Australian firms urged to rethink ransomware defences
Tue, 12th May 2026
Cohesity and KnowBe4 are urging Australian organisations to rethink their ransomware defences as Anti-Ransomware Awareness Day highlights rising attack rates and recovery failures.
Australian enterprises face greater ransomware exposure than many overseas peers. New research from data security firm Cohesity found that 85% of large businesses in Australia suffered a materially impactful cyberattack in the past year, compared with 54% globally.
Cohesity ANZ Managing Director James Eagleton said many organisations still treat ransomware as a hypothetical risk, despite the frequency and severity of attacks in the local market.
"As organisations increasingly depend on secure and accessible data to operate reliably and effectively, Anti-Ransomware Awareness Day (12 May) provides a moment for businesses to re-evaluate how they defend against evolving ransomware threats. With Cohesity's latest Global Cyber Resilience Report revealing that 85% of Australian large businesses have experienced a materially impactful cyberattack in the last year, malicious threats are no longer a potential risk but a growing reality that businesses need to plan for - shifting focus from prevention to resilience. However, strengthening cyber resilience doesn't have to be complex."
He said many organisations still see backup systems only as passive recovery tools, leaving untapped value in data already held outside live production environments.
"One of the simplest ways a business can strengthen its defence against evolving ransomware attacks is by treating backups as an active security asset, rather than merely as a restore mechanism. As the volume of data organisations hold continues to grow, so too does the opportunity for cybercriminals, who increasingly exploit blind spots to move undetected across systems. Because backup data is isolated from live environments, attackers are typically less able to tamper with it, making backups a trusted source for identifying suspicious activity, tracking attackers' dwell time, and validating that a data set is clean before initiating recovery. With Australian businesses targeted more than the global average (85% versus 54% globally), how backups are used can be an effective first step in better protecting organisations against ransomware threats," Eagleton said.
He also highlighted the growing trend of attackers targeting backup data itself. Ransomware groups increasingly try to delete or corrupt backup stores, which can leave organisations with no reliable path to restoration.
"Another way businesses can better protect themselves is by implementing immutable backups into their operations. Today, ransomware has evolved beyond traditional extortion, with attackers deliberately targeting backup data to undermine recovery efforts and increase pressure to pay. By corrupting or deleting backups, cybercriminals remove a critical safety net, leaving organisations unable to restore systems quickly or confidently. Immutable backups address this risk by ensuring data cannot be altered, encrypted, or deleted, even by attackers with elevated access, ultimately providing organisations with a trusted last line of defence when systems become compromised," Eagleton said.
Eagleton said Australian enterprises are not only more likely to be hit, but also more likely to be hit repeatedly. He linked this pattern to longer attacker dwell times and a greater risk of backup compromise.
"An organisation's cyber resilience strategy should also focus on minimising an attacker's dwell time on its systems through AI-powered data security monitoring and early detection capabilities. Cohesity found that Australian businesses are being hit not only more frequently, but also repeatedly, with two in five organisations suffering multiple incidents. This repetition gives attackers more time to move laterally, breach backups, and maximise disruption. By employing AI-powered monitoring tools that continuously analyse data for anomalies, such as unusual encryption patterns or sudden spikes, businesses can identify ransomware activity early, contain its spread, and alert response teams before damage escalates," Eagleton said.
Despite written policies against paying, many organisations still transfer funds to attackers. Cohesity's research indicates that most Australian large enterprises paid at least one ransom in the past year.
"Finally, regular recovery testing under realistic simulation scenarios is essential to ensuring organisations can withstand ransomware without resorting to ransom payments. Despite having policies in place, Cohesity's research found that 96% of Australian large businesses paid ransom in the last year, as opposed to 82% globally, with many blaming untested, slow, or unreliable recovery processes. By conducting frequent recovery drills using clean, isolated environments, businesses can validate backup integrity, confirm data hygiene, and rehearse restoring systems quickly," Eagleton said.
Awareness efforts around Anti-Ransomware Awareness Day have also emphasised a defence-in-depth approach. Security training firm KnowBe4 said organisations should assume that at least some perimeter controls will fail during an incident.
"Defence-in-depth means assuming a breach will happen, so a backup is only a lifeline if it survives the same attack that encrypted your production data. A good course of action is to deploy immutable, off-site backups and strictly segment your networks to block lateral movement. The ultimate goal is to ensure your business can recover at speed, turning a potential catastrophe into a manageable disruption," said Kawin Boonyapredee, CISO advisor at KnowBe4.
Boonyapredee said attackers are now using artificial intelligence widely, shifting the balance between manual defences and automated attacks.
"As attackers use artificial intelligence to scale phishing and automate reconnaissance, traditional defences are no longer enough. Organisations must fight automation with governed automation by implementing AI-aware controls. They should also require human-in-the-loop approvals for sensitive actions. The goal is to neutralise AI-assisted threats by monitoring behaviour and training staff to spot the growing use of deepfakes," Boonyapredee said.