A dramatic rise in ransomware, DDoS attacks and credential theft are highlighted in the Australian Cyber Security Centre (ASD's ACSC) Annual Cyber Threat Report 2024-25 as organisations face mandate to implement event logging and replace legacy systems

Large Australian businesses face cybercrime costs averaging $A202,700 per incident, marking a 219% increase from the previous year, according to the report.

The ACSC responded to over 1,200 cyber security incidents during FY2024-25, an 11% increase from last year. Overall business cybercrime costs rose 50%, with medium businesses experiencing a 55% increase to $A97,200 per incident.

Critical infrastructure organisations faced heightened targeting, with incidents rising from 11% to 13% of all reported cases. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks surged more than 280%, with ASD's ACSC responding to over 200 such incidents.

"Businesses and organisations must operate with a mindset of 'assume compromise' and consider which assets or 'crown jewels' need the most protection," the report states.

Four Critical Actions for Organisations

ASD's ACSC identified four key priorities for organisations to improve cyber security: implementing best-practice event logging, replacing legacy technology, choosing secure-by-design products and adopting post-quantum cryptography.

The event logging requirement addresses a significant defensive gap. "Malicious cyber actors thrive when target organisations lack an established baseline or logging policy that support effective detection and response," the report warns.

Legacy IT systems present particular vulnerability, with the report noting such systems "increase the likelihood of a cyber security incident" and can make any incident "much more impactful."

Ransomware remained the most disruptive cybercrime threat, appearing in 11% of all incidents and 34% of Category 3 or higher incidents involving government, large organisations and critical infrastructure.

Information stealer malware emerged as a growing concern, with cybercriminals using stolen credentials to access corporate networks. The report details how employees' personal devices infected with information stealers can compromise workplace credentials through browser synchronisation.

In one case study, a utility company's employee had their personal device compromised. The credentials "were probably moved from a corporate asset when the employee logged into a personal Google account on their work device and synchronised work credentials," the report explains.

State-Sponsored Threats Persist

State-sponsored cyber actors continued targeting Australian businesses and organisations for political, economic and military objectives. The report highlights campaigns by People's Republic of China-affiliated actors targeting telecommunications providers and Russian GRU operations targeting Western logistics companies.

"State-sponsored cyber actors continue to use built-in network administration tools to carry out their objectives and evade detection by blending in with normal system and network activities," the report states. This "living off the land" tradecraft requires network defenders to study abnormal behaviours rather than rely solely on traditional intrusion detection systems.

Email compromise resulting in no financial loss topped business cybercrime reports at 19%, followed by business email compromise fraud with financial loss at 15% and identity fraud at 11%.

Federal Government represented 32% of incident reporting, followed by state and local government at 14% and financial and insurance services at 7%. The retail trade, construction and education sectors each comprised 3% of incidents.

For critical infrastructure specifically, financial and insurance services accounted for 32% of incidents, transport and postal services 26%, and information media and telecommunications 16%.

Mandatory Reporting and Limited Use Protections

The Australian Government introduced mandatory ransomware reporting in May 2025 for businesses with annual turnover exceeding $A3 million and critical infrastructure entities. The regime aims to enhance government visibility of ransomware threats and inform policy development.

The Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024, passed in November 2024, provides "limited use" protections for organisations voluntarily reporting cyber incidents to ASD's ACSC. Information provided cannot be used for regulatory purposes or admitted as evidence in proceedings against reporting entities.

During FY2024-25, ASD's ACSC proactively notified entities of potential malicious cyber activity more than 1,700 times, an 83% increase from the previous year. The organisation answered over 42,500 calls to the Australian Cyber Security Hotline, up 16%.

Essential Eight and Legacy Systems

The report emphasises implementing ASD's Essential Eight mitigation strategies: patch applications, patch operating systems, multi-factor authentication, restrict administrative privileges, application control, restrict Microsoft Office macros, user application hardening and regular backups.

Edge devices - network components positioned at the network periphery such as routers, firewalls and VPN products - present particular vulnerability. ASD's ACSC observed more than 120 incidents associated with edge device attacks, with 96% proving successful.

"Edge devices are attractive targets for malicious cyber actors because internet-facing vulnerabilities in edge devices are common, and they are often difficult for network owners to monitor or configure securely," the report notes.

Organisations must begin preparing for post-quantum cryptography to protect against future cryptographically relevant quantum computers (CRQCs). "Effective transition plans for a post-quantum computing world will be critical to operating in 2030 and beyond - this planning must start now," the report states.

The full Annual Cyber Threat Report 2024-25 is available at cyber.gov.au.