
To Report or Not to Report Ransom Payments – Two Diverging Opinions

This article is part of a three-part Trustwave series examining the efficacy of recently implemented and proposed government regulations requiring organizations victimized by ransomware to report if they make a ransom payment.

The following two installments in the series will feature Trustwave's Craig Searle, Director of Consulting & Professional Services in the Pacific, and Ed Williams, Vice President at Trustwave SpiderLabs, who take opposing viewpoints on whether this legislation will prove helpful in defeating or abating ransomware attacks. Please read Searle and Williams' thoughts on the topic.

Ransomware attacks have always placed the victims in a difficult position. The attack itself is bad enough, locking up needed assets, but ransomware victims also face the conundrum of deciding whether or not to pay the ransom in the hope that their attacker will, in fact, honor their promise to release their grip on the target's data or network.

Let's start with setting the record straight. Trustwave in no way endorses ransom payments. We believe the best way to deal with a ransomware situation is to:

A: Create a strong defensive posture that will deter, if not stop, an attack.

B: Have in place a solid and well-practiced incident response plan that includes backups so an organization can quickly recover from any attack.

Now, these organizations have another decision to process: whether or not to report a ransomware payment to government authorities, as several nations have instituted, to some degree, requirements that any ransom payment must be reported.

To be clear, Trustwave, the US, UK, Australian, and most other governments do not recommend that a ransomware victim succumb to the pressure and pay an attacker. There are multiple reasons behind this stance. There is no guarantee that the payment will result in the release of the data or network. It singles the victim out as a "payer", which could result in follow-up attacks, and it enriches the threat actor, encouraging further attacks.

The reason behind these regulations varies, but the bottom line is government agencies hope to "defund" ransomware gangs by cutting off their income stream. Additionally, by working with ransomware victims and gaining insight into how the attackers operate, governments hope to gain some inside knowledge on how the gangs work, leading to a more effective defense.

However, we need to take a closer look at some of the regulations before we can judge their potential value.


Australia: Leading the Charge with Immediate Reporting

Australia became one of the first nations to implement a ransomware payment reporting requirement when its Cyber Security Act 2024 went into effect in May 2025. The Act was signed into law in November 2024, but the commencement of the ransomware payment reporting regime under Part Three of the Cyber Security Act 2024 only just got underway.

As of May 30, 2025, businesses with an annual turnover exceeding $3 million AUD and entities responsible for critical infrastructure assets must report if they make a ransomware payment or become aware that one has been made on their behalf.

The reporting window is tight: 72 hours from the time the payment is made or discovered. The detailed report requires extensive information, including:

  • Reporting entity's details.
  • Details of the cybersecurity incident (when it occurred, its impact, ransomware variant, vulnerabilities exploited).
  • Information about the demand (amount, payment method).
  • Information about the payment made (amount, method, even if non-monetary).
  • Details of communications and negotiations with the extorting entity.

For the initial six months (until December 31, 2025), the Australian Department of Home Affairs will adopt an "education first" approach, focusing on assisting entities with compliance. However, failure to report can ultimately lead to a civil penalty of 60 penalty units. Importantly, the Act includes "limited use" provisions, generally preventing the reported information from being used for civil or regulatory action against the reporting entity, with the aim of encouraging honest disclosure.


United States: Laying the Groundwork with CIRCIA

The US is moving forward under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation mandates the Cybersecurity and Infrastructure Security Agency (CISA) to establish rules for "covered entities" to report both cyber incidents and ransomware payments.

While the specifics are still being finalized, CISA published a Notice of Proposed Rulemaking (NPRM) in April 2024, with the Final Rule expected to be effective in late 2025 or early 2026. Once in full effect, organizations in critical infrastructure sectors (including financial services, healthcare, energy, IT, and defense) will face strict reporting deadlines: 72 hours for covered cyber incidents and a tighter 24 hours for any ransomware payment.

It's important to note that until the Final Rule is implemented, CISA strongly encourages voluntary reporting to help them track trends and offer assistance. Separately, publicly traded companies in the US already have obligations under the Securities and Exchange Commission (SEC) to disclose "material" cybersecurity incidents within four business days. However, this doesn't specifically mandate reporting the payment itself.


United Kingdom: Anticipating a Legislative Shift

The UK's landscape around ransomware payment reporting is currently undergoing significant proposed changes. While existing regulations, such as the UK GDPR (requiring the reporting of personal data breaches within 72 hours) and the NIS Regulations (applicable to operators of Essential Services and digital service providers), cover general cyberattack reporting, there's no universal mandatory requirement to report ransomware payments... yet.

However, recent consultations indicate that new legislation, likely in the form of a "Cyber Security and Resilience Bill", is on the horizon. Key proposals include:

  • Mandatory Ransomware Incident Reporting: All ransomware attacks would need to be reported to government authorities, regardless of whether a ransom is paid. Initial reports might be required within 72 hours, with full reports within 28 days.
  • Reporting Intent to Pay Ransom: Victims, particularly those not subject to a payment ban, must report their intention to make a ransomware payment before transferring funds. This would allow authorities like the National Crime Agency (NCA) to intervene and offer guidance, potentially even blocking payments to sanctioned entities.
  • Targeted Ban on Ransomware Payments: A significant proposal includes banning ransomware payments for all public sector bodies and critical national infrastructure (CNI) owners and operators. This aims to disrupt the criminal business model by removing the financial incentive for attacking essential services.

The public consultation on these proposals ended in April 2025, and the government is currently reviewing feedback to finalize the legislation. While UK authorities generally advise against making ransomware payments, these forthcoming regulations signify a significant step towards greater transparency and enhanced governmental oversight.

Please see Craig Searle and Ed Williams’ opinions on this topic.
