TL;DR

  • The ACSC and Five Eyes partners issued a joint advisory confirming the ransomware-as-a-service group INC Ransom has compromised at least 11 Australian organisations in 2026, primarily targeting SMBs in retail, healthcare, and professional services
  • ACSC ransomware detections rose approximately 27% month-over-month between January and March 2026
  • Modern ransomware encrypts critical systems in under two hours, leaving a dangerously narrow window for containment
  • Only 38% of surveyed Australian SMBs have a documented, tested incident response plan
  • SMBs using MSP-supported recovery workflows recover approximately three times faster than those attempting self-managed remediation
  • The ACSC released an updated Ransomware Playbook with a 24-hour mandatory notification requirement for confirmed encryption events

INC Ransom Is Actively Targeting Australian SMBs

The Australian Cyber Security Centre, working alongside its Five Eyes intelligence partners, published a joint advisory in March 2026 confirming that the ransomware-as-a-service (RaaS) group known as INC Ransom has successfully breached at least 11 Australian organisations this year. The majority of victims are small and medium businesses in the retail, healthcare, and professional services sectors.

INC Ransom operates under the RaaS model, meaning the ransomware tooling is developed by a core group and distributed to affiliates who execute the attacks. This lowers the barrier to entry for attackers and increases the volume and variety of targeting. For Australian SMBs, the practical implication is clear: you do not need to be a high-value target to be hit. Affiliates cast a wide net, and businesses without adequate defences are the easiest prey.

The ACSC's data shows ransomware detections targeting Australian SMBs rose approximately 27% month-over-month between January and March 2026. Average dwell time before detection fell from 12 days to 7 days, which sounds positive but actually indicates that attackers are moving faster and encrypting sooner — leaving less time for detection and response.

Two Hours to Encryption

Modern ransomware campaigns are engineered for speed. The ACSC's analysis confirms that contemporary ransomware can encrypt critical business systems in under two hours from initial access. Once encryption begins, your options narrow dramatically.

This two-hour window is the practical reason why every SMB needs a documented, tested incident response plan. When ransomware hits, you cannot afford to spend the first hour working out who to call, what to disconnect, or how to preserve evidence. Those decisions need to be made in advance, written down, and practised.

The ACSC's updated 2026 Ransomware Playbook provides an interactive response checklist built around four immediate actions:

  1. Immediate network isolation — disconnect affected systems from the network to prevent lateral spread
  2. Volatile data preservation — capture memory dumps and log files before systems are powered down, for law enforcement hand-over
  3. Engagement with a vetted incident response provider — have this relationship established before the incident, not during it
  4. Mandatory ACSC notification within 24 hours of confirmed encryption — this is a new requirement in the 2026 Playbook

Only 38% of Australian SMBs Have a Tested IRP

The ACSC's survey data reveals a sobering gap: only 38% of Australian SMBs have a documented and tested incident response plan. The remaining 62% are effectively planning to improvise during a crisis.

The financial consequences are well documented. IBM's Cost of a Data Breach Report consistently shows that organisations with a tested incident response plan reduce breach costs by $2.66 million compared to those without one. For SMBs, this gap can be the difference between recovery and closure.

Early-adopter SMBs that have implemented the ACSC's Playbook-aligned response procedures report average recovery times of 48 hours. The sector average for SMBs without a tested plan is 5 to 7 days. That is the difference between a bad week and a potentially business-ending event.

MSP-Supported Recovery: Three Times Faster

Research from the 2026 ransomware recovery landscape confirms that SMBs using managed-service-provider (MSP) supported recovery workflows achieve recovery speeds approximately three times faster than those attempting self-managed remediation.

This makes sense. MSPs have the tooling, the experience, and the after-hours coverage that most SMBs lack internally. But the MSP can only execute effectively if there is a clear playbook to follow. An incident response plan that includes defined escalation paths, communication protocols, and handoff points for your MSP transforms a chaotic scramble into a coordinated response.

If you work with an MSP, the question is not whether you need an incident response plan — it is whether your MSP has one that is specific to your environment.

What to Do This Week

  1. Get a documented IRP in place. If you are in the 62% without one, this is the single highest-impact action you can take. A ready-to-deploy template can be customised and operational in 2-3 hours.

  2. Test it. A plan that has never been tested is a hypothesis, not a plan. Run a 60-minute tabletop exercise with your key staff. Walk through a ransomware scenario and identify the gaps.

  3. Establish your incident response contacts now. Know who you will call for forensics, legal advice, and regulatory notification before you need them. Add them to your plan with direct phone numbers.

  4. Verify your backup and recovery procedures. Ensure you have offline backups that are tested and current. The ACSC's Playbook emphasises that backup integrity is the single most important factor in ransomware recovery.

  5. Brief your MSP. If you use a managed service provider, share your incident response plan with them. Confirm they know their role, escalation triggers, and communication channels during an incident.
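The backup check in step 4 can be run mechanically. The script below is an added example, not taken from the ACSC Playbook or the original article: it records a SHA-256 manifest at backup time and later reports missing, changed or unexpected files, and whether the backup set is out of date. The function names, the manifest layout and the 24-hour freshness threshold are assumptions.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    """Hash in 1 MiB chunks so large backup archives are never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def list_files(root):
    return {p.relative_to(root).as_posix(): p for p in Path(root).rglob("*") if p.is_file()}

def build_manifest(backup_dir, created=None):
    """Run at backup time; keep the result offline, away from the backup itself."""
    files = {rel: sha256_file(p) for rel, p in list_files(backup_dir).items()}
    return {"created": time.time() if created is None else created, "files": files}

def verify_backup(backup_dir, manifest, max_age_hours=24, now=None):
    """max_age_hours is an assumed threshold; set it to match the backup schedule."""
    on_disk, expected = list_files(backup_dir), manifest["files"]
    report = {
        "missing": sorted(set(expected) - set(on_disk)),
        "unexpected": sorted(set(on_disk) - set(expected)),
        "modified": sorted(r for r in expected
                           if r in on_disk and sha256_file(on_disk[r]) != expected[r]),
    }
    age = (time.time() if now is None else now) - manifest["created"]
    report["stale"] = age > max_age_hours * 3600
    report["ok"] = not any(report.values())  # every finding list empty and not stale
    return report

def demo():
    """Constructed sample: a two-file backup set, verified clean and then after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.bak").write_bytes(b"constructed sample rows\n" * 100)
        (root / "files.tar").write_bytes(b"constructed archive bytes")
        manifest = build_manifest(root, created=1_000_000)
        clean = verify_backup(root, manifest, now=1_000_000 + 3600)
        (root / "files.tar").write_bytes(os.urandom(64))   # content overwritten
        (root / "db" / "customers.bak").unlink()           # file deleted
        (root / "NOTE.txt").write_text("unexpected file")  # file the backup job never wrote
        late = verify_backup(root, manifest, now=1_000_000 + 72 * 3600)
        return clean, late
```

A passing report shows only that the files are unchanged and recent; a periodic test restore is still needed to confirm the backup is usable.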

FAQ

Is INC Ransom specifically targeting Australian businesses?
Yes. The joint ACSC and Five Eyes advisory specifically identifies Australian SMBs as a primary target category. The retail, healthcare, and professional services sectors are particularly affected.

How quickly does INC Ransom encrypt systems?
Modern ransomware, including INC Ransom variants, can encrypt critical systems in under two hours from initial access. This makes pre-planned response procedures essential — there is not enough time to develop a plan during the incident.

Do I need to notify the ACSC if I am hit by ransomware?
The ACSC's 2026 Ransomware Playbook requires notification within 24 hours of confirmed encryption. This is separate from Notifiable Data Breaches (NDB) scheme obligations, which have their own timelines.

What if I already have an incident response plan but have not tested it?
An untested plan is better than no plan, but significantly less effective than a tested one. The ACSC recommends tabletop exercises at least annually. The difference in recovery time between tested and untested plans is substantial.

Can my cyber insurance help with ransomware recovery?
Most cyber insurance policies require a documented incident response plan as a precondition for coverage. If you do not have one, claims may be denied. If you do, your insurer can often connect you with pre-approved incident response providers.

