QBE warns cyber attacks are speeding up in Asia-Pacific

QBE has reported a sharp shift in cyber risk patterns in early 2026, with attacks unfolding faster and hitting Australia and the Asia-Pacific region more often.

Its first-quarter cyber threat intelligence points to shorter periods between an attacker gaining access to a network and launching ransomware, a broader geographic spread of attacks, larger volumes of stolen data, and a rise in scams that use multiple channels to manipulate staff.

Ransomware incidents now move far more quickly than they did a few years ago. Since 2021, the average time between initial access and ransomware deployment has fallen by about 70 per cent, from roughly 100 minutes to around 30 minutes in recent cases, according to QBE.

In some cases, attackers encrypted thousands of endpoints across an organisation in less than 10 minutes. That leaves security teams with far less time to detect an intrusion, investigate activity, and contain the damage before systems are disrupted.

Regional shift

Cyber activity is no longer as heavily centred on the United States as in the past. Instead, ransomware and other attacks are becoming more evenly spread across regions, with Australia now ranked among the 10 most targeted countries worldwide.

For local organisations, that marks a shift. They are now firmly in scope for financially motivated cyber crime rather than sitting on the edge of global targeting patterns. QBE also says newer criminal groups are turning their attention to Asia-Pacific markets, where they see room to operate with less competition from more established actors.

Another trend in the quarter was the scale of data theft. Attackers are not only locking systems but also extracting large amounts of sensitive information before deploying ransomware, increasing pressure on victims during and after an incident.

One case in New Zealand involved the theft of about 1.5 terabytes of data, likely close to the victim organisation's entire data environment. Larger thefts can raise forensic and recovery costs, increase regulatory exposure, and prolong reputational damage even when systems are later restored.

Human tactics

Attackers are also making greater use of human-led techniques alongside technical methods. These include campaigns that combine phishing emails with phone calls and text messages to persuade employees to hand over credentials or approve access requests.

About 11 per cent of ransomware incidents now include a voice element. That reflects a move away from attacks that rely only on software weaknesses and towards methods that exploit trust, urgency, and employee behaviour.

Some of these approaches are being strengthened by AI-generated impersonation, adding another layer of complexity for organisations trying to verify who they are dealing with. The shift means cyber risk is increasingly tied to identity management, internal processes, and staff awareness as much as technical defences.

Dominic Keller, global head of cyber services at QBE, said the speed of attacks had become one of the clearest changes in the threat landscape.

"The most striking shift we're seeing is how quickly cyber incidents now escalate. In many cases, the window between an attacker gaining access and significant disruption is measured in minutes rather than days, which fundamentally changes how organisations need to think about cyber risk," he said.

He also pointed to the broader spread of attacks across geographies and methods.

"Cyber crime is no longer concentrated in one market or region. Australia and the Asia-Pacific region are increasingly in scope, and attackers are combining technical methods with human-led tactics to increase the scale and impact of incidents," Keller said.

The findings come as companies face growing pressure to treat cyber security as an operational resilience issue rather than a narrow technology problem. Faster incidents and larger data thefts can affect business continuity, customer relations, and regulatory obligations at the same time.

That places more emphasis on preparation, rapid decision-making, and recovery planning. QBE argues resilience now depends less on any single control and more on how well organisations understand and reduce risk, and how ready they are to manage a fast-moving breach.

Keller said that broader shift has changed how organisations need to frame the issue internally.

"Now more than ever, cyber risk has become a resilience challenge. Preparation, visibility and the ability to recover quickly are now just as important as prevention," he said.

He added that insurance can extend beyond financial support after an incident.

"Effective cyber insurance is not just about what happens after an incident. By helping organisations better understand risk, test decision-making, and prepare leadership teams, insurers can play a meaningful role in reducing disruption and strengthening resilience," Keller said.