The Waikato DHB was paralysed by a ransomware attack earlier this year. Photo / NZME
The Kiwi cyber security firm snubbed during the early stages of the Waikato DHB ransomware attack is being celebrated overseas - again.
A New York Times investigation published this week - "A rare win in the cat-and-mouse game of ransomware" - says:
"It started in late summer, after the cybercriminalsbehind the Colonial Pipeline ransomware attack, known as DarkSide, emerged under a new name, BlackMatter. Soon after, the cybercriminals made a glaring mistake that most likely cost them tens, if not hundreds, of millions of dollars.
"Ransomware criminals encrypt a victim's data and demand a ransom payment, sometimes millions of dollars, to return access. But when BlackMatter committed a critical error in an update to its code, researchers at Emsisoft, a cybersecurity firm in New Zealand, realized they could exploit the error, decrypt files and return access to the data's rightful owners.
"Emsisoft hustled to track down dozens of victims in the United States, Britain and Europe so it could help them secretly unlock their data. In the process, the firm kept millions of dollars in cryptocurrency out of the cybercriminals' coffers."
The NZ-registered Emsisoft is owned by its CEO, Christian Mairoll, who relocated from Austria to a lifestyle block in Nelson in 2014. From the top of the South Island, he oversees a team of 40, dotted around the world. Among other things, they develop decryption tools, which help ransomware-hit organisations retrieve their files without paying off cyber attackers.
In early May, Emsisoft earned a namecheck in the Irish Times, and nod from the head of Ireland's Cert (Computer Emergency Response Team) after it helped that country's healthcare system recover from a major ransomware attack.
Later the same month, the Waikato DHB was paralysed by a ransomware attack.
Nine days into the incident, Emsisoft CTO Fabian Wosar told the Herald his company offered to help the DHB - but simply hadn't heard back.
Emsisoft had nothing further to add today, but at the time, Wosar was diplomatic, saying "As you can imagine, ransomware breaches are somewhat chaotic. There are often a lot of external contractors involved, insurances, lawyers, law enforcement, regulatory and public agencies, and obviously the victim. It's not always easy to pierce through all that noise and get to the key decision-makers we need to reach, since their attention is often occupied by all the general chaos and triaging going on."
Wosar added that organisations hit by ransomware are understandably paranoid when a company they've never heard of offers to help.
That theme re-emerged when two big US agricultural businesses were hit by ransomware last month - NEW Cooperative, an Iowa grain co-operative, and Crystal Valley, a Minnesota farming supply co-operative.
In those cases, "To assuage victims' concerns, Emsisoft researchers asked their contacts at cybersecurity companies and government agencies around the world to vouch for them," the New York Times noted.
Both co-operatives recovered quickly, suggesting that Emsisoft might have helped. Neither company returned requests for comment (and Emisoft itself does not identify victims).
Eric Goldstein, the executive assistant director for cybersecurity at the federal Cybersecurity and Infrastructure Security Agency told the Times that the NEW Cooperative and Crystal Valley recovery effort is a model for public and private collaboration.
Goldstein's agency is trying to develop a comprehensive "whole of nation" plan to address cyberthreats, particularly for "critical infrastructure", most of which is owned by the private sector.
In New Zealand, the GCSB and other Government agencies work with private sector players, too. But local industry lobby group NZRise has warned that our bureaucracy sometimes suffers "cultural cringe" when awarding work. Security is one of many areas where the large multinationals are not necessarily the best choice, or at least should not be seen as the only choice.