Qantas Says No to Ransom While 96% of Australian Businesses Pay: What This Means for Cybersecurity


When Qantas Airways faced a sophisticated ransomware attack in July 2025, the airline made a decision that sets it apart from almost every other major Australian organization: it refused to pay the ransom.

While Australia's flagship carrier held firm against the notorious hacking group Scattered Spider (also known as Lapsus$ Hunters), new research reveals a troubling truth: 96% of breached Australian businesses paid ransomware demands in the past year – the highest rate globally and significantly above the international average of 82%.

This stark contrast raises critical questions about Australia's cybersecurity posture and why the country has become a prime target for ransomware gangs.


The Qantas Breach: A Case Study in Resistance

How the Attack Unfolded

The Qantas breach was part of a sophisticated, multi-company campaign that compromised 40 organizations using Salesforce's customer relationship management platform. The attackers employed AI-powered "vishing" (voice phishing) techniques to manipulate employees at a Manila-based Qantas call center into installing malicious software.

Once inside the network, the hackers gained access to customer databases containing:

  • Customer names and addresses
  • Email addresses
  • Frequent flyer account details
  • Booking information

The Ransom Demand and Refusal

When Scattered Spider set an October 10, 2025 deadline for payment, both Qantas and Salesforce stood firm in their refusal to pay. Days later, the stolen data appeared on the dark web, accompanied by a chilling warning from the attackers:

"Don't be the next headline, should have paid the ransom."

Australia's Ransomware Crisis: The Numbers Don't Lie

Record-Breaking Payment Rates

According to comprehensive research by data security firm Cohesity, which surveyed 3,200 large companies globally, Australia's cybersecurity landscape is facing an unprecedented crisis:

  • 96% of breached Australian businesses paid ransomware demands in the past year
  • 85% of Australian enterprises suffered a materially impactful cyberattack (vs. 54% globally)
  • 41% were hit multiple times (compared to just 26% internationally)
  • 41% paid over $1.53 million AUD in ransom payments
  • 99% faced legal or regulatory consequences following attacks

"What's clear is that traditional approaches to cybersecurity are no longer working, and current guidance isn't cutting through," said James Eagleton, Cohesity's managing director for Australia and New Zealand. "Despite government advice against paying ransoms, businesses are making the calculation that it's easier to pay than to deal with the disruption."

Why Australia Has Become Ransomware Ground Zero

The Perfect Storm of Vulnerability Factors

Several factors have converged to make Australia an ideal target for ransomware gangs:

1. Economic Attractiveness

Australia's relative wealth and high GDP per capita make it an economically viable target where organizations can afford substantial ransom payments.

2. Digital Transformation Without Security Maturity

Rapid digital adoption across Australian businesses has outpaced cybersecurity infrastructure development, creating exploitable vulnerabilities.

3. High Internet Penetration

With over 90% internet penetration, Australian businesses present a large attack surface with numerous entry points.

4. Willingness to Pay

The 96% payment rate signals to criminal organizations that Australian targets are likely to comply with demands, creating a self-reinforcing cycle.

"Australia is particularly exposed to this model due to its relative wealth, high internet penetration, and rapid digital adoption," explained Craig Searle, director of cyber advisory at Trustwave.

The $10.5 Trillion Ransomware Economy

Ransomware-as-a-Service: The Business Model Behind the Crisis

Ransomware has evolved from opportunistic attacks into a highly structured global economy. The World Economic Forum projects ransomware will cost $10.5 trillion USD in 2025 – effectively making it one of the world's largest economies, larger than most countries' GDP.

Modern ransomware operates through Ransomware-as-a-Service (RaaS) platforms, where:

  • Affiliates purchase ready-made toolkits with user-friendly dashboards
  • "Customer support" helps attackers maximize their success
  • Double and triple extortion techniques multiply revenue streams
  • Threat to leak stolen data adds pressure beyond encryption
  • Supply chain targeting creates additional leverage points

"The economic logic of ransomware is clear: extract maximum payment at the lowest possible cost," Searle noted.

The Maturity of Cyber Extortion

Davyn Baumann, senior intelligence analyst at Google Cloud Security's Threat Intelligence Group, confirmed the ecosystem's growth:

"The 2,302 global victims listed on data leak sites in Q1 2025 represented the highest single quarter count observed since we began tracking these sites in 2020, confirming the maturity of the cyber extortion ecosystem."

Why Paying Ransoms Doesn't Work

The False Promise of Data Recovery

Despite the overwhelming majority of Australian businesses choosing to pay, security experts warn that ransoms rarely deliver what victims hope for:

  • Less than 50% of ransom payers successfully recover their data
  • Much of the recovered data is corrupted or incomplete
  • No guarantee against future attacks – often marks organizations as willing payers
  • Strengthens the broader criminal ecosystem by funding future operations

The Australian government's position is clear: "[Paying] does not guarantee the recovery of data, prevent its publication or sale, or protect against future attacks," according to a Home Affairs spokesperson.

The True Cost Beyond Ransom Payments

The financial impact extends far beyond the ransom itself:

  • 90% of Australian businesses reported revenue losses from cyberattacks
  • Nearly one-third said losses reached 10% of annual revenue
  • 61% received fines or penalties (highest rate globally)
  • 76% of private organizations felt board pressure to dismiss senior leaders following attacks

"From financial loss and leadership pressure to eroding customer trust, consequences are no longer confined to the IT departments," Eagleton emphasized.

Australia's Regulatory Response: Mandatory Reporting

New Ransomware Payment Reporting Requirements

From May 30, 2025, Australia became the first country globally to mandate ransomware payment reporting. Under the new scheme:

  • Businesses with over $3 million turnover must notify the Australian Signals Directorate within 72 hours of payment
  • Six-month education phase runs before full enforcement begins in 2026
  • Fines and penalties will apply for non-compliance after the grace period

The Transparency Gap

However, the legislation doesn't require public disclosure of the reported data – a missed opportunity according to cybersecurity experts.

Jocelinn Kang, a resident technical fellow at the Australian Strategic Policy Institute, argues for transparency:

"The ransomware problem is too big for the government to solve alone. Public reporting of the information, with identities removed, would help the broader cybersecurity ecosystem to direct resources where they're needed most."

A Home Affairs spokesperson acknowledged the challenge: "Ransomware attacks remain significantly underreported and the Australian Government does not have reliable data on the ransomware and cyber extortion threat environment. Poor visibility impacts incident response and harms mitigation efforts."

Breaking the Cycle: Lessons from Qantas

What Enabled Qantas to Refuse Payment

Qantas's ability to hold the line against ransomware demands came down to three critical factors:

  1. Substantial cybersecurity budget with resources for incident response
  2. Robust recovery capability including backup systems and data resilience
  3. Board-level backing for the no-payment stance

"Obviously, situations differ case by case," Eagleton noted. "A strong investment in the ability to respond and recover [is key]."

The Strategic Imperative

"We find ourselves paying more ransoms ... and that, in turn, is attracting more bad actors," Eagleton continued. "We need to break out of that cycle, and certainly reducing the ransom paid is going to help."

Practical Steps for Organizations

Building Ransomware Resilience

To avoid becoming part of the 96%, Australian organizations should:

Invest in Prevention

  • Implement zero-trust architecture
  • Deploy endpoint detection and response (EDR) solutions
  • Conduct regular security awareness training
  • Patch vulnerabilities promptly

Prepare for Recovery

  • Maintain offline, immutable backups
  • Test backup restoration regularly
  • Develop and rehearse incident response plans
  • Establish business continuity procedures

Secure Board Buy-In

  • Educate directors on ransomware economics
  • Present the case against payment
  • Secure funding for security infrastructure
  • Establish clear decision-making protocols

Consider Cyber Insurance

  • Review policy coverage for ransomware
  • Understand payment vs. recovery coverage
  • Ensure the policy doesn't incentivize payment
  • Verify that incident response support is included

The Scattered Spider Threat Group

Understanding the Adversary

Scattered Spider (also tracked as Lapsus$ Hunters, UNC3944, and Scatter Swine) represents a new generation of threat actors:

  • English-speaking group with sophisticated social engineering capabilities
  • AI-powered vishing techniques to bypass technical controls
  • Focus on identity and access management exploitation
  • Large-scale campaigns targeting multiple organizations simultaneously
  • Known for Salesforce and Okta compromises

The group has been linked to major breaches beyond Qantas, including attacks on MGM Resorts, Caesars Entertainment, and dozens of other organizations throughout 2024-2025.

The Future of Ransomware in Australia

An Outlier No More?

For now, Qantas stands as an outlier in an Australian corporate landscape that has, perhaps inadvertently, signaled to criminals that Australia is open for business. But as the financial, operational, and reputational costs of ransomware continue to mount, more organizations may follow Qantas's example.

The question is whether the shift will come soon enough to break the cycle that has made Australia the world's most likely ransomware payer – or whether the country's businesses will continue funding the very criminal enterprises that threaten them.

Understanding Ransomware as an Economic System

"Understanding ransomware as an economic system, rather than a technical nuisance, is essential for modern businesses," Searle emphasized. Until Australian organizations collectively reduce payment rates, the country will remain a premium target for ransomware gangs worldwide.

Conclusion: A Call to Action

The Qantas breach represents both a warning and a template. As one of the few Australian organizations to refuse ransomware demands, Qantas demonstrates that resistance is possible – but requires preparation, investment, and resolve.

With 96% of Australian businesses choosing to pay, the country faces a critical inflection point. Each payment funds future attacks, sophisticated new tools, and the expansion of the ransomware economy. Breaking this cycle demands not just government regulation, but a fundamental shift in how organizations approach cybersecurity investment, incident response, and the economic calculus of ransom payment.

The message from Scattered Spider was clear: "Don't be the next headline, should have paid the ransom." But perhaps the real message should be the opposite: invest in resilience, refuse to fund criminals, and prove that Australia won't remain the world's easiest ransomware target.


Key Takeaways

  • ✅ 96% of Australian businesses paid ransomware demands in the past year – highest globally
  • ✅ Qantas refused to pay after a July 2025 breach by Scattered Spider
  • ✅ Australia is the #1 target due to wealth, digital adoption, and willingness to pay
  • ✅ Less than 50% of ransom payers fully recover their data
  • ✅ Ransomware will cost $10.5 trillion in 2025, operating as a global criminal economy
  • ✅ Mandatory payment reporting began in Australia in May 2025
  • ✅ Investment in resilience is key to refusing ransom demands
