Classic weak points were identified, including untrained staff, unpatched server software and unaddressed vulnerabilities in software used to access the office from afar, and virtual private network software -which has legitimate users, but that staff could use, for instance, to beat geo-restrictions around a stream of a sports event.
On the plus side, 48% of the NZ organisations surveyed had a “zero trust” policy, versus the Asia Pacific average of 40%. The policy involves trusting no one inside or outside your organisations - in practical terms, that means incessant use of two-factor verification, by text message or authentication app when accessing services or files.
All the organisations had had a rise in ransomware over the past 12 months. But notwithstanding the number who had forked over cash to a hacker, NZ organisations are around one-third less likely to pay a ransom, according to the survey.
Emerging AI threat
Other challenges faced by respondents included a lack of cybersecurity talent (32%), and the emerging threat posed by AI (35%).
AI makes it easier for amateurs to throw a ransomware attack together. It also allows professions to use sophisticated new tactics such as real-time audio or even video-call imitations of a staff member - such as the attack that targeted the CFO at Zuru Toys.
“Prepare for AI fuelling a multiplication and intensification of attacks: AI is here to stay so CISOs [chief information security officers] need to identify ways to combat the increase in cyberthreats that this technology will engender,” Cloudflare’s report on the survey says.
“Cybersecurity leaders should be wary of simply outsourcing the problem, but there is definitely a case for examining talent models, governance frameworks, compliance or the terms of engagement with third-party vendors to see how best to keep organisations safe.”
Cloudflare is not to be confused with Cloudstrike, the security firm that created global havoc with a software upgrade that took offline millions of computers controlling retail, airline, bank and other sectors this year.)
Police: Don’t pay
Police, Cert NZ and other agencies advise against paying a cyber-ransom, on the basis it incentivises further offending, that there’s no guarantee you’ll get your data back - or that copies won’t be used to blackmail you or your customers - and that gangs use revenue from cybercrime to help fund offending in areas such as drugs and human trafficking.
Legal to pay ...
While there’s nothing black-and-white about ransomware on New Zealand’s statute books, former Auckland University Law Professor Bill Hodge told the Herald: “The Crimes Act was written in an age when a ransom was only demanded for a person, not data. But my reading is that it would not be illegal to succumb to a hacker’s demands and pay a ransom. It would be almost impossible for police to mount a prosecution.”
The previous Government, and the current one, have opposed making it illegal to pay a cyber-ransom, saying it would criminalise the victim.
The Crown has tightened up its own act, however.
“Cabinet has agreed that government agencies should not pay cyber ransoms,” the Government’s guidance reads.
“The New Zealand Government strongly discourages the payment of ransoms to cybercriminals, and urges all victims to report any cyber ransom incidents to the relevant agencies, regardless of whether a ransom is paid.”
An update to the Privacy Act 2020 made it mandatory to report any serious data breach to the Privacy Commissioner.
... unless Russia is involved
Many major ransomware gangs are based in Russia, according to analysis by security firms who have noted groups using Cyrillic script in communications, among other pointers. And Russian nationals have featured strongly in the handful of arrests related to ransomware attacks.
New Zealand’s spooks think so too. “The Government Communications Security Bureau has established clear links between the Russian Government and a campaign of malicious cyber activity targeting overseas political institutions, businesses, media and sporting organisations,” the GCSB said in a report issued before the Ukraine invasion. The Putin regime has since encouraged more malicious attacks, according to industry experts.
The war led New Zealand’s Parliament to pass the Russia Sanctions Act 2022, which means paying a cyber ransom could now constitute breaking sanctions and could result in criminal penalties of:
- Up to seven years in prison and/or a fine of $100,000 for individuals; and
- A fine of up to $1 million for organisations.
There’s a big qualifier, however. Ransomware gangs use a lot of tricks to mask the origin of any given attack, and demands are always made in bitcoin, the cryptocurrency not tied to any country. So proving a payment had been made to a party in Russia would be difficult to prove.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.
