Report a cybercrime, cyber security incident or vulnerability.
Report

What are you looking for?

You can search for keywords to find pages that can help you e.g. scam
First published: 10 Oct 2024
Last updated: 10 Oct 2024

Content written for

Individuals & families
Small & medium business
Large organisations & infrastructure
<--- DO NOT REMOVE -->

This interactive guide is here to assist you with taking all of the appropriate steps to prepare for, respond to and recover from a ransomware incident.

The Ransomware Playbook is a holistic resource, collating resources across government and industry in one accessible interactive webpage.

What is ransomware?

Ransomware is a common and dangerous type of malware. It works by locking up or encrypting your files so you can no longer access them. The effects of a ransomware, data extortion or encryption event can go beyond the loss of files or data. For individuals there may be a risk of identity theft, and for businesses loss of reputation, ability to trade or service delivery.

A ransom, usually in the form of cryptocurrency, is demanded to restore access to the files. Cybercriminals might also demand a ransom to prevent data and intellectual property from being leaked or sold online.

As a prosperous country with high online connectivity, Australia is a very attractive and profitable target for cybercriminals. Ransomware, cyber extortion, scams and digital theft all take a significant toll on Australian businesses and the community.

What to look for

Ransomware can infect your devices in the same way as other malware or viruses. For example, by:

  • visiting unsafe or suspicious websites
  • opening emails or files from unknown sources
  • clicking on malicious links in emails or on social media.

Common signs you may be a victim of ransomware include:

  • pop-up messages requesting funds or payment to unlock files
  • you cannot access your devices, or your login doesn’t work for unknown reasons
  • files request a password or a code to open or access them
  • files have moved or are not in their usual folders or locations
  • files have unusual file extensions, or their names or icons having changed to something strange.

It is strongly recommended not to pay a ransom.

There is no guarantee paying the ransom will allow you to regain access to your information or prevent it from being sold or leaked online. You may also be targeted by another attack.

Call the 24/7 Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371) if you need cyber security assistance.

I would like to learn how to:

Answer the question above to see further information.

I am a:
Individual
Small & Medium Business
Large Organisation or Critical Infrastructure operator

Prepare

Strong cyber security is the best way to protect yourself from a ransomware attack. Cybercriminals target known weaknesses to exploit vulnerabilities in systems, and most ransomware attacks are the result of poor cyber hygiene, rather than sophisticated attack techniques.

A ransomware attack could block you from accessing your device or the information on it. Take some time to consider how a ransomware attack might affect you. This will help you to invest the right amount of time, effort and money into protecting your systems.

You should consider:

  • What can you replace, for example, files you downloaded from the internet?
  • What can’t you replace, for example, photos that aren’t backed up?
  • What would you spend to recover your information or device after a ransomware attack?

Additionally, if you have been the victim of a ransomware attack and have paid a ransom, there is no guarantee you will regain access to your information, or prevent it from being sold or leaked online. You may also be targeted by another attack.

Respond

Are you currently experiencing a ransomware attack?

If you are currently experiencing an attack, you may be locked out of your files or devices with a cybercriminal demanding payment to regain access. We understand you may be feeling pressured, panicked or stressed. Keep calm, and remember that the Australian Government strongly discourages paying a ransom. ASD’s ACSC has an emergency response guide for ransomware attacks, which steps through simple ways you can limit the damage caused by a ransomware attack.

Not all ransomware attacks are the same so some of the steps in this guide may not apply to your situation. Use the actions that best suit your case.

Recover

A wide array of support mechanisms is provided by government and not-for-profits to help those affected by ransomware get back to business and build resilience against future attacks. 

Following a ransomware incident, you or your customers may be at an increased risk of identity theft. Our identities are one of the most sensitive and valuable types of personal data. Cybercriminals go to great lengths to steal Australians’ identities, including through large-scale breaches of business customer data. Personal data, including identity information, is bought and sold on the dark web for a high price.

Prepare - Individuals

Basic cyber hygiene can prevent a magnitude of threats. Understanding what an attack can look like and what threat vectors you may be exposed to can help you understand what you are preparing for.

Practical steps that can be taken to prepare for a ransomware or cyber extortion incident include:

Complete the ransomware prevention checklist The ASD’s ACSC has published a Ransomware Prevention Checklist that you can complete. The checklist helps you to confirm that you have taken the right steps to prevent a ransomware attack from happening or reduce its impact. Follow ASD's ACSC steps to protect yourself from ransomware This website can help you understand each of the different steps you can take to secure your devices against ransomware attacks. These actions include setting up and performing regular backups, using unique passphrases, using antivirus software, and turning on multi-factor authentication. Sign up to get alerts through the free ASD's ACSC alert service Be notified when a new cyber threat is identified. ASD's ACSC - Ransomware emergency response guide Remember, if a ransomware incident occurs, you might not have access to your devices. Consider printing the Ransomware Attacks – Emergency Response Guide issued by the ASD’s ACSC to have on hand in an emergency.

Prepare - Small and Medium Business

For small and medium businesses, even minor cyber security incident can have devastating impacts.

A ransomware or cyber extortion incident can impact your business in many ways, including:

  • Operational disruption, which can impact delivery of service to customers
  • Lost revenue from missed business while operations are impacted
  • Loss of customers due to security or privacy concerns, leading to further lost revenue
  • Cost of response and remediation activities
  • Cost of restoration from destructive attacks where data cannot be decrypted
  • Reputational damage.

Understanding what an attack can look like and what threat vectors you may be exposed to can help you understand how best to protect yourself. There are numerous programs and services which can assist you.

Complete the cyber security checklist for small business The ASD’s ACSC has published a Ransomware Prevention Checklist that you can complete. The checklist helps you to confirm that you have taken the right steps to prevent a ransomware attack from happening or reduce its impact. Simplified Cyber Security for Australian Small Business | cyberwardens.com.au The Cyber Wardens program is a simple education tool designed to build a cyber-smart small business workforce. Educating your team about cyber threats will help to protect your business. Follow ASD's ACSC steps to protect yourself from ransomware This website can help you understand each of the different steps you can take to secure your device against ransomware attacks. These actions include setting up and performing regular backups, implementing access controls, using antivirus software, and turning on multi-factor authentication. Review the ASD's ACSC Ransomware emergency response guide Remember, if a ransomware incident occurs, you might not have access to your devices. Consider printing the Ransomware Attacks – Emergency Response Guide issued by the ASD’s ACSC to have on hand in an emergency. Sign up to get alerts through the free ASD's ACSC alert service Be notified when a new cyber threat is identified. Review the Cyber Security Handbook for Small Business and Not-for-Profit Directors | aicd.com.au The Australian Institute of Company Directors (AICD), in collaboration with the Australian Information Security Association (AISA), has released new guidance for small business and not-for-profit directors to assist in strengthening the cyber resilience of their organisations. Data breach preparation and response | oaic.gov.au A guide for organisations and agencies to help them prepare for and respond to a data breach in line with their obligations under the Privacy Act. Engage the Small Business Cyber Resilience Service | idcare.org IDCare provides eligible small businesses with free person-to-person support to help them build their cyber resilience against cyber threats, including ransomware.

To help prepare for the mental health impacts of a ransomware attack or cyber extortion incident, the following actions can be embedded in cyber-readiness activities and incident response plans:

  • Acknowledging the mental health and wellbeing challenges confronting business owners and staff during cyber incidents
  • Providing training to staff on what to expect during a cyber incident
  • Providing training for mental health first aid officers who can provide initial support and guidance during a cyber incident
  • Regular communication before, during and after an incident
  • Considering additional resourcing during an incident to manage high workloads
  • Providing post-incident support for staff

Experiencing a ransomware attack or cyber extortion incident may bring increased public attention and scrutiny. You may experience an increased volume of enquiries from customers, clients and/or media organisations about the impacts of the incident of your entity.

Understanding/having an awareness of what could be involved will help you prepare for and manage public inquiries during a cyber incident.

If you have experienced a ransomware attack or cyber extortion incident, you may receive enquiries from customers, clients or media organisations on:

  • Has personal or sensitive data has been compromised?
  • How is the incident being managed?
  • Will a ransom payment be made?
  • How are any impacts upon your customers or clients being addressed?
  • Could the incident have been avoided?
  • What will be done to avoid future incidents?

Considering internal and external communications as part of your incident response plan is one of the best ways to prepare for increased public attention in the event of a cyber incident. The ASD’s ACSC guidance on creating a cyber incident response plan contains important consideration for managing your business’ communication.

It’s important to consider how your entity will communicate with customers, clients and the public while an incident is ongoing. A ransomware attack may take away the usual systems you would use to communicate with stakeholders and the public.

If the ransomware attack or cyber extortion incident is of national significance or national interest, the National Cyber Security Coordinator will be involved. Working with your entity, the Coordinator will make public comments and statements on the efforts being undertaken by the Australian Government to address the impacts of a national significant cyber incident.

The Cyber Health Check will be an online interactive tool to enable businesses to self-assess their current cyber security and receive guidance on strengthening their cyber security practices.

Prepare - Large Organisation or Critical Infrastructure operators

Directors, boards and business operators feel that they face a complex regulatory environment. The following resources can help businesses understand what good cyber security looks like.

Cyber Security Governance Principles | aicd.com.au Directors have a critical role to play and must seek to lift their own cyber literacy levels, recognising that this is a key risk that can never be eliminated but can be effectively managed. The Cyber Security Governance Principles, published by Australian Institute of Company Directors, provide a practical framework for proactively tackling the oversight and management of cyber risk. Overview of Cyber Security Obligations for Corporate Leaders | cisc.gov.au The complex and evolving risk of cyber incidents presents serious security challenges for owners and operators of Australia’s critical infrastructure assets. Cyber security risk management is an imperative for all levels of management from the board down. An organisation’s board, directors and senior management play a pivotal role in developing frameworks to adequately identify and manage cyber risks. Follow ASD's ACSC steps to protect your business from ransomware This website can help you understand each of the different steps you can take to secure against ransomware attacks. These actions include setting up and performing regular backups, implementing access controls, using antivirus software, and turning on multi-factor authentication. Sign up to get alerts through the free ASD's ACSC alert service Be notified when a new cyber threat is identified. 2023-2030 Australian Cyber Security Strategy Initiatives | homeaffairs.gov.au As a key deliverable under the Strategy, National Office of Cyber Security (NOCS) is developing industry-facing playbooks for incident response for critical infrastructure sectors. These playbooks provide industry with a brief overview of the coordination and consequence management activities an entity can expect from NOCS during an incident. They seek to further trusted and transparent industry-to-government relationships on cyber security incident response arrangements. Data breach preparation and response | oaic.gov.au A guide for organisations and agencies to help them prepare for and respond to a data breach in line with their obligations under the Privacy Act.

To help prepare for the mental health impacts of a ransomware attack or cyber extortion incident, the following actions can be embedded in cyber-readiness activities and incident response plans:

  • Acknowledging the mental health and wellbeing challenges confronting staff during cyber incidents
  • Providing training to staff on what to expect during a cyber incident
  • Providing training for mental health first aid officers who can provide initial support and guidance during a cyber incident
  • Regular communication before, during and after an incident
  • Considering additional resourcing during an incident to manage high workloads
  • Providing post-incident support for staff

Experiencing a ransomware attack or cyber extortion incident may bring increased public attention and scrutiny. You may experience an increased volume of enquiries from customers, clients and/or media organisations about the impacts of the incident of your entity.

Understanding/having an awareness of what could be involved will help you prepare for and manage public inquiries during a cyber incident.

If you have experienced a ransomware attack or cyber extortion incident, you may receive enquiries from customers, clients or media organisations on:

  • Has personal or sensitive data has been compromised?
  • How is the incident being managed?
  • Will a ransom payment be made?
  • How are any impacts upon your customers or clients being addressed?
  • Could the incident have been avoided?
  • What will be done to avoid future incidents?

Considering internal and external communications as part of your incident response plan is one of the best ways to prepare for increased public attention in the event of a cyber incident. The ASD’s ACSC guidance on creating a cyber incident response plan contains important consideration for managing your business’ communication.

It’s important to consider how your entity will communicate with customers, clients and the public while an incident is ongoing. A ransomware attack may take away the usual systems you would use to communicate with stakeholders and the public.

If the ransomware attack or cyber extortion incident is of national significance or national interest, the National Cyber Security Coordinator will be involved. Working with your entity, the Coordinator will make public comments and statements on the efforts being undertaken by the Australian Government to address the impacts of a national significant cyber incident.

Respond - Individuals

If you are currently experiencing an attack, you may be locked out of devices with a cybercriminal demanding payment to regain access. We understand you may be feeling pressured, panicked or stressed to restore services. Keep calm, and remember that the Australian Government strongly discourages making ransomware or cyber extortion payments.

STEP 1: Record Important details
STEP 2: Turn off infected device
STEP 3: Turn off your other devices
STEP 4: Change important passwords

ASD's ACSC Ransomware emergency response guide Refer to ASD's ACSC Ransomware emergency response guide for further information on responding to a ransomware attack. Report and recover from a ransomware attack Learn where to get help from a ransomware attack, and steps to protect yourself against future incidents.

Remember, the Australian Government strongly discourages making ransomware or cyber extortion payments.

  • Paying a ransom will not ensure your data is decrypted, that your data or systems will no longer be compromised, or that your data will not be leaked.
  • Payments are profits for criminal activity, encouraging further ransomware attacks.
  • Payments may contravene sanctions measures, which is a serious criminal offence.
Guidance note on cyber sanctions | dfat.gov.au

Mental health support during a cyber incident

Experiencing a ransomware attack or cyber extortion incident can have an impact on mental health and wellbeing. It is essential that you can find proper support if you feel worries, anxious or depressed due to the impacts of a cyber incident.

As a first step, seek online or phone support, or see your doctor.

In an emergency, call 000.

For other support, help is available 24 hours a day, 7 days a week, anywhere in Australia. If you need help now, call:

Find a list of services that can help you right now at Head to Health.

Respond - Small and Medium Business

If you are currently experiencing an attack, you may be locked out of devices or files with a cybercriminal demanding payment for you to regain access. We understand you may be feeling pressured, panicked or stressed to restore services. Keep calm, and remember that the Australian Government strongly discourages making a ransomware or cyber extortion payment.

STEP 1: Record Important details
STEP 2: Turn off infected device
STEP 3: Turn off your other devices
STEP 4: Change important passwords

ASD's ACSC Ransomware emergency response guide Refer to ASD's ACSC Ransomware emergency response guide for further information on responding to a ransomware attack. Report and recover from ransomware attack Learn where to get help from a ransomware attack, and steps to protect yourself against future incidents. Cyber Security Response Coordination Unit | homeaffairs.gov.au If the ransomware attack or cyber extortion incident is of national significance or national interest, the National Cyber Security Coordinator will be involved. Working with your entity, the Coordinator will make public comments and statements on the efforts being undertaken by the Australian Government to address the impacts of a national significant cyber incident. Data breach preparation and response | oaic.gov.au A ransomware incident may constitute a data breach. Each data breach response needs to be tailored to the circumstances of the incident. In general, a data breach response should follow four key steps: contain, assess, notify and review.

Remember, the Australian Government strongly discourages making ransomware or cyber extortion demand payments.

  • Paying a ransom will not ensure your data is decrypted, that your data or systems will no longer be compromised, or that your data will not be leaked.
  • Payments are profits for criminal activity, encouraging further ransomware attacks.
  • Payments may contravene sanctions measures, which is a serious criminal offence.
Guidance note on cyber sanctions | dfat.gov.au

Mental health support during a cyber incident

Mental health and wellbeing support for anyone impacted by a cyber incident, including customers and clients, staff or business owners, is an important part of cyber risk management and incident response planning.

As cyber incidents become more commonplace and threat actors increasingly target, harass and intimidate victims, information is emerging on the heavy toll cyber incidents can take on the people involved. Investing in mental health and wellbeing during a cyber incident, can:

  • Reduce burnout and help retain staff
  • Enhance the effectiveness of cyber defence and incident response teams and enhance organisational cyber security
  • Reduce the risk of potentially devastating consequences that can follow harassment campaigns by threat actors determined to extract cyber extortion payments

During a cyber incident, you and your staff may experience:

  • Long working hours over extended periods
  • Anxiety
  • Significant regulatory exposure (including personal liability)
  • Customer backlash
  • Media attention and speculation
  • Feelings of guilt and stress associated with the responsibility of having to make hard judgement calls

In an emergency, call 000.

For other support, help is available 24 hours a day, 7 days a week, anywhere in Australia. If you need help now, call:

Find a list of services that can help you right now at Head to Health.

Respond - Large Organisation or Critical Infrastructure operators

If you are currently experiencing an attack, you may be locked out of devices or files with a cybercriminal demanding payment to regain access. We understand you may be feeling pressured, panicked or stressed to restore services. Keep calm, and remember that the Australian Government strongly discourages making a ransomware or cyber extortion payments.

STEP 1: Record Important details
STEP 2: Turn off infected device
STEP 3: Turn off your other devices
STEP 4: Change important passwords

ASD's ACSC Ransomware emergency response guide Refer to ASD's ACSC Ransomware emergency response guide for further information on responding to a ransomware attack. Report and recover from ransomware attack Learn where to get help from a ransomware attack, and steps to protect yourself against future incidents. Cyber Security Response Coordination Unit | homeaffairs.gov.au If the ransomware attack or cyber extortion incident is of national significance or national interest, the National Cyber Security Coordinator will be involved. Working with your entity, the Coordinator will make public comments and statements on the efforts being undertaken by the Australian Government to address the impacts of a national significant cyber incident. National Office of Cyber Security (NOCS) | homeaffaris.gov.au The NOCS helps entities respond to cyber incidents of national significance or interest in many ways, including acting as a central touchpoint between organisations, the Australian Government, state and territory governments and other industry stakeholders. During an incident, the NOCS will work closely with you to understand potential impacts, and connect you with relevant government bodies to support you to understand and manage those impacts. Data breach preparation and response | oaic.gov.au A ransomware incident may constitute a data breach. Each data breach response needs to be tailored to the circumstances of the incident. In general, a data breach response should follow four key steps: contain, assess, notify and review.

Remember, the Australian Government strongly discourages making ransomware or cyber extortion demand payments.

  • Paying a ransom will not ensure your data is decrypted, that your data or systems will no longer be compromised, or that your data will not be leaked.
  • Payments are profits for criminal activity, encouraging further ransomware attacks.
  • Payments may contravene sanctions measures, which is a serious criminal offence.
Guidance note on cyber sanctions | dfat.gov.au

Mental health support during a cyber incident

Mental health and wellbeing support for anyone impacted by a cyber incident, including customers and clients, staff or business owners, is an important part of cyber risk management and incident response planning.

As cyber incidents become more commonplace and threat actors increasingly target, harass and intimidate victims, information is emerging on the heavy toll cyber incidents can take on the people involved. Investing in mental health and wellbeing during a cyber incident, can:

  • Reduce burnout and help retain staff
  • Enhance the effectiveness of cyber defence and incident response teams and enhance organisational cyber security
  • Reduce the risk of potentially devastating consequences that can follow harassment campaigns by threat actors determined to extract cyber extortion payments

During a cyber incident, you and your staff may experience:

  • Long working hours over extended periods
  • Anxiety
  • Significant regulatory exposure (including personal liability)
  • Customer backlash
  • Media attention and speculation
  • Feelings of guilt and stress associated with the responsibility of having to make hard judgement calls

In an emergency, call 000.

For other support, help is available 24 hours a day, 7 days a week, anywhere in Australia. If you need help now, call:

Recover - Individuals

Now that you’ve responded to a ransomware attack, it’s time to recover your information, restore your infected devices and report the incident. A wide array of support mechanisms is provided by government and not-for-profits to help those affected by ransomware to get back to business and build resilience.

ReportCyber Ransomware attacks and cyber extortion incidents are a form of cybercrime and should be reported through ReportCyber. Report and recover from ransomware This guide from the ASD’s ACSC explains the steps you can take to restore your backup, what to do if you don’t have secure backups, and how to remove ransomware from an infected device.

Following a ransomware incident, you may be at an increased risk of identity theft. There are a number of resources that can help you. You may wish to replace your identity documents if they have been exposed or compromised as part of an incident.

Individual Support Services | idcare.org IDCARE supports Australian victims of identity compromise and misuse by providing specialised counselling services and remediation of devices when they are compromised by malicious software. Act quickly if you're affected by a data breach | oaic.gov.au An organisation that must comply with the Australian Privacy Act has to tell you if a data breach involving your personal information is likely to cause you serious harm. If you are told about a data breach, you should act quickly to reduce your risk of harm. Keep a record of what you do as this may be useful if you experience harm. The action you take depends on the information involved. The Office of the Australian Information Commissioner (OAIC) has resources which can support your decision making if you are informed your data has been breached. How you can protect your personal information after a data breach - Managing your money | servicesaustralia.gov.au Services Australia can advise on what to do if you are concerned about your myGov, Medicare, Centrelink or Child Support accounts after your personal information is compromised. If you think you've been scammed by someone impersonating myGov or Services Australia, call Services Australia's Scams and Identity Theft Helpdesk on 1800 941 126. Protect your identity, keep it safe | idmatch.gov.au The IDMatch website provides a central point of useful resources on how to protect your identity information and what to do if you believe you are a victim of identity theft. Help for identity theft | Australian Taxation Office | ato.gov.au If you know or suspect that someone has stolen your tax file number (TFN) or is using your tax-related information illegally, phone us on 1800 467 033 as soon as you can.

Recover - Small and Medium Business

Now that you’ve responded to a ransomware attack, it’s time to recover your information, restore your infected devices and report the incident. A wide array of support mechanisms is provided by government and not-for-profits to help those affected by ransomware get back to business and build resilience.

ReportCyber Ransomware attacks and cyber extortion incidents are a form of cybercrime and should be reported through ReportCyber. Report and recover from ransomware This guide from the ASD’s ACSC explains the steps you can take to restore your backup, what to do if you don’t have secure backups, and how to remove ransomware from an infected device. Protect your business | idmatch.gov.au The IDMatch website provides a central point to access useful resources on how to protect the identity information your business collects and help reduce the cost of identity theft. Engage the Small Business Cyber Resilience Service | idcare.org IDCare can support eligible businesses with recovery from a cyber or privacy related incident, including email or account compromise, website impersonation, phishing, data breach events, hacking, ransomware, and/or cyber resilience assessment and advice.

If the cyber incident is nationally significant or of national interest, you may be contacted by government agencies who can provide assistance with the response and consequence management.

The National Office of Cyber Security (NOCS) can assist in managing the consequences of cyber security incidents. This includes bringing together expertise and resources from across government, security agencies and industry to identify, understand and mitigate harms. NOCS is not a regulator, but can help to connect you with relevant regulators to understand your regulatory obligations.

In the event the ransomware attack or cyber extortion incident is severe and results in a national crisis, NOCS will work with your organisation and the National Emergency Management Agency (NEMA) to coordinate a large scale response through the National Coordination Mechanism (NCM). The NCM brings together relevant representatives of both government and non-government organisations to coordinate, communicate and collaborate during responses to a crisis.

If your business is a regulated entity, you will need to ensure that you continue to discharge your regulatory obligations, including any reporting obligations. Some examples of regulatory obligations include:

  • Under the Security of Critical Infrastructure Act, you have an obligation to report cyber incidents that have a relevant or significant impact on your critical infrastructure asset through ReportCyber
  • Under the Notifiable Data Breaches scheme, any organisation or agency covered by the Privacy Act 1988 must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved.
  • If your data or systems are integrated with any other entity (including Government), you may need to inform them so they can assess the incident and the security of the connected systems.

Regulatory obligations may be subject to change and you remain responsible for identifying requirements which apply to your circumstances. To assist, the government has developed some guidance to help you better understand which obligations may apply, including:

  • Overview of Cyber Security Obligations for Corporate Leaders – Boards, Company Directors, Chief Executive Officers, and other corporate leaders navigate important obligations and requirements that should be considered in developing cyber security frameworks for critical infrastructure assets.
  • Single Reporting Portal – brings together Commonwealth legislative reporting requirements that may be triggered by a cyber security incident, and can help you meet your cyber reporting requirements.

ASD is not a regulator. If you have questions about specific regulatory obligations, you can contact the relevant regulator.

Cyber security incident response planning: Practitioner guidance The recovery from a ransomware or data extortion incident doesn’t end once your systems are back up and running. Communicating to your stakeholders in a timely manner may help you in protecting your brand or reputation.

Communication plans can help with this. Who needs to be told what and when? If you are required to make a public statement, what would it be and how would you deliver it? You might have contractual obligations to customers, clients or entities in your supply chain that include a timeframe for informing them of an incident.

If you have system connections to partners or providers (this may include government), you may need to inform them so they can assess the incident and security of the connected systems.

Cyber security incident response planning: Practitioner guidance Post incident, it’s time to review what happened, learn from the incident and build resilience to future attacks.

ASD’s ACSC offers guidance on how to conduct a Post Incident Review (PIR), which is a detailed review, conducted after a cyber security incident. The PIR can include a 'hot debrief', which happens immediately after the incident, and a 'formal debrief', held after the incident has been completed.

After an incident, important questions to ask are:

  • What caused the incident?
  • Were there any issues with our incident response?
  • Was the incident preventable? If so, how?
  • What mitigation strategies could have prevented the incident? Are you in a position to implement them? These may include Essential 8, ISM, and other security control guidance.
  • What worked well in our response?
  • Where can we improve?
Simplified Cyber Security for Australian Small Business | cyberwardens.com.au Consider taking steps to improve the cyber security knowledge of your business. The Cyber Wardens program is a short course funded by the Australian Government to protect small businesses from daily online threats.

Recover - Large Organisation or Critical Infrastructure operators

If you or your business is affected by a ransomware attack or cyber extortion incident, you may need to engage with government entities to seek assistance or to discharge regulatory obligations, including reporting obligations.

ReportCyber Ransomware attacks and cyber extortion incidents are a form of cybercrime and should be reported through ReportCyber. Report and recover from ransomware This guide from the ASD’s ACSC explains the steps you can take to restore your backup, what to do if you don’t have secure backups, and how to remove ransomware from an infected device.

If the cyber incident is nationally significant or of national interest, you may be contacted by government agencies who can provide assistance with the response and consequence management.

The National Office of Cyber Security (NOCS) can assist in managing the consequences of cyber security incidents. This includes bringing together expertise and resources from across government, security agencies and industry to identify, understand and mitigate harms. NOCS is not a regulator, but can help to connect you with relevant regulators to understand your regulatory obligations.

In the event the ransomware attack or cyber extortion incident is severe and results in a national crisis, NOCS will work with your organisation and the National Emergency Management Agency (NEMA) to coordinate a large scale response through the National Coordination Mechanism (NCM). The NCM brings together relevant representatives of both government and non-government organisations to coordinate, communicate and collaborate during responses to a crisis.

If your business is a regulated entity, you will need to ensure that you continue to discharge your regulatory obligations, including any reporting obligations. Some examples of regulatory obligations include:

  • Under the Security of Critical Infrastructure Act, you have an obligation to report cyber incidents that have a relevant or significant impact on your critical infrastructure asset through ReportCyber.
  • Under the Notifiable Data Breaches scheme, any organisation or agency covered by the Privacy Act 1988 must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved.
  • If your data or systems are integrated with any other entity (including Government), you may need to inform them so they can assess the incident and the security of the connected systems.

Regulatory obligations may be subject to change and you remain responsible for identifying requirements which apply to your circumstances. To assist, the government has developed some guidance to help you better understand which obligations may apply, including:

  • Overview of Cyber Security Obligations for Corporate Leaders – Boards, Company Directors, Chief Executive Officers, and other corporate leaders navigate important obligations and requirements that should be considered in developing cyber security frameworks for critical infrastructure assets.
  • Single Reporting Portal – brings together Commonwealth legislative reporting requirements that may be triggered by a cyber security incident, and can help you meet your cyber reporting requirements.

ASD is not a regulator. If you have questions about specific regulatory obligations, you can contact the relevant regulator.

Cyber security incident response planning: Practitioner guidance Recovery from a ransomware or data extortion incident doesn’t end once your systems are back up and running. Timely communication to your stakeholders may help you in protecting your brand or reputation.

Communication plans can help with this. Who needs to be told what and when? If you are required to make a public statement, what would it be and how would you deliver it? You might have contractual obligations to customers, clients or entities in your supply chain that include a timeframe for informing them of an incident.

If you have system connections to partners or providers (this may include government), you may need to inform them so they can assess the incident and the security of the connected systems.

Cyber security incident response planning: Practitioner guidance Post incident, it’s time to review what happened, learn from the incident and build resilience to future attacks.

ASD’s ACSC offers guidance on how to conduct a Post Incident Review (PIR), a detailed review conducted after a cyber security incident. The PIR can include a 'hot debrief', which happens immediately after the incident, and a 'formal debrief', held after the incident has been completed.

After an incident, important questions to ask are:

  • What caused the incident?
  • Were there any issues with our incident response?
  • Was the incident preventable? If so, how?
  • What mitigation strategies could have prevented the incident? Are we in a position to implement them? These may include Essential 8, ISM, and other security control guidance.
  • What worked well in our response?
  • Where can we improve?

Notify - Individuals

Notifying ASD of a ransomware incident adds to the collective knowledge of threats facing industry and the nation at large. A key strength ASD's ACSC is its ability to aggregate and analyse information to produce a national cyber threat picture. ASD draws upon information gathered through ASD intelligence sources and, crucially, the information provided by organisations and entities impacted by cyber incidents in Australia.

ASD's ACSC ReportCyber

Report cybercrimes, security incidents and vulnerabilities at cyber.gov.au. Your report helps to disrupt crime operations and makes Australia more secure. If your money and/or identity is at risk, also notify the relevant services below.

National Anti-Scam Centre - Scamwatch

Report malware incidents to National Anti-Scam Centre - Scamwatch. Your report helps to warn people about current threats and disrupt them where possible. You’ll need to provide details of the malware incident, such as how it occurred and any losses you suffered.

Your financial institution

Contact your bank or credit union immediately if you’ve lost money in a malware attack. They may be able to close your account or stop a transaction. Make sure you call them using their official phone number.

The compromised website or product owner

If the malware came from a compromised website or product, report the incident to its owner. This will help protect others from harm. Make sure you report it through an official email or phone number.

Services Australia

If you need to report a scam related to myGov or Services Australia, including Centrelink, Medicare or Child Support, email reportascam@servicesaustralia.gov.au.

If you think you've been scammed by someone impersonating myGov or Services Australia, including Centrelink, Medicare or Child Support, refer to Services Australia’s website regarding data breaches at www.servicesaustralia.gov.au/databreach.

IDCARE

Contact IDCARE if your personal information is at risk from a data breach. They’re a national identity and cyber support service for individuals and organisations.

Australian Taxation Office

Contact the ATO if someone has stolen your personal or business identity. You must report all tax-related security issues to the ATO.

Report - Small and Medium Business

Reporting the lessons learnt from your ransomware incident can feed in to the wider cyber ecosystem and uplift the national cyber posture. All reports help uplift the national posture. By reporting in to ASD's cyber.gov site, you add to the collective knowledge of threats facing industry and the nation at large. A key strength ASD's ACSC is its ability to aggregate and analyse information to produce a national cyber threat picture. ASD draws upon information gathered through ASD intelligence sources and, crucially, the information provided by organisations and entities impacted by cyber incidents in Australia.

Single Reporting Portal

We know that cyber security incidents can be complex and it can be difficult to understand how to meet your reporting requirements. For regulatory reporting requirements, the Single Reporting Portal is available to help you understand your obligations.

ASD's ACSC ReportCyber

Report cybercrimes, security incidents and vulnerabilities at cyber.gov.au. Your report helps to disrupt crime operations and makes Australia more secure. If your money and/or identity is at risk, also notify the relevant services below.

National Anti-Scam Centre - Scamwatch

Report malware incidents to National Anti-Scam Centre - Scamwatch. Your report helps to warn people about current threats and disrupt them where possible. You’ll need to provide details of the malware incident, such as how it occurred and any losses you suffered.

Your financial institution

Contact your bank or credit union immediately if you’ve lost money in a malware attack. They may be able to close your account or stop a transaction. Make sure you call them using their official phone number.

The compromised website or product owner

If the malware came from a compromised website or product, report the incident to its owner. This will help protect others from harm. Make sure you report it through an official email or phone number.

Services Australia

If you need to report a scam related to myGov or Services Australia, including Centrelink, Medicare or Child Support, email reportascam@servicesaustralia.gov.au.

If you think you've been scammed by someone impersonating myGov or Services Australia, including Centrelink, Medicare or Child Support, refer to Services Australia’s website regarding data breaches at www.servicesaustralia.gov.au/databreach

IDCARE

Contact IDCARE if your personal information is at risk from a data breach. They’re a national identity and cyber support service for individuals and organisations.

Australian Taxation Office

Contact the ATO if someone has stolen your personal or business identity. You must report all tax-related security issues to the ATO.

Report - Large Organisation or Critical Infrastructure

Reporting the lessons learnt from your ransomware incident can feed in to the wider cyber ecosystem and uplift the national cyber posture. All reports help uplift the national posture. By reporting in to ASD's cyber.gov site, you add to the collective knowledge of threats facing industry and the nation at large. A key strength ASD's ACSC is its ability to aggregate and analyse information to produce a national cyber threat picture. ASD draws upon information gathered through ASD intelligence sources and, crucially, the information provided by organisations and entities impacted by cyber incidents in Australia.

Single Reporting Portal

We know that cyber security incidents can be complex and it can be difficult to understand how to meet your reporting requirements. For regulatory reporting requirements, the Single Reporting Portal is available to help you understand your obligations.

ASD's ACSC ReportCyber

Report cybercrimes, security incidents and vulnerabilities at cyber.gov.au. Your report helps to disrupt crime operations and makes Australia more secure. If your money and/or identity is at risk, also notify the relevant services below.

National Anti-Scam Centre - Scamwatch

Report malware incidents to National Anti-Scam Centre - Scamwatch. Your report helps to warn people about current threats and disrupt them where possible. You’ll need to provide details of the malware incident, such as how it occurred and any losses you suffered.

Your financial institution

Contact your bank or credit union immediately if you’ve lost money in a malware attack. They may be able to close your account or stop a transaction. Make sure you call them using their official phone number.

The compromised website or product owner

If the malware came from a compromised website or product, report the incident to its owner. This will help protect others from harm. Make sure you report it through an official email or phone number.

Services Australia

If you need to report a scam related to myGov or Services Australia, including Centrelink, Medicare or Child Support, email reportascam@servicesaustralia.gov.au.

If you think you've been scammed by someone impersonating myGov or Services Australia, including Centrelink, Medicare or Child Support, refer to Services Australia’s website regarding data breaches at www.servicesaustralia.gov.au/databreach

IDCARE

Contact IDCARE if your personal information is at risk from a data breach. They’re a national identity and cyber support service for individuals and organisations.

Australian Taxation Office

Contact the ATO if someone has stolen your personal or business identity. You must report all tax-related security issues to the ATO.

Notify

Notifying ASD of a ransomware incident adds to the collective knowledge of threats facing industry and the nation at large. A key strength ASD's ACSC is its ability to aggregate and analyse information to produce a national cyber threat picture. ASD draws upon information gathered through ASD intelligence sources and, crucially, the information provided by organisations and entities impacted by cyber incidents in Australia.

ASD's ACSC ReportCyber

Report cybercrimes, security incidents and vulnerabilities at cyber.gov.au. Your report helps to disrupt crime operations and makes Australia more secure. If your money and/or identity is at risk, also notify the relevant services below.

National Anti-Scam Centre - Scamwatch

Report malware incidents to National Anti-Scam Centre - Scamwatch. Your report helps to warn people about current threats and disrupt them where possible. You’ll need to provide details of the malware incident, such as how it occurred and any losses you suffered.

Your financial institution

Contact your bank or credit union immediately if you’ve lost money in a malware attack. They may be able to close your account or stop a transaction. Make sure you call them using their official phone number.

The compromised website or product owner

If the malware came from a compromised website or product, report the incident to its owner. This will help protect others from harm. Make sure you report it through an official email or phone number.

Services Australia

If you need to report a scam related to myGov or Services Australia, including Centrelink, Medicare or Child Support, email reportascam@servicesaustralia.gov.au.

If you think you've been scammed by someone impersonating myGov or Services Australia, including Centrelink, Medicare or Child Support, call Services Australia’s Scams and Identity Theft Helpdesk on 1800 941 126.

IDCARE

Contact IDCARE if your personal information is at risk from a data breach. They’re a national identity and cyber support service for individuals and organisations.

Australian Taxation Office

Contact the ATO if someone has stolen your personal or business identity. You must report all tax-related security issues to the ATO.

Reporting

Reporting the lessons learnt from your ransomware incident can feed in to the wider cyber ecosystem and uplift the national cyber posture. All reports help uplift the national posture. By reporting in to ASD's cyber.gov site, you add to the collective knowledge of threats facing industry and the nation at large. A key strength ASD's ACSC is its ability to aggregate and analyse information to produce a national cyber threat picture. ASD draws upon information gathered through ASD intelligence sources and, crucially, the information provided by organisations and entities impacted by cyber incidents in Australia.

Single Reporting Portal | cyber.gov.au

We know that cyber security incidents can be complex and it can be difficult to understand how to meet your reporting requirements. For regulatory reporting requirements, the Single Reporting Portal is available to help you understand your obligations.

ASD's ACSC ReportCyber

Report cybercrimes, security incidents and vulnerabilities at cyber.gov.au. Your report helps to disrupt crime operations and makes Australia more secure. If your money and/or identity is at risk, also notify the relevant services below.

National Anti-Scam Centre - Scamwatch

Report malware incidents to National Anti-Scam Centre - Scamwatch. Your report helps to warn people about current threats and disrupt them where possible. You’ll need to provide details of the malware incident, such as how it occurred and any losses you suffered.

Your financial institution

Contact your bank or credit union immediately if you’ve lost money in a malware attack. They may be able to close your account or stop a transaction. Make sure you call them using their official phone number.

The compromised website or product owner

If the malware came from a compromised website or product, report the incident to its owner. This will help protect others from harm. Make sure you report it through an official email or phone number.

Services Australia

If you need to report a scam related to myGov or Services Australia, including Centrelink, Medicare or Child Support, email reportascam@servicesaustralia.gov.au.

If you think you've been scammed by someone impersonating myGov or Services Australia, including Centrelink, Medicare or Child Support, call Services Australia’s Scams and Identity Theft Helpdesk on 1800 941 126.

IDCARE

Contact IDCARE if your personal information is at risk from a data breach. They’re a national identity and cyber support service for individuals and organisations.

Australian Taxation Office

Contact the ATO if someone has stolen your personal or business identity. You must report all tax-related security issues to the ATO.

Was this information helpful?

Thanks for your feedback!

Optional

Tell us why this information was helpful and we’ll work on making more pages like it