The conversation around ANZ ransomware threats has shifted noticeably over the past year. What once looked like sporadic, high-profile incidents has evolved into a sustained and structured campaign against organizations across Australia and New Zealand. Signals emerging from underground forums and marketplaces reveal a sobering reality: ransomware is no longer just a technical problem; it is an economic strategy driven by efficiency, specialization, and scale. 

At the center of this shift is ransomware dark web intelligence, which paints a clear picture of attacker intent. Threat actors are not simply increasing volume; they are refining their focus. The ANZ region, with its high-value economy and deeply digitized infrastructure, has become a preferred hunting ground. 

Why High-Value Economies Attract ANZ Ransomware Threats 

Australia’s economic profile plays directly into the hands of ransomware operators. A strong GDP, combined with a relatively small population, creates a high-return environment. Attackers don’t need to cast a wide net; each successful breach can yield significant payouts. 

By mid-2025, 71 ransomware incidents had been publicly claimed in Australia, compared to nine in New Zealand. On the surface, those figures may seem moderate. However, when adjusted for population, the rate of ransomware attacks in Australia and New Zealand stands out globally. Even larger economies have not experienced the same intensity relative to their size. 

This imbalance reflects a fundamental principle driving ANZ organizations cybersecurity risks: attackers prioritize value over volume. In practical terms, fewer victims can still mean higher profits. 

A Fragmented Threat Landscape with No Single Dominant Actor 

Unlike regions where one ransomware group dominates headlines, the dark web ANZ cyber threats ecosystem is notably fragmented. Multiple groups, including Qilin, Akira, INC, Lynx, and Dragonforce, operate concurrently, each claiming a similar share of attacks. 

This decentralization complicates defense strategies. Organizations are not facing a predictable adversary with a consistent playbook. Instead, they must prepare for a rotating cast of threat actors, each bringing different techniques, timelines, and negotiation tactics. 

From a ransomware dark web intelligence perspective, this fragmentation signals a competitive market. Threat actors are actively testing sectors, probing defenses, and adapting quickly based on what works. 

Industries Under Sustained Pressure 

The distribution of ANZ ransomware threats is far from uniform. Certain sectors continue to absorb the majority of attacks due to the nature of their operations. 

Healthcare and professional services sit at the top of the list. In healthcare, the urgency of patient care creates a near-zero tolerance for downtime, increasing the likelihood of ransom payments. Professional services firms, on the other hand, hold large volumes of sensitive client data, making them lucrative targets. 

However, the scope is broader than these two sectors alone. Aviation software providers, pharmaceutical companies, engineering firms, and even steel manufacturers have all been affected. This pattern reinforces a key insight: ransomware attacks in Australia and New Zealand are opportunistic but calculated, targeting environments where disruption carries tangible consequences. 

Notable Incidents Reveal Tactical Evolution 

Several incidents in 2025 highlight how attackers are evolving their methods. 

The Akira group compromised an Australian industrial technology provider, exfiltrating approximately 10GB of sensitive data, including financial records and employee identification documents. This case highlights the growing overlap between ransomware and critical infrastructure risk. 

In another breach, a political organization suffered exposure to communications, identity records, and financial data, highlighting that ANZ organizations' cybersecurity risks extend beyond the private sector. 

Meanwhile, Dragonforce leaked over 100GB of data from an engineering firm, including technical drawings and internal reports. The long-term implications of such intellectual property theft often exceed immediate financial damage. 

These cases share a common thread: encryption is no longer the sole objective. Data exfiltration and double extortion have become standard practices. 

The Rise of Initial Access Brokers 

One of the most important developments in shaping dark web ANZ cyber threats is the growth of the initial access market. In 2025 alone, 92 instances of compromised access sales were observed across Australia and New Zealand. 

Retail organizations accounted for roughly 34% of these cases, followed by BFSI and professional services. The implications are significant. Attackers no longer need to breach networks themselves; they can simply purchase access. 

This shift has redefined how ANZ ransomware threats materialize. The most complex phase of an attack—initial intrusion—is now outsourced, accelerating timelines and increasing overall attack volume. 

It also introduces indirect risk. Organizations may be compromised through vendors, partners, or shared platforms, expanding the attack surface beyond traditional boundaries. 

Ransomware-as-a-Service and the Scaling Problem 

The emergence of affiliate-driven models, particularly groups like INC Ransom, has further amplified ransomware attacks in Australia and New Zealand. Operating under a Ransomware-as-a-Service structure, these groups separate responsibilities: affiliates handle intrusions, while core operators manage ransom negotiations. 

This model enables rapid scaling. Multiple attacks can be executed simultaneously, each leveraging shared infrastructure and tooling. 

INC Ransom’s activity across healthcare and professional services highlights how effective this approach has become. Their operations often involve credential compromise, privilege escalation, lateral movement, and eventual deployment of ransomware—frequently paired with data exfiltration. 

From a ransomware dark web intelligence standpoint, this reflects a mature ecosystem where roles are specialized, and efficiency is maximized. 

A Regional Problem with Cross-Border Impact 

Although Australia is the primary target, the broader region is not immune. A ransomware attack on Tonga’s Ministry of Health disrupted national healthcare services, while a major breach in New Zealand’s healthcare sector involved both data theft and system encryption. 

These incidents reinforce the interconnected nature of ANZ organizations' cybersecurity risks. Threat actors operate without regard for national boundaries, shifting focus wherever defenses appear weakest. 

Common Entry Points and Techniques 

Despite the evolving ecosystem, many attack methods remain consistent. Spear-phishing campaigns, exploitation of unpatched systems, and the use of stolen credentials continue to dominate. 

Once inside, attackers often rely on legitimate tools—file compression utilities, remote management software, and standard data transfer mechanisms—to blend into normal operations. This “living off the land” approach makes detection significantly more difficult. 

From Defense to Resilience 

The steady rise of ANZ ransomware threats signals a need for strategic change. Perimeter-based defenses are no longer sufficient in an environment where access can be purchased, and attacks can be outsourced. 

As access is bought and attacks are outsourced, organizations must shift toward stronger identity controls, continuous monitoring, rapid patching, and tighter third-party risk management. 

Cybersecurity is no longer just about prevention—it’s about resilience. Attacks are inevitable, but their impact doesn’t have to be. Cyble helps organizations stay ahead with AI-powered threat intelligence, dark web monitoring, and predictive defense through its AI-native platform, Cyble Blaze. 

Stay ahead of ransomware threats—book a free demo and build a more resilient security posture.

The post ANZ Organizations Are in the Ransomware Crosshairs— What the Dark Web Is Telling Us appeared first on Cyble.

Cybersecurity is no longer a luxury or an afterthought for Australian organizations; it is a necessity. The scale and complexity of cyberattacks have reached unprecedented levels, and businesses, government bodies, and critical infrastructure sectors are feeling the strain. No longer confined to isolated breaches or small-scale data thefts, cyber threats now target entire systems, aiming to disrupt, steal, or hold hostage valuable assets. 

Recent reports indicate a sharp rise in cyber threats targeting Australian businesses. In the first half of 2025 alone, Australia saw 57 ransomware attacks, doubling the number recorded in the same period of the previous year. Healthcare, finance, and critical infrastructure sectors have been the most severely impacted, with healthcare experiencing the highest volume of cyber incidents, particularly ransomware attacks. In addition, supply chain attacks have surged significantly, with 79 incidents documented in the first half of 2025, a notable increase from previous months. 

This transition is being powered by Artificial Intelligence (AI), which is enabling organizations to not only respond to threats but also anticipate them before they materialize. AI-powered threat detection and predictive cybersecurity solutions are taking center stage, offering the promise of more resilient defenses against cyber adversaries.  

The Growing AI Cybersecurity Threat Landscape in Australia 

Australia’s cybersecurity landscape is facing a critical period as cyberattacks evolve in both sophistication and scale. According to Cyble's H1 2025 report, Australia has seen a marked increase in the number of cyberattacks targeting critical infrastructure, with IT and software supply chain incidents rising by 25% compared to 2024. In particular, there has been a notable uptick in attacks aimed at telecommunications and technology companies, which are rich targets for cybercriminals seeking to exploit downstream users. 

The first half of 2025 also saw an increase in AI-powered phishing, where adversaries are leveraging artificial intelligence to generate highly convincing social engineering attacks. These AI-driven phishing campaigns are more tailored and difficult to detect, presenting a new challenge for organizations in sectors like government, finance, and healthcare. As phishing becomes more sophisticated, the financial damage from these attacks has escalated, with average ransom demands exceeding USD $750,000 in many cases. 

Cloud security is another growing area of concern. The rapid adoption of cloud infrastructure has made it an attractive target for cybercriminals, especially those exploiting misconfigurations and weak access controls. In the first half of 2025 alone, Cyble's investigations uncovered over 200 billion exposed files across major cloud service providers, demonstrating the critical need for stronger cloud security measures. 

Reactive vs Proactive Cybersecurity 

For many years, cybersecurity strategies in Australia were largely reactive. Organizations would implement security measures after an attack had occurred, with systems designed to detect and mitigate threats once they were already inside the network. This reactive model is no longer sufficient. 

In contrast, proactive or predictive cybersecurity focuses on identifying and neutralizing threats before they can strike. This shift requires an understanding of the evolving threat landscape and the ability to anticipate attack strategies before they unfold. By leveraging predictive cybersecurity solutions powered by AI and machine learning, organizations can stay several steps ahead of cybercriminals. 

The Role of AI in Predictive Cybersecurity 

AI is transforming cybersecurity by offering more than just automated responses. With its ability to analyze vast amounts of data and identify patterns, AI is the key enabler of predictive threat intelligence. Using machine learning algorithms, AI-powered platforms can detect anomalies, predict future threats, and even automate incident response actions. 

One such platform revolutionizing cybersecurity is Cyble Blaze AI, an advanced AI-powered threat detection system that uses predictive analytics to foresee cyberattacks and respond autonomously. Unlike traditional systems that rely on predefined rules, Cyble Blaze AI uses machine learning to learn from every interaction and adapt to new, unknown threats. This continuous learning ensures that the system becomes more accurate and effective over time, making it an essential tool in the shift from reactive to proactive cybersecurity. 

The Power of Machine Learning in Cybersecurity 

Machine learning (ML) has become a cornerstone of modern cybersecurity solutions. By leveraging large datasets, machine learning models can identify emerging patterns and trends in cyberattack strategies that would otherwise go unnoticed. ML algorithms can also classify threats based on their severity, enabling organizations to prioritize responses and allocate resources more effectively. 

In addition, machine learning in cybersecurity supports the concept of "autonomous defense." Rather than requiring human intervention to detect and respond to every attack, AI systems like Cyble Blaze AI can take action in real-time. For example, when Cyble Blaze AI detects a potential breach, it doesn’t just issue an alert; it can automatically isolate affected systems, shut down compromised accounts, and block malicious traffic, significantly reducing the time between detection and mitigation. 

Cyble Blaze AI: Leading the Way in Predictive Cyber Defense 

Cyble’s AI-driven platform, including the Blaze AI engine, represents a significant leap in cybersecurity technology. Blaze AI employs a dual-brain architecture, which integrates neural and vector memory systems to process both structured and unstructured data from a variety of sources. This comprehensive approach enables the platform to detect emerging threats across multiple domains, including the dark web, endpoint systems, and network activity. 

What sets Cyble Blaze AI apart is its ability to predict cyberattacks before they occur. By continuously analyzing data from over 350 billion signals, the system identifies early warning signs of potential threats, such as leaked credentials or new exploit discussions on the dark web. This predictive capability empowers organizations to take preemptive action, patch vulnerabilities, and strengthen defenses long before an attack is launched. 

Furthermore, Blaze AI’s autonomous agents collaborate seamlessly to execute threat responses in real-time. For example, if the system detects a phishing attempt or ransomware infection, it can take immediate corrective action, such as blocking the malicious file, isolating affected systems, or even restoring data from backups, all without human intervention. 

Don’t wait for the breach. Schedule a Demo Today 

The Importance of Predictive Cybersecurity Solutions for Australian Businesses 

For Australian businesses, the adoption of AI-driven cyber defense strategies is no longer a matter of choice, it’s a matter of survival. As the threat landscape becomes more sophisticated and cybercriminals grow more organized, organizations must evolve their cybersecurity practices to keep pace. 

By embracing AI-powered threat detection and predictive cybersecurity solutions, businesses can reduce the risk of significant breaches and minimize the impact of cyberattacks. These technologies offer several key benefits: 

• Early Threat Detection: AI can identify potential threats based on historical data and emerging patterns, giving organizations a head start in addressing vulnerabilities.  

• Automated Response: By automating routine tasks, AI systems can reduce the burden on human cybersecurity teams, allowing them to focus on more complex issues.  

• Continuous Learning: Machine learning algorithms improve over time, enabling AI systems to adapt to new types of attacks and threats.  

• Cost Efficiency: By preventing successful attacks before they escalate, AI-powered platforms can save organizations from the high costs associated with data breaches, downtime, and reputational damage.  

• Seamless Integration: Modern AI cybersecurity platforms like Cyble Blaze AI integrate with existing security tools, providing a unified, adaptive defense mechanism across all systems.  

The post Why AI Cybersecurity Is No Longer Optional for Australian Organizations: Moving from Reactive to Predictive Defense appeared first on Cyble.

Cybersecurity agencies across the Pacific region are sharing concerns about the ransomware group INC Ransom's expanding activities and the growing influence of its affiliate network.

A joint advisory issued by the Australian Cyber Security Centre (ACSC), National Computer Emergency Response Team Tonga (CERT Tonga), and the New Zealand National Cyber Security Centre (NCSC) highlights how the INC Ransom ecosystem has become an active threat to organizations in Australia, New Zealand, and Pacific Island states.

The advisory from the agencies down under is designed for both technical specialists and general network defenders. It outlines how INC Ransom operates, the techniques its affiliates use, and the steps organizations can take to reduce their exposure. Officials from the three agencies are urging both government ministries and private organizations to review the mitigation measures outlined in the guidance to strengthen defenses against INC Ransom activity.

What distinguishes this campaign is not only the ransomware itself, but the operational structure behind it. The INC Ransom ecosystem relies on a distributed affiliate model, enabling a broad range of cybercriminal operators to conduct attacks using shared tools and infrastructure.

The INC Ransom Affiliate Model and the RaaS Ecosystem

The operational structure of INC Ransom, which functions as a Ransomware-as-a-Service (RaaS) platform. The model allows external affiliates to deploy ransomware against victims while the core operators manage extortion negotiations and payment collection. 

INC Ransom first emerged in mid-2023 as a financially motivated cybercriminal group believed to be based in Russia. Since then, the group has built an affiliate network that distributes ransomware to attackers targeting organizations worldwide. Within this structure, affiliates perform the technical intrusion and deployment of the malware, while the core INC Ransom operators handle victim communication and ransom demands. 

The group is also known by other threat-intelligence labels, including Tarnished Scorpion and GOLD IONIC. 

According to the advisory from ACSC, NCSC, and CERT Tonga, INC Ransom operations are particularly focused on organizations that manage sensitive or high-value information. Health care providers have become a prominent target globally, likely due to the operational pressure these organizations face when systems become unavailable. 

Although earlier activity concentrated on victims in the United States and the United Kingdom, threat intelligence collected by ACSC, NCSC, and CERT Tonga indicates that the group has shifted attention toward the Pacific region since early 2025. 

INC Ransom Incidents in Australia

In Australia, ACSC has tracked a series of incidents linked to INC Ransom affiliates. 

Between 1 July 2024 and 31 December 2025, the ACSC responded to 11 incidents attributed to the ransomware operation. These incidents primarily affected organizations in professional services and the health care sector. 

Since January 2025, analysts at the ACSC have observed INC Ransom affiliates targeting Australian health care entities through compromised user accounts. Once access is obtained, attackers typically escalate privileges by creating new administrator-level accounts. They then move laterally through internal systems to expand control within the network. 

During these operations, INC Ransom affiliates have deployed malicious payloads using filenames such as “win.exe.” Investigations conducted by the ACSC have also identified cases in which attackers exfiltrated personally identifiable information and medical records before launching the encryption phase. 

Victims typically discover ransom notes containing instructions and links to the INC Ransom Tor-based data leak site (DLS) where negotiations occur. 

Health Infrastructure Disruption in Tonga 

One of the most disruptive incidents linked to INC Ransom occurred in the Kingdom of Tonga. 

On 15 June 2025, the ICT environment of the Tongan Ministry of Health was hit by a ransomware attack that disrupted the national health care network and rendered several core services inaccessible. Investigators from CERT Tonga, working with regional partners including ACSC and NCSC, discovered a ransom note associated with INC Ransom embedded within the ministry’s file systems. 

On 26 June 2025, the INC Ransom group publicly claimed responsibility for the incident on its dark-web data leak site. 

The advisory further identifies Roman Khubov, a cybercriminal also known as “blackod,” as the individual controlling the malicious infrastructure used to exfiltrate data during the Ministry of Health breach. 

Ransomware Incident in New Zealand 

Ransomware activity remains a persistent problem in New Zealand, where multiple sectors of the economy have experienced disruptions. 

In May 2025, the NCSC received a report from a health-sector organization that had suffered a major ransomware intrusion. According to the notification, attackers encrypted a large number of servers and endpoint devices while also stealing significant volumes of data. 

The NCSC investigation determined that INC Ransom was responsible for the incident. After the organization refused to meet the extortion demand, the attackers published the stolen dataset on the INC Ransom data leak site. 

The event reinforced concerns among cybersecurity officials at NCSC, ACSC, and CERT Tonga that the group’s tactics are targeting organizations whose operations are highly sensitive to disruption. 

Technical Tactics Used by INC Ransom 

Technical analysis from ACSC, NCSC, and CERT Tonga shows that INC Ransom affiliates rely on several common intrusion techniques to gain initial access to victim networks. 

The most frequently observed entry points include: 

• Spear-phishing campaigns targeting employees 

• Exploitation of unpatched internet-facing systems 

• Purchased credentials from initial access brokers 

Once inside the network, INC Ransom affiliates often rely on legitimate software tools rather than custom malware to perform key tasks. This tactic allows malicious activity to blend into normal administrative operations. 

For example: 

• 7-Zip and WinRAR are used to compress data before theft. 

• The file synchronization tool rclone is frequently used to transfer stolen data outside the network. 

After data exfiltration, attackers deploy the encryption component of INC Ransom. A ransom note is then left on affected systems with payment instructions and contact details. 

If the targeted organization refuses to pay, INC Ransom operators initiate double-extortion tactics by publishing both the victim’s name and stolen information on the group’s leak site. 

Security analysts note that the tactics, techniques, and procedures (TTPs) used by INC Ransom share similarities with other ransomware operations such as Lynx, Nemty, Nemty X, Karma, and Nokoyawa. 

Defensive Measures Recommended by ACSC, NCSC, and CERT Tonga 

The joint advisory from ACSC, NCSC, and CERT Tonga outlines several practical security measures designed to reduce the risk of INC Ransom compromise. 

Key defensive actions include: 

• Maintain Reliable Backups: Organizations should maintain regular, tested backups of critical systems and store them securely to prevent unauthorized modification or deletion. 

• Restrict Network Traffic: Network administrators should limit inbound and outbound traffic to only what is necessary for operations. Firewalls and filtering technologies can help reduce exposure to phishing campaigns and malicious attachments. 

• Harden Remote Access: Virtual private networks (VPNs) and other remote access systems should be carefully configured to ensure only authorized users can reach sensitive resources. 

• Implement Multi-Factor Authentication: The advisory from ACSC, NCSC, and CERT Tonga emphasizes implementing phishing-resistant multi-factor authentication (MFA) for internet-facing services and privileged accounts. 

• Manage Privileged Access: Administrative privileges should be tightly controlled. Unique accounts for administrators improve accountability and reduce the impact of credential compromise. 

• Maintain Strong Vulnerability Management: Regular vulnerability scanning and rapid patching of exposed systems remain critical, particularly for internet-facing services that ransomware actors commonly target. 

Growing Regional Collaboration Against the INC Ransom 

The joint advisory reflects cooperation among cybersecurity agencies across the Pacific. By sharing intelligence and incident data, organizations such as ACSC, NCSC, and CERT Tonga are building a more coordinated response to ransomware threats like INC Ransom. 

The rise of affiliate-driven ransomware operations has significantly lowered the barrier to entry for cybercriminal activity. In this environment, the INC Ransom ecosystem demonstrates how distributed attacker networks can rapidly shift focus across geographic regions. 

For organizations in Australia, New Zealand, and the Pacific islands, the advisory from the Australian Cyber Security Centre (ACSC), New Zealand National Cyber Security Centre (NCSC), and National Computer Emergency Response Team Tonga (CERT Tonga) highlights the need to strengthen access controls, monitor network activity, and maintain a tested incident response plan to limit the impact of ransomware attacks. 

Threat intelligence from Cyble helps organizations track ransomware activity, monitor dark web exposure, and identify indicators of compromise earlier. 

Schedule a demo with Cyble to see how its threat intelligence platform supports ransomware detection and response. 

References:

• https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/inc-ransom-affiliate-model-enabling-targeting-of-critical-networks 

• https://www.cyber.gov.au/about-us/view-all-content/news/inc-ransom-and-affiliate-network-operating-in-australia-new-zealand-and-the-pacific-island-states 

The post Australia, New Zealand, Tonga, Warn of Rising INC Ransom Attacks Targeting Pacific Networks appeared first on Cyble.

The Australian government has intensified efforts to protect digital infrastructure across all Commonwealth entities. Two recent publications, the 2024–25 Protective Security Policy Framework (PSPF) Assessment Report and the 2025 Commonwealth Cyber Security Posture Report, offer a comprehensive snapshot of current achievements, challenges, and future priorities in government cyber resilience. 

The PSPF Assessment Report highlights that 92% of non-corporate Commonwealth entities (NCEs) achieved an overall rating of “Effective” compliance under the updated evidence-based reporting model. This framework moves beyond traditional checklists, focusing on measurable outcomes, tangible risk reduction, and demonstrable assurance. While information security across agencies continues to perform well, technology security, including cyber security, remains a key area for ongoing improvement, with 79% of entities reporting effective compliance in this domain. 

PSPF policies 13 and 14 form the backbone of this effort. Policy 13: Technology Lifecycle Management emphasizes protecting ICT systems to ensure secure and continuous service delivery, integrating principles from the Australian Signals Directorate (ASD) Information Security Manual (ISM). Policy 14: Cyber Security Strategies mandates the adoption of the Essential Eight mitigation strategies to Maturity Level 2, encouraging entities to consider higher levels where threat environments warrant. 

The report also shows high engagement in proactive security measures: 90% of entities maintain incident response plans, 82% have formal cybersecurity strategies, and 87% conduct annual staff cybersecurity training. 

The Essential Eight and Technical Cyber Hardening 

The 2025 Commonwealth Cyber Security Posture is the implementation of ASD’s Essential Eight mitigation strategies. These technical controls, ranging from patching applications and operating systems to multi-factor authentication, administrative privilege restriction, and secure backups, are designed to reduce the likelihood of ICT systems being compromised. 

In 2025, 22% of entities achieved Maturity Level 2 across all eight strategies, an improvement from 15% in 2024, though slightly below 2023’s 25%. This minor drop reflects the November 2023 update to the Essential Eight, which hardened controls in response to evolving threat tactics.  

Notably, strategies like multi-factor authentication and application control saw temporary reductions in compliance as agencies adjusted to higher technical standards, such as phishing-resistant MFA and updated application rules targeting “living off the land” exploits. 

Legacy IT systems remain a challenge, with 59% of entities reporting that these older systems impede achieving full maturity. Funding constraints and lack of replacement options are primary obstacles.  

Cyber Hygiene, Incident Preparedness, and Reporting 

Data-driven programs like ASD’s Cyber Hygiene Improvement Programs (CHIPs) track the security of internet-facing systems, assessing email protocols, encryption, and website maintenance. Between May 2024 and May 2025, improvements were noted across email domain security and active website maintenance, though effective web server encryption showed a minor dip due to better identification of previously untracked servers. 

Despite strong internal preparedness, reporting of incidents remains relatively low, with only 35% of entities reporting at least half of observed incidents to ASD. In the 2024–25 financial year, ASD responded to 408 reported incidents, representing a third of all events addressed nationally.  

Leadership, Governance, and Strategic Planning 

Effective cyber resilience extends beyond technical controls. Leadership and governance play a decisive role in embedding security into everyday operations. Chief Information Security Officers (CISOs) guide strategy, advise senior management, and ensure compliance with legislative and policy requirements.  

Survey results indicate substantial progress: 82% of entities have formal cyber strategies, 92% integrate cyber disruptions into business continuity planning, and 91% have defined improvement programs with allocated funding. 

Supply chain security is another priority. Seventy percent of entities now conduct risk assessments for ICT products and services, ensuring secure lifecycle management. Agencies are also beginning to prepare for post-quantum cryptography, aligning with ASD guidance to transition encryption to quantum-resistant standards by 2030. 

Recommendations and the Road Ahead 

Both the 2024–25 PSPF Assessment Report and the 2025 Commonwealth Cyber Security Posture Report reinforce that cyber resilience is a continuous, iterative process. Key recommended actions include: 

• Fully implement the Essential Eight to at least Maturity Level 2. 

• Strengthening incident detection, logging, and reporting. 

• Addressing risks associated with legacy IT systems. 

• Integrating cyber risk assessments into supply chain decisions. 

• Preparing for post-quantum encryption transitions. 

• Maintain ongoing staff and privileged user training programs. 

Stephanie Crowe, Head of ASD’s Australian Cyber Security Centre, observed that “cyber security uplift is not a one-off exercise, it’s a continuous process.” Similarly, Brendan Dowling, Deputy Secretary of Critical Infrastructure and Protective Security, emphasized the government’s commitment to positioning itself as an exemplar in secure digital operations. 

Conclusion 

Australia has improved its cyber posture, but significant gaps remain. The 2024–25 PSPF Assessment and the 2025 Commonwealth Cyber Security Posture Report show stronger Essential Eight adoption, better incident planning, and improved governance.  

However, inconsistent Maturity Level 2 implementation, legacy IT constraints, and underreporting of incidents continue to limit overall resilience. Advancing Australian government cybersecurity now requires closing control gaps, modernizing aging systems, strengthening logging and detection, and preparing for post-quantum encryption. 

Cyble supports this effort with AI-driven threat intelligence, attack surface management, and dark web monitoring to help organizations detect and mitigate risks earlier. Schedule a demo to see how Cyble can help strengthen your organization’s cyber resilience with intelligence-led, proactive defense. 

References:

• https://www.cyber.gov.au/about-us/view-all-content/news/progress-ongoing-to-improve-the-australian-governments-cyber-resilience 

• https://www.protectivesecurity.gov.au/news/pspf-assessment-report-2024-25 

• https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/the-commonwealth-cyber-security-posture-in-2025 

The post How the Protective Security Policy Framework Shapes Australia’s Commonwealth Cyber Security Strategy  appeared first on Cyble.

For many residents in Perth, finding a rental has become a high-stakes challenge. As demand for housing surges, a troubling trend has just been revealed. An Australian housing scam preying on renters who are willing to stretch every dollar to secure a roof over their heads. These rent scams, often orchestrated by individuals posing as private landlords on online platforms like Facebook Marketplace, have left victims financially and emotionally drained. 

The scheme typically begins with a seemingly genuine rental listing. Scammers steal photos from legitimate properties and post them online, offering rent well below the market rate. In Perth, median rental prices are at historic highs, with houses averaging $700 per week and units $670. Scammers exploit this stress by pitching “exclusive” opportunities that seem almost too good to be true. 

The Mechanics of the Australian Housing Scam 

Messages from these fraudsters are carefully crafted to manipulate potential tenants. One such message promises that the apartment will be “reserved exclusively only for you” in exchange for a security deposit or “commitment fee” of just a few hundred dollars. The deposit is presented as fully refundable or deductible from the first week’s rent. In reality, once the money is transferred, the scammer vanishes, leaving victims without the property and out of pocket. 

WA Commissioner for Consumer Protection, Trish Blake, describes the situation as a “perfect playground for scammers.” She explains that the perpetrators often groom their targets by appealing to their sense of urgency and personal integrity, portraying themselves as allies to those struggling in the rental market. “They’ll tell you that you’re a real battler, that you’re a good person, and that they want to help you out,” Blake said, as reported by Nine News. 

Rising Numbers and Financial Impact 

The scale of the problem is growing. In 2025, WA ScamNet, part of the Department of Local Government, Industry Regulation and Safety, documented 20 cases of rental scams, totaling losses of $51,875, a 27 percent increase from the previous year. Scammers typically provide a property address for drive-by inspections but evade any requests for in-person viewings. To add credibility, fake rental agreements featuring official logos may be used, and tenants are pressured to pay via bank transfer, bypassing safer, traceable channels. 

Rob Mandanici, a member of the Real Estate Institute of Western Australia, stresses the emotional pressure on renters. “People have pure desperation, and they will do what they can for their family, thinking they’re doing the right thing while potentially dealing with unsavoury characters,” he said. 

Commerce Minister Dr. Tony Buti noted the heartbreak of seeing renters targeted in this way. “It is particularly heartbreaking to see scammers targeting renters because they know they are under pressure and may take risks to secure a property,” he said. He advises tenants to insist on inspecting the property in person and to treat unusually cheap rent as a red flag. 

Why Perth Is Vulnerable to Housing and Rent Scams 

Several factors make Perth an ideal environment for this type of Australian housing scam. Rental vacancies are low, demand is high, and properties are snatched quickly, often in as little as 16 days. This scarcity creates a sense of urgency among renters, which scammers exploit. 

The Cook Government has issued repeated warnings to Western Australian tenants to remain vigilant, especially when dealing with private landlords or online marketplaces. Inspecting the property before paying, verifying the landlord’s identity, and consulting licensed real estate agents are critical protection methods. 

Several practical tips to avoid falling victim to rental scams include: 

• Be suspicious of properties advertised for well below market rent. 

• Do not rely solely on photos; perform reverse image searches to verify authenticity. 

• Check the property on reputable real estate websites and contact previous listing agents. 

• Avoid landlords or listings that use the same email address for multiple properties. 

• Always inspect the property in person before signing a lease or paying funds. 

• Ensure a formal lease agreement (Form 1AA) and keys are provided before transferring any money. 

• Be cautious with direct bank transfers; only pay verified landlords or licensed agents. 

Scams can be reported through the WA ScamNet website, or further guidance on rent is available via the Consumer Protection website. The Australian housing scam in Perth is more than a financial threat; it exploits human vulnerability in a market under immense pressure.  

Renters finding high prices and fierce competition must combine caution with diligence, balancing urgency with verification. While there is no substitute for careful vetting, awareness and education remain the most effective defense against campaigns like the Australian housing scam.  

References: 

• https://www.9news.com.au/national/perth-rentals-deposit-scam-targets-desperate-renters/b505ff04-a476-4478-b248-eb903ddd5c20 

• https://www.wa.gov.au/government/media-statements/Cook%20Labor%20Government/Rise-in-rent-scams-targeting-Western-Australian-tenants--20260129 

The post Desperate Perth Renters Targeted by Rising Australian Housing Scam appeared first on Cyble.

The cyber threat environment in Australia and New Zealand experienced a new escalation throughout 2025, driven by a surge in initial access sales, ransomware operations, and high-impact data breaches. According to our Threat Landscape Report Australia and New Zealand 2025, threat activity observed between January and November 2025 reveals a complex and commercialized underground ecosystem, where compromised network access is actively bought, sold, and exploited across multiple sectors. 

The threat landscape report identifies a persistent focus on data-rich industries, with threat actors disproportionately targeting Retail, Banking, Financial Services, and Insurance (BFSI), Professional Services, and Healthcare organizations. These sectors continue to attract attackers due to the volume of sensitive personally identifiable information (PII), financial data, and downstream access opportunities they offer. 

Growth of Initial Access Sales in 2025 

A central finding of the report is the continued growth of the initial access market. Cyble Research and Intelligence Labs (CRIL) documented 92 instances of compromised access sales affecting organizations in Australia and New Zealand during 2025. Retail organizations were the most heavily targeted, accounting for 31 incidents, or approximately 34% of all observed activity. This figure is more than three times higher than that of the next most targeted sector. 

The BFSI sector recorded nine compromised access listings, followed by Professional Services with seven incidents. Combined, these three sectors accounted for more than half of all initial access listings observed in the region during the reporting period. 

This concentration reflects a strategic approach by initial access brokers. Retail and BFSI organizations routinely handle large volumes of customer data and payment information, making them valuable targets for monetization or follow-on ransomware attacks. Professional Services firms, meanwhile, often provide access to client environments, creating opportunities for supply chain exploitation. 

A Fragmented but Active Access Brokerage Market 

Analysis of the compromised access marketplace reveals a highly fragmented ecosystem rather than one dominated by a small number of major actors. The threat actor known as “cosmodrome” emerged as the most prolific seller of compromised access during the period, followed closely by an actor operating under the alias “shopify.” 

Despite their activity, these actors did not control the market. The top seven most active sellers were collectively responsible for only about 26% of the observed access listings. The remaining activity originated from dozens of individual threat actors who posted listings once or twice, suggesting a low barrier to entry and a marketplace populated by both specialized brokers and opportunistic participants. 

This structure indicates that initial access sales have become an accessible revenue stream for a wide range of threat actors, reinforcing the resilience and scalability of the underground economy. 

High-Impact Incidents Highlight Broader Risks 

Several notable incidents documented in the threat landscape report illustrate how initial access is translated into real-world impact. 

In June 2025, the threat group Scattered Spider was suspected of orchestrating a cyberattack against a major Australian airline. Attackers reportedly gained unauthorized access to a customer service portal, resulting in a data breach that exposed records belonging to nearly six million customers. The compromised data included names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. 

The airline confirmed that more sensitive information, such as credit card details, financial records, and passport data, was not affected because it was not stored in the breached system. Investigators believe the incident may be part of a broader campaign targeting the aviation sector. 

In March, threat actor “Stari4ok” advertised the sale of unauthorized access to a large Australian retail chain on the Russian-language cybercrime forum Exploit. The actor claimed the access involved a hosting server containing approximately 250 GB of data, including a 30 GB SQL database with a user table of around 71,000 records. Based on the claimed annual revenue of USD 2.6 billion and the described industry, the victim appears to be a major retailer, although this has not been independently confirmed. The access was listed for auction with a starting price of USD 1,500. 

Another listing emerged in May when the threat actor “w_tchdogs” offered unauthorized access to a portal belonging to an Australian telecommunications provider on the English-language forum Darkforums. The actor claimed the access provided entry to domain administration tools and critical network information. The listing price was USD 750. 

Data Breaches and Hacktivist Activity 

Not all incidents were tied directly to access sales. In mid-April, unidentified threat actors gained unauthorized access to the IT systems of a prominent accounting firm operating across Australia and New Zealand. The organization publicly confirmed the breach, stating that some data may have been compromised and that an investigation was ongoing. While business operations continued, the firm warned clients of potential phishing attempts and obtained court injunctions in both countries to prevent the dissemination of affected data. As of the time of reporting, no threat group had claimed responsibility. 

Hacktivist activity also remained visible. In January 2025, the group RipperSec claimed to have accessed an optical-fiber network monitoring device belonging to an Australian cable and media services provider. The device was reportedly no longer supported by its vendor. As proof, the group released images suggesting internal defacement and possible data manipulation. 

Want a deeper insight into these threats? Check out Cyble’s Australia and New Zealand Threat Landscape Report 2025 or schedule a demo to see check out how Cyble can protect your organization against these threats. 

The post Initial Access Sales Accelerated Across Australia and New Zealand in 2025 appeared first on Cyble.