Rules Mate

Free tool

Ransomware payment reporting checker

The Cyber Security Act 2024 (Cth) introduced a mandatory obligation to report ransomware and cyber-extortion payments. This tool checks whether your entity is a "reporting business entity" under that Act, calculates the 72-hour report-by deadline, sets out what the report must contain and where to lodge it, and flags the separate (and independently triggered) SOCI Act cyber-incident reporting obligation.

Last verified: 1 July 2026
Applicability

Does the entity's annual turnover exceed AUD $3 million?

This is the turnover limb of the "reporting business entity" test under the Cyber Security Act 2024: an entity carrying on business in Australia whose annual turnover exceeds the threshold set in the rules (currently AUD $3 million).

Are you responsible for a SOCI-regulated critical infrastructure asset?

This is the second limb: an entity responsible for a critical infrastructure asset under the Security of Critical Infrastructure Act 2018 is a reporting business entity regardless of turnover.

The payment

Has a ransomware payment been made or authorised (by you, or by someone acting on your behalf such as an insurer or incident-response firm)?

Result: not applicable

No reporting obligation on the details provided.

Applicability is uncertain: resolve the "unsure" answers before relying on this result.

Why this determination

  • Applicability is uncertain because turnover and/or SOCI responsibility were marked unsure. Confirm both before relying on an out-of-scope conclusion: either limb alone makes you a reporting business entity.
  • Turnover threshold marked unsure. The threshold is AUD $3 million annual turnover for the entity (and, where relevant, related bodies). Confirm against your latest financials rather than an estimate.
  • No payment reporting obligation is triggered on the details provided. The obligation is only triggered by a payment (made or authorised, by you or on your behalf); if circumstances change (turnover, SOCI responsibility, or a payment), re-run this check.

Before you pay

  • Australian Government policy does not recommend paying a ransom. Paying does not guarantee your data is returned, decrypted, or not leaked, and it may fund further criminal activity.
  • A payment may carry sanctions and anti-money-laundering exposure if the recipient is a sanctioned entity or in a sanctioned jurisdiction. Obtain legal advice before authorising any payment.
  • Engage ASD and your legal advisers BEFORE making a payment, not after. Reporting the payment afterwards is mandatory. The Act's limited-use provisions restrict how the information in a ransomware payment report may be used against the reporting entity, but they do not shield you from separate sanctions or AML obligations.
  • Preserve the extortion demand, the payment details (amount, method, destination) and all communications with the extorting entity from the outset. The report must describe the incident, the demand and the payment, and the 72-hour clock starts at payment, not at discovery of the incident.

Separate SOCI incident obligation

  • This ransomware PAYMENT report is a distinct obligation from SOCI Act mandatory cyber-incident reporting to ASD.
  • If you are responsible for a SOCI-regulated critical infrastructure asset, a cyber security incident that has had a significant impact on the asset must be reported to ASD within 12 hours of becoming aware of it, and an incident with a relevant impact within 72 hours, independent of whether any payment was made.
  • Meeting one obligation does not discharge the other. A single incident involving a critical infrastructure asset and a ransom payment triggers both the SOCI incident report (clock running from awareness of the incident) and this payment report (clock running from the payment), and the two deadlines will usually fall on different days.

Sources

Reference tool only, not legal advice. Ransom payments carry sanctions, anti-money-laundering and legal exposure; engage the Australian Signals Directorate and an Australian-admitted lawyer before authorising any payment and before lodging a report. Confirm your specific obligations against the Cyber Security Act 2024, the Cyber Security (Ransomware Payment Reporting) Rules and current Home Affairs guidance.

Frequently asked questions

Who has to report a ransomware payment?
A 'reporting business entity': an entity carrying on business in Australia whose annual turnover exceeds AUD $3 million, or an entity responsible for a critical infrastructure asset regulated under the SOCI Act. Commonwealth and State bodies are excluded. If a payment is made on your behalf (for example by an incident-response firm or insurer), the obligation still rests with the reporting entity, and the entity's 72-hour window runs from when it becomes aware the payment was made.
How long do I have to report the payment?
72 hours from when the ransomware payment is made, or from when the entity becomes aware that a payment was made on its behalf. The clock runs from the payment, not from discovery of the incident, so a report lodged for the incident itself does not satisfy this obligation. Reports are lodged with the Department of Home Affairs / Australian Signals Directorate via cyber.gov.au. Failing to report within the window can attract civil penalties.
Is this the same as SOCI cyber-incident reporting?
No. The ransomware payment report is separate from SOCI Act mandatory cyber-incident reporting to ASD (12 hours from awareness for an incident with a significant impact on the asset, 72 hours for an incident with a relevant impact). A single incident affecting a critical infrastructure asset and involving a ransom payment triggers both obligations independently, each with its own deadline.
Should I pay the ransom?
Australian Government policy does not recommend paying. Paying does not guarantee your data is returned or kept private, and a payment to a sanctioned entity or jurisdiction can carry sanctions and anti-money-laundering exposure. Engage ASD and your legal advisers before authorising any payment. If a payment is made anyway, reporting it within 72 hours remains mandatory.
