Australia’s high per-capita GDP has led to an outsized number of ransomware attacks. Here are the numbers – and 10 major attacks that hit the ANZ region.
Australia’s rich resources and high median wealth make the country an attractive target for threat groups, and ransomware groups have taken notice.
Ransomware groups have claimed 71 attacks on Australian organizations thus far in 2025, compared to just nine in New Zealand. Both countries have nonetheless experienced significant ransomware attacks this year, some with supply chain implications, so we discuss 10 significant recent incidents involving Australia and New Zealand below.
The U.S., Canada and Europe experience a significantly higher volume of ransomware attacks, but on a per-capita basis, Australia faces an outsized number of ransomware attacks. Italy, for example, has experienced 118 ransomware attacks so far in 2025 – fifth highest globally – yet has more than double Australia’s population. Australia’s prosperous economy (13th globally in GDP and 55th in population) has made it a very attractive target for threat actors.
Interestingly, unlike the rest of the world, where Qilin dominates, the region has no clear leader among ransomware groups: Qilin, Akira, and INC have each claimed eight attacks this year, with Lynx and Dragonforce right behind (chart below).
Professional services and healthcare have been the most targeted sectors in the ANZ region, but an additional eight sectors have been hit by three or more attacks thus far in 2025 (see chart below).
Below are eight significant ransomware incidents that have affected Australia this year, as well as two that have targeted New Zealand.
The Akira ransomware group claimed responsibility for an attack on an Australian company that provides OT & ICS services for various critical sectors. Akira claimed to have stolen 10GB of corporate data, including employee information (passports, driver’s licenses, medical records, and birth/death certificates), as well as confidentiality agreements, contracts, financial records, and project documentation.
An Australian political party suffered a ransomware-related breach in June 2025. The attackers gained unauthorized access to servers and potentially exfiltrated email correspondence, documents, phone numbers, identity records, banking details, and employment history.
Dragonforce leaked more than 100 GB of data allegedly stolen from an Australian engineering firm. The data included historical site and customer reports, detailed technical drawings of equipment, and a folder containing pathology and medical reports related to employees.
Arcus Media claimed an attack on an Australian IT company that develops flight simulation and aviation training software, but the group did not release any sample data or disclose the volume and nature of the data exfiltrated from the company’s network.
The VanHelsing ransomware group allegedly compromised an Australia-based medical technology company specializing in sleep diagnostics, brain research, and neurology monitoring systems. To support its claims, the group shared a file tree that includes passport scans of U.S.-based staff, credit application forms, product and testing data, purchase orders, and additional employee-related information.
The RansomHub ransomware group claimed responsibility for compromising an Australia-based pharmaceutical company specializing in the development, manufacturing, and distribution of healthcare products. The group alleged access to 40 GB of sensitive data.
Akira claimed to have stolen 26 GB of data from an Australian process engineering firm, including contact details of employees and customers, internal communications, and financial documents.
Qilin listed an Australian steel industry company as a victim, claiming to have stolen 11 GB of data consisting of over 23,000 files. The group published samples to support its claim, including financial documents and internal correspondence.
The Play ransomware group claimed responsibility for an attack on a New Zealand-based SaaS company specializing in billing solutions. The attackers did not disclose the volume of data allegedly stolen but claimed it includes private and confidential information, client documents, budgets, payroll, accounting, tax records, IDs, and financial data.
The Chaos ransomware group leaked nearly 3 GB of data consisting of more than 20,000 files allegedly stolen from an international instrumentation company with a significant presence in New Zealand. The file tree analysis indicated potential exposure of a wide array of technical and production-related materials, and additional files referenced PCB corrections, SMT programming, and RoHS compliance, suggesting potential compromise of proprietary manufacturing and R&D data.
With significant wealth and resources comes significant cyber risk, as organizations in Australia and New Zealand – and elsewhere – have discovered. Ransomware groups have the financial means and motive to continue to evolve their malware and tactics, and the crippling damage these attacks can inflict requires the highest possible vigilance on the part of security teams.
Developing cyber resilience is critical. Best practices include segmentation of critical assets; zero trust principles; immutable backups; hardened endpoints and infrastructure; a risk-based vulnerability management program; endpoint, network, and cloud monitoring; and a well-rehearsed incident response plan.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.