Action required if payment is made
Coordination benefit
Summary
If an entity makes a ransomware payment, prompt reporting supports national coordination, situational awareness, and disruption activity.
Reporting does not indicate wrongdoing and does not remove other obligations, including privacy breach assessment and notification requirements.
When this applies
This advisory applies when a ransomware payment is made, including through intermediaries such as insurers, incident response providers, or negotiators.
It also applies if payment is arranged offshore on behalf of the entity.
What to report
Provide, where available:
- Payment date and time, and payment method (for example, cryptocurrency type).
- Demand amount and paid amount (including any staged payments).
- Wallet addresses or payment instructions supplied by the threat actor.
- Known communications channel used by the threat actor (portal, email, chat).
- Any artefacts received (decryptor, keys, “proof” files, leak threats).
Important notes for decision-makers
- Payment does not guarantee decryption, data deletion, or non-disclosure.
- Payment can increase targeting risk, including repeat extortion.
- Do not assume that a lack of evidence means no data was disclosed. Treat exfiltration claims as uncertain until assessed.
- Payment decisions do not remove OAIC Notifiable Data Breaches obligations. Privacy assessment should proceed in parallel.
Recommended coordination steps
- Preserve logs and communications to support attribution and disruption activities.
- Maintain a clear internal record of payment decision-making, including risk trade-offs considered.
- Coordinate public messaging to avoid amplifying unverified claims.