Free tool
Ransomware payment reporting checker
The Cyber Security Act 2024 introduced a mandatory obligation to report ransomware and cyber-extortion payments. This tool checks whether your entity is caught by that obligation, calculates the 72-hour report-by deadline, sets out what the report must contain and where to lodge it, and flags the separate SOCI incident-reporting obligation.
No reporting obligation on the details provided.
Applicability is uncertain — resolve the "unsure" answers before relying on this result.
Why this determination
- Applicability is uncertain because turnover and/or SOCI responsibility were marked unsure. Confirm both before relying on an out-of-scope conclusion.
- Turnover threshold marked unsure — the threshold is AUD $3 million annual turnover for the entity (and, where relevant, related bodies). Confirm against your latest financials.
- No payment reporting obligation is triggered on the details provided. If circumstances change (turnover, SOCI responsibility, or a payment), re-run this check.
Before you pay
- Australian Government policy does not recommend paying a ransom. Paying does not guarantee your data is returned, decrypted, or not leaked, and it may fund further criminal activity.
- A payment may carry sanctions and anti-money-laundering exposure if the recipient is a sanctioned entity or jurisdiction — obtain legal advice before authorising any payment.
- Engage ASD and your legal advisers BEFORE making a payment. Reporting the payment afterwards is mandatory. Use-limitation protections apply to the report by design, limiting its self-incriminating effect for the reporting entity, but they do not shield you from separate sanctions/AML obligations.
Separate SOCI incident obligation
- This ransomware PAYMENT report is a distinct obligation from SOCI Act mandatory cyber-incident reporting to ASD.
- If you are responsible for a SOCI-regulated critical infrastructure asset, a significant cyber security incident must be reported to ASD within 12 hours, and any other relevant incident within 72 hours — independent of whether any payment was made.
- Meeting one obligation does not discharge the other. A single incident involving a critical infrastructure asset and a ransom payment can trigger both the SOCI incident report and this payment report.
Sources
Reference tool only — not legal advice. Ransom payments carry sanctions, anti-money-laundering and legal exposure; engage the Australian Signals Directorate and an Australian-admitted lawyer before authorising any payment and before lodging a report. Confirm your specific obligations against the Cyber Security Act 2024 and current Home Affairs guidance.
Frequently asked questions
- Who has to report a ransomware payment?
- A 'reporting business entity' — an entity carrying on business in Australia whose annual turnover exceeds AUD $3 million, or an entity responsible for a critical infrastructure asset regulated under the SOCI Act. Certain Commonwealth bodies are excluded. If a payment is made on your behalf (for example by an incident-response firm or insurer), the obligation still rests with the reporting entity.
- How long do I have to report the payment?
- 72 hours from when the ransomware payment is made, or from when the entity becomes aware that a payment was made on its behalf. Reports are lodged with the Department of Home Affairs / Australian Signals Directorate via cyber.gov.au. Non-reporting can attract civil penalties.
- Is this the same as SOCI cyber-incident reporting?
- No. The ransomware payment report is separate from SOCI Act mandatory cyber-incident reporting to ASD (a 12-hour window for significant incidents, 72 hours for other relevant incidents). A single incident affecting a critical infrastructure asset and involving a ransom payment can trigger both obligations independently.
- Should I pay the ransom?
- Australian Government policy does not recommend paying. Paying does not guarantee your data is returned or kept private, and a payment to a sanctioned entity or jurisdiction can carry sanctions and anti-money-laundering exposure. Engage ASD and your legal advisers before authorising any payment. Reporting the payment afterwards remains mandatory.