
Ransomware in Australia: How the Essential Eight Protects Your Business

Ransomware is the number one cyber threat facing Australian businesses. Here's how it works and exactly how each Essential Eight strategy helps stop it.

Cas · 2 February 2026 · 10 min read

Ransomware is not a theoretical risk. It is the most common and most destructive cyber threat facing Australian organisations right now. The Australian Signals Directorate calls it the most destructive cybercrime threat, and the data backs that up.

But here's what most people don't realise: the Essential Eight was designed with exactly this threat in mind. Every single strategy in the framework directly reduces your exposure to ransomware. Let's break down how.

How Ransomware Actually Works

Ransomware follows a predictable pattern. Understanding the steps helps you see exactly where each defence kicks in.

  • Step 1: Initial access. The attacker gets into your network, usually through a phishing email, a compromised password, or an unpatched vulnerability.
  • Step 2: Reconnaissance. They explore your systems, looking for valuable data and backup locations.
  • Step 3: Privilege escalation. They gain admin access to do maximum damage.
  • Step 4: Lateral movement. They spread to other systems and devices on your network.
  • Step 5: Exfiltration. They copy sensitive data to use as leverage (double extortion).
  • Step 6: Encryption. They encrypt your files and systems, then demand payment for the decryption key.

The Essential Eight places barriers at every single step in this chain. Miss enough of them, and the attacker walks right through. Implement them, and the attack stalls before it causes damage.

Strategy by Strategy: How Each One Stops Ransomware

1. Application Control

Blocks at Step 1. Ransomware is software. If only approved applications can run on your systems, the ransomware executable simply won't launch. This is one of the most effective defences available, and it's built into Windows.

2. Patch Applications

Blocks at Step 1. Many ransomware attacks exploit known vulnerabilities in outdated software. If your applications are patched and current, these attack vectors are closed. The key word is "known": these aren't sophisticated zero-day exploits. They're attacks against holes that already have fixes available.

3. Microsoft Office Macros

Blocks at Step 1. Malicious macros in Word and Excel documents are one of the most common ransomware delivery methods. Allowing only trusted, digitally signed macros to run stops this vector cold.

4. User Application Hardening

Blocks at Step 1. Disabling risky features in web browsers and other applications (like unnecessary extensions, JavaScript in PDFs, and untrusted ads) removes common entry points. Many drive-by download attacks rely on these features being enabled by default.

5. Restrict Administrative Privileges

Blocks at Steps 3 and 4. Even if an attacker gets in, limited privileges mean they can't install software, change system settings, or spread to other machines. This is the difference between losing one workstation and losing your entire network.

6. Patch Operating Systems

Blocks at Steps 1 and 4. Like application patching, but for Windows, macOS, and Linux themselves. OS vulnerabilities are prime targets for lateral movement, where attackers jump from one compromised machine to the next.

7. Multi-Factor Authentication

Blocks at Steps 1 and 3. Even if an attacker steals a password through phishing, MFA stops them from logging in. This single control prevents the majority of account takeover attacks. It's free with most providers and takes minutes to enable.

8. Regular Backups

Recovers from Step 6. If ransomware does encrypt your data, current and tested backups mean you can restore everything without paying the ransom. The critical requirements: backups must be stored separately from your main network, and you must test restores regularly.

Paying the ransom does not guarantee you get your data back. The ACSC strongly advises against paying. There is no guarantee that paying a ransom will result in the return of data, and it may encourage further criminal activity. ASD recommends organisations focus on prevention, tested backups, and incident response planning rather than relying on the possibility of recovery after payment.
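The restore-testing requirement above, as an added shell example (not code from the article or from any Essential Eight tooling): it backs up a directory, restores the archive into a scratch location and compares a hash of every restored file with the live source, so the check fails when a backup has gone stale or will not extract. The file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the article: a minimal "test your restore"
# harness. It backs up a directory to a tar archive, restores the archive into
# a scratch directory and compares a SHA-256 hash of every restored file with
# the live source, so "we have backups" becomes a scheduled pass/fail check.

# Portable SHA-256 (Linux ships sha256sum; macOS has shasum -a 256).
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# Sorted "<hash>  <relative path>" manifest of every file under directory $1.
manifest() { ( cd "$1" && find . -type f -exec sha256sum {} + | sort ); }

# Back up directory $1 into archive $2 (the restore test is archive-agnostic).
backup() { tar -C "$1" -cf "$2" .; }

# Restore archive $1 into a fresh scratch dir and compare it with live source $2.
# Returns 0 only if every file restores with a matching hash; 1 on drift,
# corruption or extraction failure, so a scheduler or monitor can act on it.
verify_restore() {
  scratch=$(mktemp -d) || return 1
  rc=1
  if tar -C "$scratch" -xf "$1" 2>/dev/null &&
     [ "$(manifest "$scratch")" = "$(manifest "$2")" ]; then rc=0; fi
  rm -rf "$scratch"
  return $rc
}

# Two scenarios on constructed demo files (not real business data). Returns 0
# when a fresh backup passes the restore test and a stale one is reported.
demo_scenarios() {
  demo=$(mktemp -d) || return 1
  mkdir -p "$demo/src/finance"
  printf 'invoice 1001\n' > "$demo/src/finance/inv-1001.txt"
  printf 'acme,contact\n' > "$demo/src/clients.csv"
  backup "$demo/src" "$demo/nightly.tar"

  # 1: a restore test straight after the backup must pass.
  if verify_restore "$demo/nightly.tar" "$demo/src"; then fresh=0; else fresh=1; fi
  echo "fresh backup restore test: rc=$fresh (expect 0)"

  # 2: live data changes but no new backup is taken: the test must now fail,
  #    which is the signal you want long before an incident forces a restore.
  printf 'invoice 1002\n' >> "$demo/src/finance/inv-1001.txt"
  if verify_restore "$demo/nightly.tar" "$demo/src"; then stale=0; else stale=1; fi
  echo "stale backup restore test: rc=$stale (expect 1)"
  rm -rf "$demo"
  [ "$fresh" -eq 0 ] && [ "$stale" -eq 1 ]
}
demo_scenarios
```

Run it from cron against your real backup archive and source share, and alert on a non-zero exit; a backup that has never been restored this way is an assumption, not a control.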

The Australian Ransomware Landscape

Australia is a high-value target. We have a strong economy, high digital adoption, and many small businesses that lack basic cyber defences. According to the ASD Annual Cyber Threat Report 2024-2025, the ACSC responded to 138 ransomware incidents in FY2024-25, with 11% of all incidents involving ransomware. Over 84,000 cybercrime reports were received, averaging one every six minutes.

Industries most targeted in Australia include healthcare (ransomware incidents against the healthcare sector doubled year-on-year in FY2024-25), financial and insurance services (the most frequently reporting sector), professional services (law firms, accountants with sensitive client data), and construction and trades (businesses that can't afford downtime).

The trend is accelerating. Ransomware-as-a-Service (RaaS) platforms have lowered the barrier for attackers. Criminal groups sell ready-made ransomware kits, complete with customer support, to anyone willing to pay. The attacks are getting more frequent, more targeted, and more damaging.

What Makes Small Businesses Vulnerable

  • No dedicated IT security staff or budget.
  • Assumption that they're too small to be targeted (they're not).
  • Reliance on consumer-grade tools without enterprise security features.
  • Passwords reused across multiple services.
  • MFA not enabled on email and cloud accounts.
  • Backups that exist but have never been tested.
  • Software that hasn't been updated in months or years.

Attackers don't target small businesses individually. They scan the internet for vulnerable systems and exploit whatever they find. If your systems have unpatched vulnerabilities or weak credentials, you'll be found. It's automated, indiscriminate, and relentless.

What to Do Today

You don't need to solve everything at once. Start with the controls that block the most common ransomware attack vectors:

  • Enable MFA on every account that supports it. Start with email.
  • Turn on automatic updates for your operating system and applications.
  • Verify your backups are running daily and test a restore.
  • Review who has admin access and remove it from anyone who doesn't need it.
  • Run a free self-assessment to see exactly where your gaps are.

These five actions, all free or nearly free, will dramatically reduce your ransomware risk. The Essential Eight isn't about perfection. It's about making your business a harder target than the next one.

Get Started

Ready to see where you stand?

Take 5 minutes to run a free Essential Eight Quick Check. No account required. Your data never leaves your browser.
