Wealthy private schools holding valuable personal data are increasingly being targeted by hackers according to Australia's cyber spy agency which has highlighted "evolving" online threats in its latest threat assessment.

The Australian Signals Directorate's (ASD) annual Cyber Threat Report warns the average cost of cybercrime to small businesses was almost $50,000 in the past financial year, but the number of overall incidents is roughly the same as 12 months ago.

The ASD received 87,000 reports of cybercrime over the past financial year and responded to 121 ransomware incidents, up 3 per cent on the previous 12 months.

Abigail Bradshaw, the director-general of the ASD, highlighted the risk to businesses which hold a lot of Personal Identification Information (PII) when releasing the agency's annual cyberthreat report.

Ms Bradshaw told reporters her agency had seen a lot of real estate and aged care facilities being targeted, as well as other businesses which hold vast amounts of valuable customer data including private schools.

"A school might keep, for example, sensitive records of children or other details, and then the threat will be, 'Pay the ransom or the actor will publish data on the dark web.'"

According to the ASD's report, one case in the past year involved the Association of Independent Schools in New South Wales which was alerted to malware lurking on their system.

The malware, named "Gootloader", infected the system when an employee searched online for the education sector's enterprise agreement.

The employee clicked on a link to a fake site that had been sponsored to show up as a top search result, which sent them to a "honey pot" website designed to look like an online forum.

They downloaded a file that they thought was a copy of the enterprise agreement posted by a forum user, which according to the ASD "executed the Gootloader payload", and allowed criminals to have persistent access to the schools' network for three days.

While the ASD says that access wasn't used to take over the network, the agency believed it may have been positioning to on-sell that access to another cybercriminal to use for ransomware.

The agency says fortunately in that case, within two hours of the NSW Association of Independent Schools being alerted to Gootloader by the ASD, it had isolated the infected device and contained the issue.

Responding to the report, Defence Minister Richard Marles said Australia was seeing "a significant level of cyber threat" including an "increased focus on cyberattacks on critical infrastructure, both from criminal actors but also state actors".

"We have seen in the course of the last year that the cost of each of those incidents is going up, so an 8 per cent increase for small businesses, 17 per cent increase for individuals."

Australian companies are again being urged not to pay hackers when they are hit by ransomware attacks, with the ASD warning there is no guarantee it will help them to recover lost data.

Mr Marles said businesses need to be wary of the "evolving threat" and to also evolve their defences because "you can't just simply set and forget your cyber defences".