbers, addresses, Medicare numbers, and prescribed medications. (Source: "MediSecure reveals about 12.9 million Australians had personal data stolen by hackers in April" – The Guardian)
- Women’s and Children’s Hospital, Adelaide: A ransomware attack on March 22, 2025, impacted over 2,200 patients. The breach affected software provided by Compumedics, a third-party contractor, leading to the exposure of clinical study notes dating back to 2018. (Source: "‘Dark web’: Major data breach for Aussie sleep study patients" – news.com.au)
- Bloom Hearing Specialists: In July 2024, tens of thousands of patients, primarily older Australians, were affected by a ransomware attack on Bloom Hearing Specialists. Stolen data included names, addresses, contact information, dates of birth, gender, health and insurance information, bank details, Medicare and Centrelink numbers, and driver’s licence details. (Source: Courier Mail, "Bloom Hearing Specialists Breach")
- Western Sydney University: In May 2024, the university disclosed a data breach affecting 7,500 individuals. The breach involved unauthorized access to email accounts, SharePoint files, and the Microsoft Office 365 environment. (Source: "Cyber Incident" | Western Sydney University)
- Total Tools: The hardware chain experienced a significant data breach affecting approximately 38,000 customers. Sensitive customer information, including names, email addresses, credit card data, login details, mobile numbers, and shipping addresses, was compromised. (Source: "Data leak at Metcash-owned Total Tools hardware chain" – The Australian)
- NSW Department of Communities and Justice: A significant data breach occurred in the department’s Online Registry website, where an unknown hacker accessed at least 9,000 sensitive court documents, including apprehended violence orders. Authorities are investigating the breach, which has raised concerns about the safety of domestic violence survivors. (Source: "NSW Police investigating ‘significant’ Department of Communities and Justice data breach" – Cyber Daily)
Increased scrutiny on Australian Boards of Directors
In summary, the use of RaaS and AI by threat actors is transforming the cyber threat landscape. What once required advanced skills and weeks of manual effort can now be done in hours with minimal input.
ASIC has increased the onus on Boards to oversee that effective cyber security practices are established and maintained within an organisation. To quote Joe Longo, Chair of ASIC:
“Cyber preparedness is not simply a question of having impregnable systems – that is not possible. Instead, whilst preparedness must include security, it must also involve resilience, meaning the ability to respond to and weather a significant cyber security incident. This can only be built on thorough and comprehensive planning for significant cyber incidents.”
To stay ahead, organisations must adapt their defences by incorporating AI-enabled threat detection, adopting a zero-trust architecture, and fostering a strong culture of cyber awareness across all levels of the business. As attackers become more intelligent, so too must our defences. For Australian Boards, the implications are clear. The key to improving cyber security resilience lies in adopting a proactive, layered approach to security. Organisations must invest in advanced security technologies, implement robust security policies, and foster a culture of security awareness:
- Cyber risk must be embedded in the enterprise risk framework
- Incident response plans should be board-reviewed and tested
- Investment in Zero Trust, AI-driven detection, and supply chain security is critical.
- Directors must engage with CISOs and audit cyber resilience, ensuring their organisations invest in resilience, test incident response plans, and foster a culture of cyber awareness from the top down.
2024 was a warning. 2025 demands action. CyBiz works with Sygnia to educate and train Board members on the high-impact thought processes, dilemmas and critical decision-making they would face in a significant cyber security incident, so as to improve their competencies and experience in the event that their organisation experiences a major disruptive cyber incident.
Contact CyBiz now to discuss how CyBiz can help improve your organisation’s resilience to respond to and weather a significant cyber security incident.