Netstar Australia has been named on a ransomware leak site, with threat actors claiming to have stolen a large volume of data from the Melbourne-based telematics provider, in an incident likely to be closely watched by cyber and financial lines insurers.
In December 2025, the Black Shrantac ransomware group listed Netstar Australia on its dark web leak site and alleged it had infiltrated the company’s systems and obtained customer, financial, and database information. The firm provides GPS fleet tracking and telematics services to Australian organisations and supplies several fleet management platforms to business customers.
Cyber Daily reported that Black Shrantac claimed to have taken 800GB of data and said it would publish the material “soon”. The group has already posted sample files said to include internal records relating to staff, tax, equipment, and customers, with alleged names, contact details, bank information, contract terms, and insurance-related information. Netstar Australia has been contacted by media outlets for comment, but no detailed public statement had been reported at the time of writing. For insurers, the incident illustrates potential aggregation risk when a technology vendor with multiple business clients is compromised, with possible implications for privacy notifications, contractual liabilities, business interruption, and cyber policy response for both the provider and its customers.
Black Shrantac is understood to be a relatively new ransomware group first identified in September 2025. Public reporting indicates the group has listed 26 victims across markets including the US, Turkey, Indonesia, India, Peru, and Bulgaria, with Netstar described as its first known Australian case.
Open-source analysis suggests the operation has focused on data theft and extortion, releasing detailed data samples to increase pressure on victims. Security sources report that the group’s ransom note states victim data has been both stolen and encrypted, and instructs organisations not to restart or modify devices because this could interfere with decryption. Unlike some established ransomware operations, Black Shrantac does not appear to maintain a public profile or “about” page, leaving limited information on its internal structure, affiliations, or approach. That lack of detail may complicate attribution and sanctions assessments for affected entities, their brokers, and insurers.
The Netstar case comes amid broader concern about identity compromise and ransomware among Australian organisations. The Rubrik Zero Labs report, “Identity Crisis: Understanding & Building Resilience Against Identity-Driven Threats,” found that 35% of Australian respondents had experienced at least one ransomware incident in the previous 12 months, the highest share globally in that dataset. Among those affected, 95% reported paying a ransom, either to regain access to data or to stop the incident. For cyber insurers, the combination of high reported incident rates and high payment rates signals substantial exposure to incident response, legal, and regulatory costs.
Despite frequent ransom payments, Australian organisations reported lengthy restoration periods following ransomware events. No firm in the Rubrik sample said it could restore normal operations within one hour of an attack, and nearly 23% reported that recovery took more than 24 hours. Looking ahead to a major compromise scenario, no Australian respondent expected to fully restore service operations within 12 hours, while 34% anticipated that recovery would require at least a week. More than 78% said it would take longer than 24 hours to recover identity infrastructure after a breach. These reported timelines have implications for cyber underwriters, given the use of business interruption, extra expense, and contingent interruption cover in cyber and package policies. Extended outages can increase claim sizes, particularly for organisations relying on continuous data flows, logistics systems, or digital platforms.
Other studies point to recurring ransomware and cyber incidents across Australia and the wider region. OpenText Cybersecurity reported that 40% of Australian organisations experienced at least one ransomware event in the past year, with nearly half of those targeted on multiple occasions. One-third of affected organisations chose to pay, and 41% of those payments exceeded US$250,000. Some businesses did not achieve full restoration despite paying, indicating that ransom expenditure does not ensure data recovery or operational continuity.
A separate survey for Arctic Wolf found that 85% of organisations in Australia and New Zealand reported at least one cyber incident in the previous year, compared with 76% globally. Respondents in the region were also more likely to pay extortion demands, with almost 75% acknowledging payments to avoid data disclosure. Of those, 91% said they used external negotiators, but fewer than half reported securing a reduced ransom amount. For insurers, these findings point to continuing patterns of frequent attacks, repeat victimisation, and mixed recovery outcomes, with implications for loss experience, pricing, and underwriting criteria in cyber and financial lines.