The Numbers Don't Lie
Compiled from ACSC incident reports, cyber insurance claims data, and threat intelligence shared across Australian ISACs, the Q1 2026 data is, frankly, alarming. Confirmed ransomware incidents are up 34% compared to the same period in 2025. Average ransom demands have climbed to $8.7 million — from $6.2 million last year — as groups sharpen their targeting to focus on organisations with both deep pockets and genuine operational pressure to restore services quickly.
Two figures in particular stand out. The first: 51% of Q1 incidents involved data exfiltration before encryption was deployed, meaning victims faced not just an operational outage but the active threat of sensitive data being published. The second: the average time from initial network access to ransomware deployment has compressed to 72 hours, down from 96 hours in 2025. Attackers are spending less time inside victim environments before they pull the trigger — a sign that affiliates have become more efficient, and that early detection is now the only reliable window for intervention.
Perhaps most discouragingly, 38% of victims paid. Despite repeated law enforcement warnings that payment funds future attacks and provides no guarantee of data deletion, more than one in three Australian victims chose payment over recovery. This figure has remained stubbornly persistent for three consecutive quarters.
Dominant Threat Groups
Qilin (Agendacrypt)
Qilin has emerged as the dominant ransomware group targeting Australian organisations in 2026, responsible for an estimated 31% of all confirmed incidents. The group, believed to operate from Eastern Europe, has developed particularly effective tooling for targeting healthcare environments and has demonstrated deep knowledge of healthcare-specific software including electronic medical record systems and medical imaging platforms.
Qilin's affiliate model has proven effective at recruiting operators with specific sector expertise, enabling more targeted attacks that cause greater disruption and create stronger pressure to pay. The group's ransom demands in healthcare environments have averaged $12.3 million — nearly 42% higher than their average demand across all sectors.
BlackSuit
BlackSuit (the successor to Royal ransomware, itself believed to be connected to the former Conti group) has been responsible for 24% of Australian incidents in Q1 2026. The group has been particularly active against local government targets, likely because of the combination of sensitive community data, limited security budgets, and political pressure to restore services quickly that characterises this sector.
BlackSuit has demonstrated a pattern of extended dwell time in local government networks — averaging 45 days from initial access to ransomware deployment — using this time to identify and target backup infrastructure specifically, severely limiting victims' ability to recover without paying.
RansomHub
RansomHub, a newer entrant that emerged in early 2024, accounts for 18% of Q1 2026 Australian incidents. The group operates as a ransomware-as-a-service (RaaS) platform and has rapidly grown its affiliate base by offering unusually favourable revenue sharing terms (90% to affiliates vs the typical 70-80%). RansomHub affiliates have been responsible for attacks on several mid-market Australian professional services and manufacturing firms.
Sector Deep Dive: Healthcare
Healthcare has been the most heavily targeted sector in Q1 2026, with confirmed incidents at hospitals, primary care networks, pathology providers, and specialist clinics across all states and territories. The reasons for this targeting concentration are well understood by threat actors:
- Critical service dependency: Healthcare organisations cannot tolerate extended system outages without patient safety implications, creating maximum pressure to pay
- Sensitive data value: Medical records command premium prices on dark web marketplaces, providing secondary monetisation opportunities
- Security maturity gap: Many healthcare organisations — particularly smaller regional hospitals and primary care networks — have significantly under-invested in cybersecurity relative to the sensitivity of the data they hold
- Legacy systems: The healthcare sector's reliance on specialised legacy software creates exploitable vulnerabilities that cannot be quickly remediated
The most significant Q1 2026 healthcare incident involved a major metropolitan hospital network that experienced a Qilin attack resulting in the diversion of ambulances and cancellation of elective surgeries for 11 days. The incident, which has not been publicly attributed, is reported to have cost the health system in excess of $28 million in recovery costs and operational impact.
Sector Deep Dive: Local Government
Local councils have been targeted at an unprecedented rate in Q1 2026, with confirmed incidents across both metropolitan and regional councils in NSW, Victoria, Queensland, and Western Australia. The BlackSuit group's focus on council targets reflects a deliberate strategic choice to target organisations that:
- Hold sensitive personal data on large populations (rates, building applications, parking infringement records)
- Operate essential community services (waste management, planning, licensing) that cannot be suspended indefinitely
- Have limited IT security budgets relative to their data custodial responsibilities
- Face public accountability pressures that may accelerate payment decisions
State government cyber coordination units in NSW and Victoria have both issued updated threat advisories for the local government sector and are offering incident response support through pooled contracts.
How They're Getting In
Phishing remains the dominant initial access vector at 41% of Q1 incidents, but the nature of phishing has shifted considerably. AI-generated phishing content — personalised, grammatically flawless, and often contextually specific to the recipient's role and organisation — has measurably improved credential harvesting success rates. Traditional security awareness training built around spotting typos and generic lures is increasingly inadequate against this new generation of social engineering.
The second and third most common vectors — exposed RDP (22%) and VPN vulnerability exploitation (19%) — share a common thread: both represent internet-facing access infrastructure that was either misconfigured or unpatched. The FortiGate zero-day disclosed in March 2026 contributed significantly to the VPN exploitation figure, with ransomware affiliates moving within hours of proof-of-concept code becoming available. This is a recurring pattern. Vulnerability disclosure creates a window measured in hours, not days, before ransomware groups begin weaponising the flaw.
The most troubling trend in the Q1 data is the growing contribution of third-party access compromises, now accounting for 11% of incidents. Ransomware groups have identified managed service providers, IT outsourcers, and other vendors with trusted access to multiple client networks as extraordinarily efficient targets — a single compromised MSP can provide access to dozens of downstream victims simultaneously. This vector is expected to grow significantly through 2026.
What High-Risk Sectors Must Do Differently
Healthcare: Clinical Isolation is Non-Negotiable
The single most impactful control for Australian healthcare organisations right now is network segmentation that isolates clinical systems — electronic medical records, medical imaging, clinical decision support — from administrative networks and internet-facing infrastructure. The Qilin attacks that disrupted the metropolitan hospital network in Q1 succeeded precisely because flat network architectures allowed the ransomware to propagate from an initially compromised administrative workstation into clinical systems within hours.
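As an added illustration of the segmentation check described above (example code, not from the report or any vendor): a small reachability lint that, given a zone list and firewall allow rules, reports every clinical zone that an untrusted zone can reach and the chain of rules that gets it there. The zone names, the (src, dst, action) rule format and the three sample policies are constructed for this example.

```python
"""Segmentation lint: can an administrative or internet-facing zone reach a
clinical zone through the allow rules, directly or via intermediate hops?
Added example; zones, rule format and sample policies are constructed."""
from collections import deque

# Constructed hospital zones. Clinical zones must not be reachable from
# untrusted ones, even transitively (e.g. admin -> file server -> EMR).
ZONES = {"internet", "dmz", "admin-workstations", "guest-wifi",
         "file-servers", "emr", "imaging", "clinical-decision-support"}
CLINICAL = {"emr", "imaging", "clinical-decision-support"}
UNTRUSTED = {"internet", "admin-workstations", "guest-wifi"}

# Flat network: a single any/any allow, the architecture the report blames.
FLAT_RULES = [("any", "any", "allow")]
# Segmented on paper, but the file-server hop still leads into clinical.
LEAKY_RULES = [("internet", "dmz", "allow"),
               ("admin-workstations", "file-servers", "allow"),
               ("file-servers", "emr", "allow"),
               ("emr", "imaging", "allow")]
# Clinical zones only talk to each other; explicit deny is not a path.
HARDENED_RULES = [("internet", "dmz", "allow"),
                  ("admin-workstations", "file-servers", "allow"),
                  ("admin-workstations", "emr", "deny"),
                  ("emr", "imaging", "allow"), ("imaging", "emr", "allow")]

def exposure_paths(rules, zones, untrusted=UNTRUSTED, clinical=CLINICAL):
    """Return {clinical_zone: [hop, ..., clinical_zone]} for every clinical
    zone reachable from an untrusted zone; an empty dict means isolated."""
    allow = {}
    for src, dst, action in rules:
        if action != "allow":
            continue  # only allow rules create edges
        for s in (zones if src == "any" else {src}):
            allow.setdefault(s, set()).update(
                (zones if dst == "any" else {dst}) - {s})
    parent = {z: None for z in sorted(untrusted & zones)}
    queue = deque(parent)  # breadth-first search from every untrusted zone
    while queue:
        cur = queue.popleft()
        for nxt in sorted(allow.get(cur, ())):  # sorted: deterministic paths
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    paths = {}
    for z in clinical & set(parent):
        path, node = [], z
        while node is not None:
            path.append(node)
            node = parent[node]
        paths[z] = path[::-1]
    return paths

if __name__ == "__main__":
    for name, rules in [("flat", FLAT_RULES), ("leaky", LEAKY_RULES),
                        ("hardened", HARDENED_RULES)]:
        print(name, exposure_paths(rules, ZONES) or "clinical zones isolated")
```

The leaky policy is the case worth noticing: no rule names a clinical destination from an untrusted source, yet the file-server hop still gives an administrative workstation a route into the EMR and, from there, imaging.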
The second priority is backup integrity. Not backup existence — virtually every organisation that was attacked had backups. The problem is that connected backups are routinely targeted and encrypted or deleted before the ransomware payload is deployed. Air-gapped or immutable backup infrastructure, with regular tested recovery exercises, is the difference between a contained incident and a multi-week outage. Healthcare organisations should also engage the ACSC's health sector liaison program for threat intelligence specific to their environment — the ACSC has sector-specific IOCs and early warning capability that is not available through commercial channels.
Local Government: Pooled Resources Are the Only Viable Path
The brutal reality for many regional and suburban councils is that they cannot individually afford the security capabilities that the threat environment now demands. State government cyber coordination programs — pooled security operations, shared threat intelligence, and incident response support through state-managed contracts — offer the most practical path to meaningful protection for councils with constrained IT budgets.
Within those constraints, the immediate priority should be MFA across all remote access and email systems. This is the single control most likely to prevent initial credential access, and it is achievable without specialist expertise or significant capital outlay. The second priority is asset visibility: councils consistently overestimate how well they understand their internet-facing attack surface. Legacy web applications, forgotten administrative portals, and out-of-support content management systems are exactly what BlackSuit's reconnaissance tooling is designed to find.
CyberSec.au Assessment
Q1 2026's ransomware statistics represent a trajectory that, without significant intervention, will continue to worsen. The combination of increasingly capable and organised threat groups, a large pool of vulnerable targets in high-pressure sectors, and the persistent economic incentive of ransom payment creates a feedback loop that rewards continued investment in ransomware operations.
The 38% payment rate is particularly concerning. Every ransom payment directly funds the next wave of attacks. Australian organisations that pay ransoms — even when it seems like the only viable path — are collectively contributing to the problem. Investment in prevention, detection, and resilient recovery capabilities is both the ethical and economically rational response to this threat.
Assess Your Ransomware Resilience
A security assessment will identify your highest-risk exposure points and provide a prioritised remediation plan to reduce your ransomware risk.