The minimum figure for the total cost of these attacks — ransom demand plus downtime costs — to Australia was US$269.7 million, while Emsisoft's estimate was US$1.07 billion.
In a blog post, the company said it had derived these figures partly from third-party statistics which could be based on a limited dataset.
"While our calculations are almost certainly under- or over-estimates, they nonetheless provide a clear indication of the enormous economic toll that ransomware is taking," Emsisoft threat analyst Brett Callow said.
New Zealand saw a much smaller number of attacks, 467, and the minimum cost — the ransom demanded — was US$6.4 million, while the estimated cost was US$25.8 million. Looking at total costs for NZ, the figures were US$43.8 million (minimum) and US$175.3 million (estimated).
Emsisoft, which in December released a report about the scale of ransomware attacks on the US public sector, calculated the cost of ransomware attacks for 10 countries.
The number of ransomware attacks was taken from submissions to the identification service ID Ransomware. "Every submission to this service represents a confirmed incident, and there was a total of 452,151 submissions during 2019," the company said.
However, since about 50% of submissions concerned a strain of ransomware known as STOP, which mainly affects home users of Windows and demands a ransom below the average amount, Emsisoft cut the submission number by half when making its calculations.
There were other aspects factored in. "We believe that only approximately 25% of public and private sector organisations affected by ransomware use ID Ransomware," the company said, adding that because of this it would provide two cost estimates: a minimum cost based on 50% of the actual number of submissions and an estimated cost based on that reduced number x4.
Emsisoft found that the average ransom demand was US$84 and a third of all companies who were attacked paid up.
As to the figure used for calculating the cost of downtime, Emsisoft said it had taken a conservative figure of US$10,000 per day - even though the technology research firm Gartner had, back in 2014, put the downtime cost at US$5600 per minute.
"This figure (the US$10,000 per day) has no basis in reality and we have included it simply to illustrate the enormity of the costs," Emsisoft said.
"The actual costs are almost certainly much higher. As downtime is experienced whether or not a ransom is paid, the minimum cost is based on 50% of the submissions to ID Ransomware while the estimated cost is based on that reduced number x4. As above, we have reduced the numbers by 50% to exclude STOP from the calculations."