On a Thursday night in March 2024, the IT systems of a 60-person accounting firm in Parramatta went dark. Ransomware had been quietly spreading through the network for nearly three weeks — seeded by a phishing email that had bypassed the firm's basic email filter, harvesting credentials and mapping file shares before the attackers triggered the encryption payload. When staff arrived Friday morning, every server, every workstation, every backup drive connected to the network was locked. The demand was AU$280,000 in Bitcoin.

The firm's managing partner, who asked not to be named for obvious reasons, described the following 72 hours as the most harrowing of his professional life. "We couldn't file tax returns. We couldn't access client files. We had no idea what data had been taken. We were ringing clients trying to explain why we'd missed deadlines, without being able to tell them what had actually happened."

The firm paid. The decryption keys worked — mostly. Some files were corrupted. The full recovery took four months. The total cost, including the ransom, IT forensics, remediation, client notifications under the Notifiable Data Breaches scheme, and lost revenue, exceeded $600,000. The firm survived, but its profit for the year was essentially eliminated.

The Current Threat Landscape

That story is not unusual. The Australian Cyber Security Centre's 2024 annual cyber threat report recorded ransomware as the most destructive cybercrime category for the third consecutive year, with reports increasing 21 percent on the prior year. The attackers are not random. They research targets, they study financial filings and LinkedIn profiles to estimate what a business can afford, and they calibrate demands accordingly.

The shift to "double extortion" has made the calculus grimmer. Attackers now routinely exfiltrate data before deploying ransomware — uploading gigabytes of files to their infrastructure before triggering the encryption. When the ransom demand arrives, it carries a second threat: pay, or the stolen data gets published on dark web leak sites. For businesses handling client financial records, health information, or commercially sensitive material, the reputational and legal consequences of a data leak can exceed even the recovery costs. Paying buys only a promise to delete the data, and that promise cannot be verified; a business that pays should still treat the information as exposed and notify accordingly.

Supply chain attacks add another dimension. In 2023, a zero-day vulnerability in Progress Software's MOVEit Transfer managed file transfer product (CVE-2023-34362) was exploited by the Cl0p ransomware group to breach hundreds of organisations globally, including several Australian government suppliers. Many of the affected organisations had no unpatched system and no misconfiguration to point to: the flaw was unknown when it was exploited, and their exposure came through trusted software they used legitimately, or through a vendor that used it on their behalf. The practical lesson is to keep an inventory of the third-party software and service providers that handle sensitive data, so that when a vendor advisory lands, the question "are we affected?" can be answered in hours rather than weeks.

What Actually Works

Ransomware prevention is not a single product. It is a layered posture across email, endpoints, network architecture, identity management, and backup strategy.

Email security is where most attacks originate, and where well-configured defences block the majority. Advanced email filtering with sandboxed attachment analysis and URL rewriting — products like Microsoft Defender for Office 365 or Proofpoint — catch the bulk of phishing attempts that basic spam filters miss. Because phishing so often ends in credential harvesting, as it did in Parramatta, multi-factor authentication on email, VPN and remote access blunts the value of a stolen password; phishing-resistant methods such as FIDO2 security keys or passkeys also defeat the proxy-style phishing kits that relay one-time codes in real time. More importantly, training employees to recognise and report suspicious emails converts the workforce from a vulnerability into a detection layer.

Endpoint detection and response (EDR) platforms — CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint are the major players — go well beyond traditional antivirus. They monitor process behaviour, flag anomalous activity like mass file encryption or unusual network connections, and can isolate a compromised endpoint automatically before ransomware spreads laterally. In several documented cases, EDR platforms have stopped active ransomware deployments mid-execution. Attackers know this, and a common step before deployment is to try to uninstall, disable or blind the EDR agent, so tamper protection and an alert when an agent stops reporting are part of the deployment, not optional extras.

Network segmentation limits the blast radius. An organisation where every system can communicate freely with every other gives ransomware the run of the house. Proper segmentation — separating production environments from backups, restricting lateral movement between departments — means a compromise in one area stays contained. Backup servers and management interfaces in particular should be reachable only from a small set of administrative hosts, not from every workstation that can open a phishing email.

The Backup Question

The Parramatta accounting firm had backups. They were connected to the network. The ransomware found them.

Effective backup strategy for ransomware specifically requires isolation: at least one copy of critical data that cannot be reached by a compromised host. Air-gapped backups — physically disconnected storage — provide this. Cloud backups with immutable storage, where backup data cannot be modified or deleted for a defined retention period, provide it at lower operational cost. Immutability is only as strong as the controls on the account that sets the retention period: if the same compromised domain administrator can log in to the backup console and shorten retention to zero, nothing is immutable. Use a retention mode that even the backup platform's own administrators cannot override, keep backup administration on separate credentials with their own MFA, and set the retention period longer than a typical attacker dwell time (the Parramatta intrusion ran for nearly three weeks before encryption). The 3-2-1 rule (three copies, two different media, one offsite) is a minimum, not a ceiling.

Equally important is testing. Many organisations discover their backups are corrupt or incomplete only when they need them. Regular, documented recovery tests — actually restoring systems and verifying data integrity against a record made at backup time — are not optional housekeeping. They are the proof that the insurance policy is valid, and they are the only honest way to learn how long a full restore takes.
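"Verifying data integrity" after a restore means more than seeing files appear on disk; the Parramatta firm's experience of decrypted-but-corrupted files is exactly what a byte-level check catches. The following is an added example, not code from the article or from any backup product: it records a SHA-256 manifest of a source tree at backup time and, after a restore, reports files that are missing, corrupted or unexpected. The scenario it runs is constructed in a temporary directory; paths and file contents are assumptions for illustration.

```python
"""Restore verification: hash manifest at backup time, checked after restore.

Added example, not from the article or any backup product. The directory
layout and file contents below are constructed for the demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map relative POSIX path -> {size, sha256} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large files
                    h.update(chunk)
            manifest[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size, "sha256": h.hexdigest()}
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest recorded at backup time."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupted = sorted(p for p in manifest
                       if p in actual and actual[p]["sha256"] != manifest[p]["sha256"])
    return {"ok": not (missing or corrupted),
            "missing": missing, "corrupted": corrupted, "extra": extra}


def simulate_recovery_test():
    """Constructed scenario: back up a tree, restore it twice (once cleanly,
    once with one file corrupted and one dropped) and report both results."""
    sample = {  # constructed client data, not real records
        "clients/acme/ledger.xlsx": b"ledger-row\n" * 2000,
        "clients/bright/notes.txt": b"meeting notes\n" * 50,
        "clients/cobalt/bas.pdf": b"%PDF-1.4 constructed\n" * 300,
    }
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        for rel, content in sample.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)

        # Backup time: copy the tree and store the manifest with the copy.
        # In practice the manifest lives on the immutable copy, not on the source host.
        manifest = build_manifest(src)
        backup = Path(tmp, "backup")
        shutil.copytree(src, backup)
        manifest_path = Path(tmp, "manifest.json")
        manifest_path.write_text(json.dumps(manifest, indent=1))

        # Recovery test: restore into a fresh location and verify against the manifest.
        loaded = json.loads(manifest_path.read_text())
        clean = verify_restore(loaded, backup)

        restored = Path(tmp, "restored")
        shutil.copytree(backup, restored)
        (restored / "clients/acme/ledger.xlsx").write_bytes(b"\x00" * 10)  # simulated corruption
        (restored / "clients/bright/notes.txt").unlink()                    # simulated missing file
        damaged = verify_restore(loaded, restored)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = simulate_recovery_test()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

Two practical notes: hash the manifest file itself and record that digest somewhere the backup job cannot write (a ticket, a printed runbook page), so a tampered manifest cannot vouch for tampered data; and run the check against the restored system, not the backup media, because the restore procedure is what fails on the worst day of the year.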

"We now test a full server recovery every quarter," says IT manager Priya Sharma at a Melbourne logistics company that overhauled its backup strategy after a near-miss in 2023. "It takes half a day and it's mildly annoying. The alternative is finding out your backups don't work on the worst day of the year."

The businesses that recover from ransomware without paying — and without catastrophic disruption — are not the ones that got lucky. They are the ones that made specific, boring, unglamorous investments in preparation. The threat is real, the attackers are professional, and the gap between prepared and unprepared organisations grows wider every year.