Ransomware Trends in Australia: How AI Is Being Used on Both Sides
Ransomware isn’t going away. Despite years of law enforcement takedowns, international sanctions, and improved security practices, ransomware attacks against Australian organisations increased 42% in 2025 according to the Australian Cyber Security Centre’s annual threat report. The average ransom demand against Australian businesses exceeded $1.2 million, though actual payments were significantly lower due to negotiation and non-payment decisions.
What’s changed isn’t just the volume. It’s the sophistication. And artificial intelligence is a major factor on both sides of the equation.
How Attackers Are Using AI
The ransomware ecosystem has evolved from individual hackers into a professional industry with specialised roles, affiliate programs, and customer service departments. AI has accelerated every stage of the attack chain.
Reconnaissance and targeting. AI tools automate the process of identifying vulnerable organisations. Natural language processing scans company websites, job postings, and social media to identify technology stacks and security maturity levels. A job posting for a “Windows Server Administrator” tells attackers what operating systems you run. A LinkedIn post celebrating your new ERP implementation tells them you’re in a transition period where security gaps are likely.
Initial access. AI-generated phishing emails are the most common entry vector. But AI also accelerates vulnerability exploitation — tools can scan exposed services, identify potential weaknesses, and generate exploit code faster than manual methods.
Lateral movement. Once inside a network, AI-assisted tools can map the environment, identify high-value targets like domain controllers and backup servers, and determine optimal attack paths faster than manual exploration. The dwell time — how long attackers remain in a network before deploying ransomware — has shortened from weeks to days in many cases.
Payload customisation. Some ransomware groups now use AI to generate polymorphic variants: malware whose code and file signature change with each deployment, so that signature-based antivirus rarely recognises a new build. What does not change is the behaviour (mass file encryption, deletion of shadow copies, tampering with backups and recovery settings), which is why behaviour-based detection has become the more reliable control.
How Defenders Are Responding
The cybersecurity industry hasn’t been standing still. AI-powered defence tools have become essential components of modern security stacks.
Endpoint detection and response (EDR) platforms like CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint use machine learning to identify suspicious behaviour on devices. In addition to matching known malware signatures and indicators, they detect anomalous patterns, such as unusual file encryption or rename activity, suspicious process executions (for example a shadow-copy deletion command launched from an Office document), and abnormal network connections, that indicate a ransomware attack in progress.
Network traffic analysis tools monitor data flows for indicators of compromise. AI models can identify command-and-control communications, data exfiltration attempts, and lateral movement patterns that human analysts could not practically spot in real time across a busy network.
Security orchestration platforms use AI to correlate alerts from multiple security tools, reduce false positives, and automate initial response actions. When a potential ransomware indicator is detected, automated playbooks can isolate affected devices, block suspicious network connections, and alert security teams within seconds.
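To make the behavioural detection and automated playbook concrete, here is an added example (not code from Team400 or any of the EDR or SOAR products named above). It runs two behavioural rules over constructed endpoint telemetry in a hypothetical JSON-lines schema: a process-creation rule that matches recovery-tampering commands such as vssadmin delete shadows, and a sliding-window rule that flags one process changing the extension of many files in a few seconds. A triage step then turns the per-host alerts into a severity and a list of playbook actions. The schema, host names, rule names, thresholds and the action vocabulary are all assumptions for the example.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Command lines ransomware typically runs before encrypting, to defeat recovery.
# Illustrative subset only; a production rule set is far broader.
PRECURSOR_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no", re.I)),
    ("backup_catalog_deleted", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I)),
]
PRECURSOR_NAMES = {name for name, _ in PRECURSOR_RULES}

# One process changing the extension of this many files inside the window is
# treated as encryption in progress (both values are assumptions).
RENAME_THRESHOLD = 20
RENAME_WINDOW = timedelta(seconds=10)

# Constructed telemetry in a hypothetical JSON-lines schema (not any vendor's format).
# Friday 15 Aug 2025, 23:40 local: AU-FIN-07 sees a shadow-copy purge followed by a
# burst of renames to ".locked"; AU-HR-02 only shows benign activity.
_BASE = datetime(2025, 8, 15, 23, 41, 0)
SAMPLE_EVENTS = r"""
{"ts": "2025-08-15T23:40:12", "host": "AU-FIN-07", "type": "process", "pid": 3980, "cmdline": "cmd.exe /c dir C:\\Shares\\Finance"}
{"ts": "2025-08-15T23:40:55", "host": "AU-FIN-07", "type": "process", "pid": 4212, "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"}
{"ts": "2025-08-15T23:40:58", "host": "AU-HR-02", "type": "process", "pid": 1210, "cmdline": "OUTLOOK.EXE"}
{"ts": "2025-08-15T23:41:03", "host": "AU-HR-02", "type": "file_rename", "pid": 1210, "old": "C:\\Users\\jo\\notes.txt", "new": "C:\\Users\\jo\\notes.md"}
""".strip() + "\n" + "\n".join(
    json.dumps({"ts": (_BASE + timedelta(milliseconds=200 * i)).isoformat(), "host": "AU-FIN-07",
                "type": "file_rename", "pid": 5120,
                "old": f"C:\\Shares\\Finance\\invoice_{i:03d}.xlsx",
                "new": f"C:\\Shares\\Finance\\invoice_{i:03d}.xlsx.locked"})
    for i in range(25))


def parse_events(jsonl: str) -> list:
    """Parse JSON lines into dicts with real timestamps, sorted by time."""
    events = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_precursors(events: list) -> list:
    """Rule 1: recovery-tampering command lines seen in process-creation events."""
    alerts = []
    for ev in events:
        if ev["type"] != "process":
            continue
        for name, pattern in PRECURSOR_RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({"rule": name, "host": ev["host"], "pid": ev["pid"],
                               "ts": ev["ts"], "evidence": ev["cmdline"]})
    return alerts


def _ext(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(events: list, threshold=RENAME_THRESHOLD, window=RENAME_WINDOW) -> list:
    """Rule 2: sliding window of extension-changing renames per (host, pid)."""
    recent, fired, alerts = defaultdict(deque), set(), []
    for ev in events:
        if ev["type"] != "file_rename" or _ext(ev["old"]) == _ext(ev["new"]):
            continue  # not a rename, or a plain rename that kept the extension
        key = (ev["host"], ev["pid"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop renames older than the window
        if len(q) >= threshold and key not in fired:
            fired.add(key)  # alert once per offending process
            alerts.append({"rule": "mass_rename", "host": ev["host"], "pid": ev["pid"], "ts": ev["ts"],
                           "evidence": f"{len(q)} extension changes in {window.seconds}s, e.g. {ev['new']}"})
    return alerts


def triage(alerts: list) -> dict:
    """Combine alerts per host into a severity and playbook actions (hypothetical SOAR logic)."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    verdicts = {}
    for host, host_alerts in by_host.items():
        rules = {a["rule"] for a in host_alerts}
        if "mass_rename" in rules:
            # Encryption observed: contain first, investigate second.
            severity, actions = "critical", ["isolate_host", "kill_process", "page_oncall"]
        elif rules & PRECURSOR_NAMES:
            # Recovery tampering alone: stop the process, wake a human, watch for encryption.
            severity, actions = "high", ["kill_process", "page_oncall"]
        else:
            severity, actions = "low", ["ticket"]
        verdicts[host] = {"severity": severity, "rules": sorted(rules),
                          "pids": sorted({a["pid"] for a in host_alerts}), "actions": actions}
    return verdicts


def analyse(jsonl: str) -> dict:
    events = parse_events(jsonl)
    return triage(detect_precursors(events) + detect_mass_rename(events))


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_EVENTS), indent=2))
```

Two design points carry over to real deployments. The mass-rename rule alerts once per process rather than once per file, which is the difference between one actionable page and twenty-five duplicates in the queue. And the playbook escalates to host isolation only once encryption is actually observed; a shadow-copy deletion on its own kills the process and pages someone, because legitimate administrators occasionally run the same command.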
The team at Team400 has helped several Australian organisations build AI-enhanced security monitoring capabilities that integrate with their existing security tools. The challenge isn’t usually the technology itself — it’s designing systems that generate actionable alerts rather than overwhelming security teams with noise.
The Australian Landscape
Australia faces some specific ransomware challenges. Many ransomware operators work European or North American business hours, which fall overnight in Australia, so attacks often begin while local teams are asleep and only an overseas SOC, if the organisation has one, is watching. Attackers also deliberately time deployments for late Friday or early Saturday morning Australian time, maximising the window before detection and response.
The concentration of Australian businesses on a relatively small number of managed service providers (MSPs) creates supply chain risk. When an MSP is compromised, all their clients are potentially affected. The 2025 compromise of a major Australian MSP affected over 200 small and medium businesses simultaneously.
Sector-specific targeting has also evolved. Healthcare, education, and local government organisations — sectors with constrained IT budgets and high sensitivity to operational disruption — remain primary targets. The Australian Signals Directorate has published sector-specific guidance, but implementation lags in many organisations.
The Backup Question
“Just restore from backups” has been the default advice for ransomware for years. It’s still valid, but attackers have adapted.
Modern ransomware groups specifically target backup systems. They identify and delete or encrypt backup repositories before deploying the ransomware payload. Cloud backups with API-accessible deletion capabilities are particularly vulnerable: if the attacker compromises credentials with backup management permissions, they can delete cloud backups remotely. On-premises backup consoles are no different; a compromised backup administrator account can purge every repository it manages, which is why backup credentials should be separate from domain administration and protected with phishing-resistant MFA.
Effective backup strategies now require air-gapped or immutable backups: storage that physically or logically cannot be modified or deleted for a defined retention period, even by administrators with full system access. This means offline tape backups, immutable cloud storage (for example an S3 bucket with Object Lock in compliance mode, where not even the account root user can shorten the retention period), or write-once-read-many (WORM) configurations. Check the mode carefully: a "governance" style of immutability that a sufficiently privileged user can override is not immutable against an attacker holding that user's credentials.
Testing backup restoration is equally important and equally neglected. A backup you’ve never tested restoring is a backup you can’t rely on. Regular restoration drills — including full system rebuilds, not just file recovery — are essential.
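The automated part of a restoration drill is deciding whether the set you just restored can be trusted at all, given that attackers encrypt or delete backup files before they detonate (see above). The following is an added example, not Team400's tooling or any backup product's feature: it builds a SHA-256 manifest of a backup set, authenticates the manifest with an HMAC whose key is assumed to live outside the backup platform, and then verifies a restore against it, reporting missing, modified and unexpected files and flagging modified files whose byte entropy looks like ciphertext. The sample backup contents, the 7.5 bits-per-byte entropy threshold and the simulated intruder actions are all constructed for the example.

```python
import hashlib
import hmac
import json
import math
import os
import secrets
import tempfile
from collections import Counter
from pathlib import Path

# Bits per byte above this look like ciphertext or compressed data. A restored file
# whose hash changed AND whose content has this entropy has most likely been encrypted
# in place. The threshold is an assumption for the example.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path, key: bytes):
    """Hash every file under root and MAC the manifest so an intruder who rewrites the
    files cannot quietly re-sign it. The key is assumed to be held outside the backup
    platform (e.g. a separate secrets store the backup service account cannot read)."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return canonical, hmac.new(key, canonical, "sha256").hexdigest()


def verify_backup(root: Path, manifest_bytes: bytes, mac: str, key: bytes) -> dict:
    """Restore-drill check: is the restored set complete, unmodified and unencrypted?"""
    expected = hmac.new(key, manifest_bytes, "sha256").hexdigest()
    if not hmac.compare_digest(expected, mac):
        return {"manifest_ok": False, "passed": False}  # forged or corrupted manifest
    manifest = json.loads(manifest_bytes)
    report = {"manifest_ok": True, "missing": [], "modified": [], "likely_encrypted": []}
    for rel in sorted(manifest):
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() != manifest[rel]["sha256"]:
            report["modified"].append(rel)
            if shannon_entropy(data) > ENTROPY_THRESHOLD:
                report["likely_encrypted"].append(rel)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(present - set(manifest))  # e.g. ransom notes, .locked files
    report["passed"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report


def run_drill():
    """Constructed scenario: a clean restore, then the same set after an intruder with write
    access has encrypted one file, deleted another, and tried to regenerate the manifest."""
    key = secrets.token_bytes(32)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = {  # constructed backup contents
            "db/customers.sql": b"INSERT INTO customers VALUES (1, 'Acme Pty Ltd');\n" * 40,
            "config/app.ini": b"[database]\nhost=db01.internal\nport=5432\n",
            "docs/runbook.md": b"# Restore runbook\n1. Mount the immutable snapshot.\n" * 10,
        }
        for rel, data in sample.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest_bytes, mac = build_manifest(root, key)
        clean = verify_backup(root, manifest_bytes, mac, key)

        # The case immutable storage exists to prevent: repository writable by the intruder.
        (root / "db/customers.sql").write_bytes(os.urandom(4096))    # encrypted in place
        (root / "docs/runbook.md").unlink()                            # deleted
        (root / "docs/runbook.md.locked").write_bytes(os.urandom(1024))
        tampered = verify_backup(root, manifest_bytes, mac, key)

        # Intruder rebuilds the manifest to match, but without the real MAC key.
        forged_bytes, forged_mac = build_manifest(root, b"attacker-guess")
        forged = verify_backup(root, forged_bytes, forged_mac, key)
        return clean, tampered, forged


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered", "forged"), run_drill()):
        print(label, json.dumps(report))
```

A check like this is the floor, not the drill itself: it tells you the restored bytes are the ones you wrote, which is exactly the question an attacker who reached the repository has made uncertain. The full system rebuild still has to be exercised on top of it, and the manifest key has to be stored somewhere the backup service account and the domain administrators cannot reach, or the HMAC protects nothing.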
To Pay or Not to Pay
This remains the most contentious question in ransomware response. The official position of the Australian government is to not pay ransoms. The reasoning is sound: payments fund criminal enterprises, encourage further attacks, and don’t guarantee data recovery.
But the reality is messier. A healthcare provider whose disrupted systems put patient safety at risk faces a different calculus from a company with good backups and redundant systems. The decision is ultimately a business judgment informed by legal advice, insurance coverage, and operational reality.
What's clear is that the decision should be made before an attack occurs, not during one. Having a ransomware response plan that includes a pre-made decision framework, informed by legal counsel, senior leadership, and insurance providers, prevents panic-driven decisions during an active incident. The legal input matters more than it used to: since 30 May 2025 the Cyber Security Act 2024 requires businesses with annual turnover above $3 million to report any ransomware payment to the Department of Home Affairs within 72 hours, and a payment to a sanctioned individual or group can itself be an offence under Australian sanctions law.
Practical Steps
For most Australian businesses, the most impactful actions are unglamorous but effective. Implement the ACSC’s Essential Eight mitigation strategies. Maintain tested, immutable backups. Deploy EDR on all endpoints. Implement network segmentation to limit lateral movement. And most importantly, plan your response before you need it.
Ransomware is an arms race, and AI is accelerating both sides. The organisations that survive attacks intact are the ones that prepared for them — not the ones that assumed it wouldn’t happen to them.