Fairfield City Council initially disclosed the incident on 16 October 2025, when staff discovered unauthorised access to their IT systems. The western Sydney council moved quickly to contain the damage. Unnamed persons claiming to be part of a named group gained unauthorised access to the servers and encrypted them with ransomware around 8 October 2025.
What happened next reveals something important about how local government is learning to confront cyber criminals. The hacker claimed in the chat room that in return for a ransom payment, a decryptor would be supplied and no further attacks would be made against the council. However, the council refused to pay.
Rather than capitulate to extortion, Fairfield City Council took the matter to court. Orders have since been served to the threat actor, via the chat room, restraining them from placing any information or material from the impacted dataset at any location on the internet or transmitting, publishing, or disclosing any information or material from the impacted dataset to any person. The court also directed the threat actor to remove all data from all accessible internet locations, including dark web locations.
The approach appears to be working. As of Fairfield City Council's February update and the court documents published in March, the impacted data has not yet been published on either the clear or dark web.
This decision reflects a harder line against ransomware operators. From 30 May 2025, certain Australian businesses or organisations who suffer a ransomware or other cyber extortion incident must report to the Australian Signals Directorate (ASD) within 72 hours if they pay a ransomware or other cyber extortion demand. The government has made clear that tougher penalties up to AUD$50 million now apply, with proposals to ban ransomware payments.
Fairfield City Council is not alone. Local councils in Queensland and NSW have been disrupted by ransomware and data theft. The ACSC responded to over 1,200 cybersecurity incidents, an 11% increase in the 2024-25 financial year. The threat is persistent and evolving. In 2026, attackers are escalating tactics, moving beyond data theft to manipulation, such as altering permit records or health data to sow chaos. With elections looming in some jurisdictions, risks extend to electoral systems and disinformation campaigns.
The council's refusal to pay the ransom is a pragmatic choice. Paying ransoms funds criminal operations and offers no guarantee that stolen data will be deleted. By contrast, the court injunction approach creates legal liability for the hackers if they publish the data. It also signals to other threat actors that Fairfield City Council will not be an easy target for extortion.
For readers in other councils or organisations facing similar threats, the lesson is clear: The Ransomware Playbook is a practical step-by-step guide designed to help individuals, businesses and organisations prepare for, respond to, and recover from ransomware incidents. It consolidates advice and resources from across government and industry into one accessible tool. The Australian Signals Directorate offers this resource at cyber.gov.au.