Ransomware in 2025: What Has Changed and How to Protect Your Business

Ransomware continues to be the most financially devastating cyber threat facing Australian businesses, but the tactics have evolved significantly from the spray-and-pray approach of earlier years. Modern ransomware operations function like professional businesses, with dedicated teams for initial access, lateral movement, data exfiltration, and negotiation. Understanding how these operations work is essential for building effective defences.
Double extortion has become the standard playbook. Attackers not only encrypt your data but also steal it before deploying the ransomware, threatening to publish sensitive information on leak sites if the ransom is not paid. This means that even businesses with excellent backup strategies face the risk of data exposure. Some groups have added a third layer, contacting your customers or partners directly to pressure you into paying. The average ransom demand for Australian businesses has increased substantially, and the total cost of recovery — including downtime, legal fees, regulatory penalties, and reputational damage — often exceeds the ransom itself by a factor of five or more.
Initial access methods have shifted toward exploiting legitimate remote access tools and supply chain vulnerabilities. Attackers compromise managed service providers to gain access to multiple client networks simultaneously, target vulnerabilities in edge devices like VPN appliances and firewalls, and abuse legitimate remote monitoring tools that security products are configured to trust. Phishing remains a significant vector, but it is increasingly used to steal credentials for cloud services rather than to deliver malware directly.
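One practical control against the abuse of remote monitoring tools described above is to alert on any remote-access executable that is not on an approved list, or that runs from a location other than its approved install directory. The following is an added example, not code from the original article: it evaluates constructed process-start records (tab-separated timestamp, host, user, image path, parent image) against a hypothetical allowlist. The executable names are a short illustrative starting list; a real deployment would populate both the detection list and the allowlist from the organisation's own software inventory.

```python
"""Flag remote-monitoring / remote-access tool launches outside an approved allowlist.

Constructed example. Each record is tab-separated:
timestamp <TAB> host <TAB> user <TAB> image_path <TAB> parent_image
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Executable names of common remote-access tools (illustrative detection list,
# to be extended from the organisation's own inventory).
RMM_EXECUTABLES = {
    "anydesk.exe",
    "teamviewer.exe",
    "screenconnect.clientservice.exe",
    "ateraagent.exe",
    "rustdesk.exe",
}

# Hypothetical allowlist: executable name -> approved install directory prefix
# (compared case-insensitively). Only the tool the business actually uses is listed.
APPROVED_RMM = {
    "ateraagent.exe": "c:\\program files\\atera networks\\",
}


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    image: str
    reason: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate_process(record: str) -> Optional[Finding]:
    """Return a Finding for a suspicious remote-access launch, else None."""
    ts, host, user, image, _parent = record.rstrip("\n").split("\t")
    name = _basename(image)
    if name not in RMM_EXECUTABLES:
        return None                      # not a remote-access tool at all
    approved_dir = APPROVED_RMM.get(name)
    if approved_dir is None:
        return Finding(ts, host, user, image, "unapproved remote-access tool")
    if not image.lower().startswith(approved_dir):
        # Approved product, but launched from a user-writable or unexpected path.
        return Finding(ts, host, user, image, "approved tool running from unexpected path")
    return None


def scan(records: Iterable[str]) -> List[Finding]:
    return [f for f in (evaluate_process(r) for r in records) if f is not None]


# Constructed sample records (hosts, users and paths are invented).
_RAW = [
    ("2025-03-02T09:14:05Z", "FIN-PC-07", "jsmith",
     r"C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe",
     r"C:\Windows\System32\services.exe"),
    ("2025-03-02T09:16:41Z", "FIN-PC-07", "jsmith",
     r"C:\Users\jsmith\AppData\Local\Temp\AnyDesk.exe",
     r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ("2025-03-02T09:20:12Z", "HR-LT-03", "mlee",
     r"C:\Users\mlee\Downloads\AteraAgent.exe",
     r"C:\Users\mlee\AppData\Local\Temp\setup.exe"),
    ("2025-03-02T09:21:03Z", "FIN-PC-07", "jsmith",
     r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     r"C:\Windows\explorer.exe"),
]
SAMPLE_LOG = ["\t".join(r) for r in _RAW]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.timestamp} {finding.host} {finding.user}: "
              f"{finding.reason} ({finding.image})")
```

Feeding this the same records an EDR or Sysmon pipeline already collects turns "security products are configured to trust the tool" into "the tool is trusted only from one path, for one product"; anything else becomes a ticket rather than silently allowed traffic.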
Effective ransomware defence in 2025 requires a layered approach. Immutable backups stored offline or in write-once cloud storage are your last line of defence — test them regularly. Endpoint detection and response solutions that can identify and contain ransomware behaviour in real time are essential. Network segmentation limits the blast radius of a successful breach. Privileged access management prevents attackers from using stolen admin credentials to disable your security tools. And security awareness training helps employees recognise the social engineering tactics that often precede a ransomware deployment.
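The "identify and contain ransomware behaviour in real time" point above rests on a small number of signals that encryption leaves on the file system: a single process renaming many files to a new extension in a short window, while writing data whose byte distribution looks random. The following is an added example, not code from the original article or from any vendor's product: it applies those two signals to a constructed stream of file events, using invented process names, paths and thresholds. Compressed and already-encrypted files (zip, jpg, office documents) are legitimately high-entropy, which is why the example alerts only when both the rename burst and the high-entropy writes occur together for the same process.

```python
"""Toy ransomware-behaviour detector over a constructed file-event stream.

Two signals are combined per process within a sliding time window:
  1. many renames that change the file extension, and
  2. many writes of high-entropy (random-looking) data.
Thresholds and the event format are assumptions for this example.
"""
import math
import os
import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

WINDOW_SECONDS = 30.0          # sliding window per process
RENAME_THRESHOLD = 20          # extension-changing renames needed in the window
HIGH_ENTROPY_BITS = 7.0        # per-byte Shannon entropy; English text is ~4.5, random ~7.8
HIGH_ENTROPY_WRITES = 10       # high-entropy writes needed in the window


@dataclass
class FileEvent:
    ts: float            # seconds since start of the sample
    pid: int
    process: str
    op: str              # "write" or "rename"
    path: str
    new_path: str = ""   # rename only
    data: bytes = b""    # write only: the first bytes written (constructed)


@dataclass
class Alert:
    pid: int
    process: str
    ts: float
    renames: int
    high_entropy_writes: int


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension_changed(old: str, new: str) -> bool:
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect(events: List[FileEvent]) -> List[Alert]:
    """Return one Alert per process whose activity crosses both thresholds."""
    renames: Dict[int, List[float]] = defaultdict(list)
    hi_writes: Dict[int, List[float]] = defaultdict(list)
    names: Dict[int, str] = {}
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        names[ev.pid] = ev.process
        if ev.op == "rename" and extension_changed(ev.path, ev.new_path):
            renames[ev.pid].append(ev.ts)
        elif ev.op == "write" and shannon_entropy(ev.data) >= HIGH_ENTROPY_BITS:
            hi_writes[ev.pid].append(ev.ts)
        # Drop observations that have aged out of the window for this process.
        cutoff = ev.ts - WINDOW_SECONDS
        renames[ev.pid] = [t for t in renames[ev.pid] if t >= cutoff]
        hi_writes[ev.pid] = [t for t in hi_writes[ev.pid] if t >= cutoff]
        if (ev.pid not in alerted
                and len(renames[ev.pid]) >= RENAME_THRESHOLD
                and len(hi_writes[ev.pid]) >= HIGH_ENTROPY_WRITES):
            alerted.add(ev.pid)
            alerts.append(Alert(ev.pid, names[ev.pid], ev.ts,
                                len(renames[ev.pid]), len(hi_writes[ev.pid])))
    return alerts


def build_sample_events() -> List[FileEvent]:
    """Constructed sample: one benign document save, one process encrypting 40 files."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext bytes
    text = b"Quarterly sales figures for the Melbourne office, prepared for the board. " * 4
    events = [
        FileEvent(0.0, 4120, "WINWORD.EXE", "write",
                  r"C:\Users\jsmith\Documents\~WRD0001.tmp", data=text),
        FileEvent(0.5, 4120, "WINWORD.EXE", "rename",
                  r"C:\Users\jsmith\Documents\~WRD0001.tmp",
                  r"C:\Users\jsmith\Documents\budget.docx"),
    ]
    for i in range(40):  # hypothetical encryptor: overwrite, then rename to .locked
        t = 5.0 + i * 0.4
        path = rf"\\FS01\finance\report_{i:03d}.xlsx"
        blob = bytes(rng.randrange(256) for _ in range(1024))
        events.append(FileEvent(t, 9911, "svchost_update.exe", "write", path, data=blob))
        events.append(FileEvent(t + 0.1, 9911, "svchost_update.exe", "rename",
                                path, path + ".locked"))
    return events


if __name__ == "__main__":
    for a in detect(build_sample_events()):
        print(f"t={a.ts:.1f}s pid={a.pid} {a.process}: "
              f"{a.renames} extension renames, {a.high_entropy_writes} high-entropy writes")
```

In a real endpoint agent the same logic runs on kernel file-system telemetry and the response step is to suspend the offending process and isolate the host; the value of the example is showing why neither signal alone is enough, and why the alert fires well before the 40th file rather than after the share is fully encrypted.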