This study examines the experiences of 331 Australian individuals and small to medium enterprise (SME) owners who were victims of ransomware. We used survey data to understand how they were targeted and the vulnerabilities that were exploited in private and work-related settings.
Most ransomware victims had received multiple ransom messages in the past 12 months. SME owners were more likely to have received multiple messages and to have previously paid a ransom. Strong messaging should dissuade SME owners from making these payments, which increase the chances of repeat victimisation.
SME owners reported impacts on many devices. Their affected devices were also more likely to have been work-issued devices or personal devices used for work. SME owners were also more likely than other victims to report that the ransomware had spread to other workplace devices, systems or email accounts. The results highlight both the human element in victimisation and the need for technological solutions to protect business owners from ransomware and its harmful effects.