Anubis, a ransomware group active since early 2025, has claimed responsibility for a cyber incident involving Western Australian operator Shine Aviation, adding another local case to the ransomware risk profile facing Australian organisations and their insurers. On its darknet leak site, the group posted on April 4 that it had obtained 57 gigabytes of data – more than 68,000 files – from Geraldton-based Shine Aviation.
The post alleges the data set includes employee credentials and records, scans of access cards, and airworthiness and aircraft registration certificates. “For years, any incident involving aviation or airports has carried a particular weight – and for good reason. More than two decades have passed since the Sept. 11 attacks, a defining moment in the history of civil aviation security. While systems have improved dramatically since then, no technology has yet been able to eliminate the human factor. Today, we will examine one such potential vulnerability,” Anubis said in the leak note, as reported by Australian Aviation.
The group’s statement then outlines its account of the incident and the scope of the information it claims to have obtained. “The leaked data includes a wide range of information, from details about aircraft and flights to access credentials for network infrastructure and various corporate systems used by the company,” the hackers said. Anubis also released sample files it said were drawn from Shine Aviation’s environment, including images of employee security cards and login details. At this stage, the full extent and authenticity of the data set have not been independently verified. The claims raise issues around how operational documentation, maintenance records, identity data, and access credentials are managed in regional aviation and fly-in, fly-out (FIFO) providers that support resource sector operations.
Shine Aviation is based in Geraldton, Western Australia, and provides charter flights and tours, flight training and engineering, and aircraft rental and maintenance. A substantial portion of its activity supports FIFO services for mining clients in the state’s midwest and more remote areas. “In 2011, Shine Aviation added a Beechcraft 1900D to its fleet. The 19-seat aircraft services midwest mining companies to access remote mine sites. Whilst operating predominantly in the midwest region of Western Australia, Shine Aviation offers flights and aviation services to anywhere in Australia,” the company said on its website. The operator maintains a fleet of 15 aircraft with capacity for between five and 19 passengers. A cyber incident affecting staff records, engineering and airworthiness documentation, or network access credentials at such a provider may interact with multiple insurance lines, including cyber, aviation liability, professional indemnity, workers’ compensation, and business interruption.
The Shine Aviation listing comes against a backdrop of changing ransomware patterns in the Australian market, as outlined in Sophos’ “The State of Ransomware in Australia 2025” report. The report is based on an independent survey of 3,400 IT and cybersecurity leaders at organisations that had experienced ransomware in the prior 12 months, including 191 respondents from Australia. All participating organisations had between 100 and 5,000 employees.

Among Australian respondents, 33% of attacks resulted in data encryption, below the global average of 50% and down from 49% reported locally in 2024. Data theft occurred alongside encryption in 35% of Australian cases, compared with 20% a year earlier, indicating continued use of double-extortion techniques. Exploited vulnerabilities were identified as the most common technical entry point for Australian organisations, reported in 28% of incidents, followed by phishing at 24% and compromised credentials at 21%.
Operationally, 45% of Australian respondents cited a lack of protection as a key contributing factor, 44% pointed to limited people or capacity, and 41% said both known and unknown security gaps played a role. Ninety-eight percent of Australian organisations that experienced encryption said they ultimately recovered their data. Forty-one percent reported paying a ransom to restore access, down from 66% the previous year, while 67% recovered through backups, down from 72%.
The survey sets out cost and recovery benchmarks that are relevant to underwriting and claims assessments. Excluding any ransom payment, Australian organisations reported an average recovery cost of US$650,000 over the last year, covering downtime, staff time, device and network remediation, and lost business. This compares with US$2.37 million reported in 2024. The median ransom demand reported by Australian respondents was US$217,000, down from US$4.42 million a year earlier. Forty-seven percent of demands were for US$250,000 or more. Among the 26 Australian respondents who disclosed payment amounts, the median ransom actually paid was US$350,000, and organisations on average paid around 88% of the original demand. In 52% of these cases the payment was below the initial demand, 24% matched it, and 24% exceeded it.

Recovery timeframes also shifted. Forty-seven percent of Australian organisations said they were fully recovered within a week, compared with 36% in the previous survey period. Thirteen percent reported recovery taking between one and six months, down from 33%. Respondents also pointed to ongoing impacts on IT and cybersecurity teams where data was encrypted. Forty-eight percent reported increased pressure from senior leaders, 48% reported higher anxiety or stress about future incidents, 41% cited a sustained increase in workload, 37% reported a change in team priorities or focus, and 29% reported feelings of guilt that the attack had not been prevented.