Ransomware Poker: Australia Would Be the Easy Money at the Table
96% of breached Australian businesses paid a ransom in the past year, the highest rate globally and far above the international average. The Australian Signals Directorate (ASD) says do not pay. Almost everyone pays anyway.
Attackers know it. They behave accordingly.
Ask a professional poker player what they would do facing a big decision on the river (the final card) with a weak hand. Most will say the same thing: “I would have played differently from the start and never ended up in that situation.”
The best players avoid the ugly spots altogether. Ransomware is the same.
By the time a board is debating a seven-figure payment, the important decisions were made or avoided months or years earlier.
Australia keeps walking into bad spots
Research from Cohesity found that 96% of breached Australian organisations paid the ransom last year. At the same time, the Australian Signals Directorate is clear: do not pay.
On paper, we say no. In practice, we are one of the most reliable yes markets in the world.
From an attacker’s perspective, Australia looks ideal: high wealth, high digital dependence and a long history of paying quickly. Many large enterprises have suffered materially impactful incidents, and many have been hit more than once.
If you run a criminal operation, that is not noise. It is your target list.
Ransomware is an economy, not a one-off heist
Ransomware has matured into an industry.
Ransomware as a Service (RaaS) toolkits. Affiliate structures. Dashboards and victim-facing “customer support”. Double and triple extortion (data theft and leak threats layered on top of encryption, then pressure on customers, partners or regulators) to maximise yield.
Global cybercrime costs are measured in trillions. Ransomware behaves like an economy, not a chaotic smash and grab.
And every time an Australian organisation pays, it injects capital into that economy. Attackers reinvest in better tooling, better social engineering and better data on who pays. A country that pays 96% of the time is not just a victim. It is a growth market.
Guidance versus boardroom reality
Government guidance not to pay is based on painful lessons.
Paying does not guarantee clean data recovery; decryptors are often slow, partial or buggy. It does not prevent stolen data being leaked or sold. It does not prevent repeat targeting.
Inside the boardroom, the calculation is different. Revenue is bleeding away. Legal and regulatory pressure is rising. Leaders weigh a one-off payment against prolonged downtime, reputational damage and staff burnout.
That is how you end up with almost every impacted business paying, despite official advice. We say we will not fund criminals. Our behaviour funds their business model.
Attackers study that behaviour more carefully than most boards do.
Reporting without real visibility
From 30 May 2025, under the Cyber Security Act 2024, Australian businesses above a turnover threshold (annual turnover over AU$3 million) must report any ransomware payment within 72 hours. It is a genuine step forward and acknowledges ransomware as an economic problem, not just an IT incident.
Security vendors, managed service providers, insurers, legal firms and researchers all play roles in defending against ransomware, but they cannot direct resources effectively if they cannot see the full shape of the problem: who is being hit, what was demanded, what was paid and which weaknesses were exploited.
We are now collecting the right data. We are still learning how to feed it back into defence and use it to shift behaviour.
Where Cyber Risk Quantification fits
If you want better decisions under pressure, you cannot start thinking on the river. You have to understand the hand from the start.
Telling organisations “do not pay” is not enough. You need to show them, with numbers, what is at stake and how it changes when they invest in resilience.
This is where cyber risk quantification matters, including what Trend Micro provides through Vision One. Cyber Risk Quantification turns technical signals (exposed assets, unpatched vulnerabilities, weak identity controls, untested backups) into business metrics: estimated financial loss, the likelihood of a scenario occurring and the exposure of critical assets.
It lets leaders see:
- which scenarios are most likely to cost real money
- how much potential loss sits behind a specific control gap
- which investments reduce overall risk the fastest
Instead of vague conversations about posture, boards see expected loss decreasing as they strengthen backup, segmentation, identity controls and recovery.
At that point, paying a ransom to end one incident becomes far less rational. The same budget, spent earlier, would have reduced expected loss and made the organisation a less attractive target in the first place.
Quantification does not remove risk. It makes cyber risk manageable and comparable with other major financial risks.
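As an added illustration, the toy model below does the arithmetic this section describes: annualised expected loss per scenario as likelihood times loss, how much of that loss each control removes, and a greedy ranking of controls by expected loss avoided per dollar within a fixed budget. This is example code written for this page; it is not Trend Micro’s or Vision One’s model, and every scenario, control, probability and dollar figure in it is constructed for the example rather than taken from real incident data.

```python
"""Toy cyber risk quantification: expected annual loss per scenario and
which controls reduce it fastest per dollar.

Added illustration only. Not Trend Micro's or Vision One's model; all
likelihoods, loss figures and control effects are constructed examples.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_likelihood: float  # probability the scenario occurs at least once per year
    loss_if_occurs: float     # single-event loss estimate in dollars

    def expected_loss(self) -> float:
        """Annualised expected loss: likelihood times impact."""
        return self.annual_likelihood * self.loss_if_occurs


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    # Multiplicative factors keyed by scenario name; absent (or 1.0) means no effect.
    likelihood_factor: Dict[str, float]
    impact_factor: Dict[str, float]


def apply_control(scenarios: List[Scenario], control: Control) -> List[Scenario]:
    """Return the scenarios with the control's reductions applied."""
    return [
        replace(
            s,
            annual_likelihood=s.annual_likelihood * control.likelihood_factor.get(s.name, 1.0),
            loss_if_occurs=s.loss_if_occurs * control.impact_factor.get(s.name, 1.0),
        )
        for s in scenarios
    ]


def total_expected_loss(scenarios: List[Scenario]) -> float:
    return sum(s.expected_loss() for s in scenarios)


def rank_controls(scenarios: List[Scenario], controls: List[Control]) -> List[Tuple[str, float, float]]:
    """(control name, expected loss avoided per year, avoided per dollar), best ratio first."""
    baseline = total_expected_loss(scenarios)
    rows = []
    for c in controls:
        avoided = baseline - total_expected_loss(apply_control(scenarios, c))
        rows.append((c.name, avoided, avoided / c.cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def plan_within_budget(scenarios: List[Scenario], controls: List[Control], budget: float) -> Tuple[List[str], float]:
    """Greedy plan: repeatedly buy the affordable control with the best
    avoided-loss-per-dollar against the *current* (already reduced) scenarios.
    Re-ranking each round matters because controls overlap: the second control
    bought removes less than it would have on its own."""
    current = list(scenarios)
    remaining = list(controls)
    chosen: List[str] = []
    while True:
        affordable = [c for c in remaining if c.cost <= budget]
        if not affordable:
            break
        best_name, avoided, _ = rank_controls(current, affordable)[0]
        if avoided <= 0:
            break  # nothing affordable still reduces loss
        control = next(c for c in affordable if c.name == best_name)
        current = apply_control(current, control)
        budget -= control.cost
        remaining.remove(control)
        chosen.append(control.name)
    return chosen, total_expected_loss(current)


# Constructed sample portfolio: illustrative numbers, not benchmarks.
SCENARIOS = [
    Scenario("ransomware encryption outage", annual_likelihood=0.20, loss_if_occurs=4_000_000),
    Scenario("data theft extortion", annual_likelihood=0.15, loss_if_occurs=2_500_000),
    Scenario("business email compromise", annual_likelihood=0.30, loss_if_occurs=300_000),
]

CONTROLS = [
    # Clean restore point: shorter outage, no dependence on a decryptor.
    Control("immutable tested backups", cost=250_000,
            likelihood_factor={}, impact_factor={"ransomware encryption outage": 0.25}),
    # Fewer successful credential-based intrusions across every scenario.
    Control("phishing-resistant MFA", cost=150_000,
            likelihood_factor={"ransomware encryption outage": 0.6,
                               "data theft extortion": 0.6,
                               "business email compromise": 0.3},
            impact_factor={}),
    # Smaller blast radius once an attacker is inside.
    Control("network segmentation", cost=400_000,
            likelihood_factor={}, impact_factor={"ransomware encryption outage": 0.5,
                                                 "data theft extortion": 0.7}),
]

if __name__ == "__main__":
    print(f"baseline expected annual loss: ${total_expected_loss(SCENARIOS):,.0f}")
    for name, avoided, per_dollar in rank_controls(SCENARIOS, CONTROLS):
        print(f"{name:26s} avoids ${avoided:>9,.0f}/yr  ({per_dollar:.2f} per $ spent)")
    chosen, final = plan_within_budget(SCENARIOS, CONTROLS, budget=400_000)
    print(f"with $400k spent on {chosen}: expected annual loss ${final:,.0f}")
```

With the constructed inputs the baseline expected annual loss is $1,265,000; MFA ranks first on avoided loss per dollar, and a $400k budget spent greedily (MFA, then backups) brings expected annual loss down to $372,000. The point of the exercise is the comparison, not the absolute numbers: once the same spreadsheet can price a ransom payment against those avoided losses, the payment is no longer the obviously cheaper option.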
The real heroes are the ones who never face the all in
Qantas refused to pay and accepted the consequences. Checkout.com refused, apologised publicly and donated the ransom amount to cybercrime research.
That takes preparation and conviction.
But in poker terms, those are still brutal river decisions. The stakes are high and every option hurts.
The real heroes are the organisations that never sit in that seat. The ones that:
- invest early in security and recovery
- quantify and manage their risk
- fix the weak spots before an extortion crew finds them
They do not appear in breach headlines. They do not receive praise. That is the point.
Australia will stop looking like a ransomware ATM when three things line up:
- resilience strong enough that paying feels like the worst option
- transparency high enough that attackers cannot rely on silence
- cyber risk measured with real numbers, not wishful thinking
In poker, the best players win by avoiding the worst spots, not by guessing correctly under maximum pressure. Ransomware is no different. The best ransom negotiation is the one you never have to sit in.
References:
https://www.theregister.com/2025/11/13/ransomed_cto_refuses_extortion_demand/
https://www.theregister.com/2025/11/11/ransomware_surge_fuels_230_increase/
Working through something similar?
I help small firms put AI to work on real workflows. If this piece is close to a problem you have, get in touch.