A recent series of claims by the Qilin ransomware group is prompting closer attention from cyber insurers, brokers, and risk managers as they assess how extortion campaigns are affecting Australian organisations and insurance portfolios. Since late January, the ransomware-as-a-service (RaaS) operation has listed four Australian businesses on its darknet leak site in less than a month. Three are based in Western Australia and one in Queensland, indicating that regional and mid-market organisations remain part of the targeting profile for financially motivated threat actors.
At the end of January, Qilin named Western Australian electronics retailer Esperance Communications as a victim, according to Cyber Daily’s report. The post did not include data samples, screenshots, or other technical indicators, and no further detail has been added. On Feb. 11, the group listed Mount Barker Co-operative, also in Western Australia. Qilin actors claimed they had taken about 40GB of internal data and more than 55,000 files. They later asserted that the data had been released, but the associated link now returns a “404 Not Found” message, leaving uncertainty about what, if anything, is accessible.
A third Western Australian firm, Esperance Metaland, appeared on the site on Feb. 21. The group alleged that 14GB of data and more than 16,000 files were taken, but no proof-of-compromise has been shared. A fourth listing, involving a Queensland-based business, was added on Feb. 22 with no information on data volume or file count and no visible leak. None of the named organisations has made a public statement in response to the allegations. For insurers, brokers, and incident responders, the absence of confirmation and technical evidence reflects a broader feature of current extortion activity: attackers can exert pressure and create uncertainty without immediately demonstrating that data theft or encryption has taken place.
Qilin operates under a RaaS model in which affiliates carry out intrusions using the group’s tools and infrastructure, sharing any ransom proceeds. Research by cyber security firm ThreatLocker indicates that Qilin’s operations have expanded since it was first observed in 2022, when it claimed 45 victims, to more than 800 victims in 2025. “Qilin utilises a variety of methods to establish malicious connections and persist on an unsuspecting network. Historically, their dwell time has an average of 19 days, but may be extended for further enumeration and discovery on a target. Established communication to a command and control server provides the means necessary to spread and execute their ransomware binary throughout a network,” ThreatLocker said in a November 2025 report.
Some commentators have suggested that Qilin may sometimes rely on misconfigured or exposed databases rather than complex intrusion techniques. However, code analysis of its malware indicates that, once deployed, it is capable of moving within a network and encrypting systems. Underwriting and security specialists note that a reported 19-day average dwell time gives intruders an opportunity to scan environments, locate backups, and review data holdings before they initiate an overt extortion phase, which can affect the scale and nature of losses.
The latest Qilin activity sits against a national backdrop in which cyber incidents remain frequent and financially significant for businesses. In the 2024-25 financial year, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) received more than 42,500 calls to the Australian Cyber Security Hotline, a 16% increase on the prior year. The centre responded to over 1,200 cyber security incidents, up 11%. Entities were notified more than 1,700 times of potentially malicious activity on their networks, an 83% rise year-on-year.
Self-reported financial losses linked to cybercrime also increased. Average losses per business cybercrime report rose by about 50% to roughly $80,850. Large organisations reported an average of $202,700 per incident, more than a threefold increase, while small and medium enterprises reported average losses of $56,600 and $97,200 respectively. Identity fraud remained the most commonly reported cybercrime type, and about 11% of incidents handled by ASD’s ACSC involved ransomware, a similar proportion to the previous year. Incidents involving denial-of-service or distributed denial-of-service attacks rose by more than 280%. These figures indicate that both the volume of activity and the potential financial consequences remain material considerations for insurance buyers and carriers, including in sectors with high data concentrations and operational dependency on digital infrastructure.
Gallagher has linked the early stages of cyber incident response to both operational outcomes and insurance issues. The firm notes that a cyber incident is reported in Australia about every six minutes, meaning organisations may need to make decisions under time pressure when responding to an attack. The brokerage’s cyber and technology specialists report that ransomware and extortion incidents now frequently involve data exfiltration as well as, or instead of, system encryption. Even when systems are restored from backups, attackers may threaten to release information, extending the incident from a technical disruption to legal, regulatory, and reputational consequences. According to the firm’s guidance, initial steps usually include isolating affected systems, protecting backups and privileged accounts, preserving forensic artefacts, and engaging specialist incident response providers. Gallagher also notes the value of a defined internal decision-making structure so that technical, legal, communications, and insurance workstreams are coordinated rather than handled separately.
Where ransom demands are made, Gallagher says specialist negotiators may support organisations by testing claims that systems can be decrypted, confirming whether data has been taken and, in some cases, narrowing the amount sought. Some victims choose to restore systems without paying; others compare a reduced demand with the expected cost of extended downtime, restoration, and regulatory activity. Any decision to pay is constrained by Australian law. The Autonomous Sanctions Act 2011 and the Criminal Code prohibit providing funds to designated persons or terrorist organisations, including entities linked to modern slavery or human trafficking. Since May 2025, entities with annual turnover of at least $3 million must also notify the ASD within 72 hours if they make a ransomware payment. Under the Privacy Act and the Notifiable Data Breaches scheme, organisations must assess whether a breach is likely to result in serious harm and, if so, notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable. Gallagher warns that delays or inconsistent communication can add to legal risk and complicate claims handling.
The combination of Qilin’s recent listings, national incident data, and evolving regulatory settings reinforces the focus on preparation before an event. Organisations that have developed and tested incident response plans, clarified internal roles, and pre-arranged access to technical, legal, and communications advisers are often able to respond more quickly in the first 48 hours after a breach is identified.
Cyber insurance policies are increasingly used not only for financial recovery but also as a channel to incident response support, including forensic investigation, legal advice, crisis communications, and extortion negotiation services arranged through insurer or broker panels. Clarifying policy conditions, panel processes, and notification expectations in advance can support more predictable outcomes when an incident occurs.
The Qilin cases, in which alleged data theft has not yet been publicly substantiated, also underline a practical issue for the market: insureds and insurers may be required to make decisions on extortion, notification, and remediation based on partial information. This environment increases the importance of timely triage, clear governance structures, and coordination between risk, legal, and security functions when a client appears on a ransomware group’s leak site.