Exclusive: A groundbreaking initiative requiring companies to disclose cyber extortion payments has unearthed a startling reality: a significant number of Australian businesses are capitulating to ransom demands from overseas criminals.
Home Affairs Minister Tony Burke has highlighted the mounting cyber ransom threat posed by Russian criminal organizations, alongside scammers originating from countries like China, Iran, and North Korea.
To gauge the prevalence of ransom payments, a regulation was introduced on May 30 mandating businesses with annual revenues exceeding $3 million to report any ransom payments to the federal government.
Since the implementation of this rule, 66 companies have disclosed such payments, although Burke suspects the actual number might be higher.
“We suspect we’re still not capturing everyone,” Burke told 9News.
“This is a really good start, but we still work on the basis that some people are not yet reporting.
“It’s not simply a legal obligation to report, it’s also completely in their interests.”
Australia’s National Cyber Security Coordinator Michelle McGuinness said paying a ransom is never wise and only feeds the $25 billion-a-year cybercrime industry.
But she said the payment of a ransom is not illegal, because in “life and death scenarios” it may be considered the only option by some victims.
“There are a small number of scenarios where a system may be connected to a piece of equipment that might be supporting life and death, providing power, providing water,” she said.
“So there are some unique circumstances where you could envisage that it could have significant impacts if it took you any longer to remediate those systems – so paying might bring you a little bit of speed.”
Melbourne lawyer Cameron Whittfield, who specialises in cyber security at HSF Kramer, said only a small minority of corporates targeted by ransom attacks pay up.
He estimated this as less than a third.
“Those that pay are probably more likely to pay if they’ve got an operational or asset integrity issue rather than a data issue, because the data has already left the building by the time that extortion demand arrives,” Whittfield said.
“And so what you’re paying for is something which is relatively intangible, which is basically a commitment from a threat actor to not disclose or delete that data.
“Now that can occur whether or not you’re critical infrastructure or a hospital or electricity distribution or something similar, or it could be just an everyday business, a small, medium business, which just relies on continuity.”
9News has been told that ransoms targeting bigger companies typically range from hundreds of thousands to millions of dollars.
McGuinness said paying ransoms “just feeds this cycle of criminality”.
“We’re dealing with criminals, so we can’t trust that they’re going to be honest,” she said.
“We know they have data. They may give back a copy, but we’ve also seen criminals and other criminals then exploit further the data.
“Those who pay a ransom really illuminate themselves as a target, as being a payer, and so many of them are retargeted and have to pay again.”
Burke said: “A lot of the reports we’ve had have been from Russian gangs, but no matter what country it’s from, they’ve all got one thing in common: they’re criminals, they’re not trustworthy, and they’re not going to act in people’s interests.”