In the wake of the Waikato DHB attack, a look at where ransomware comes from, the problems one insider sees with the GCSB's efforts, the companies who've coughed up, how our defences compare to Australia and more.
What is ransomware?
Ransomware is software that encrypts files on a company's network,rendering them inaccessible. The cyber attackers who planted it then demand a money to decrypt the data - in the order of hundreds of dollars if you're an individual, or millions if you're a large organisation. Attackers will also typically lock admin accounts - the better to undermine restoration efforts - and lock users out of digital phone systems (that is, all phone systems these days), email, databases and other services.
How does it get in?
Attackers trick staff into inviting it in, usually by clicking on a malicious email attachment which might be imitating a regular invoice or other file you're used to seeing - so you have to be hyper-alert to anything suspicious about an attachment. And unfortunately, that also applies to email from people in your address book. Hackers like to hijack an email account - so you receive a message from a known, trusted address, but sent by a hacker with a malicious attachment or website link.
The attackers often take control of admin accounts at the same time, locking out an organisation's IT staff so they can delete backups on a company's network, or on a cloud-based service. That's why a government agency called Cert (the Computer Emergency Response Team) recommends a "cold backup". That is, at least one backup of your files that's stored offline - although that's easier said that done these days, when many companies have far to many files to simply whip onto a portable hard drive.
Why has there been an upsurge in ransomware?
Cert NZ tracked a 65 per cent increase in cyber-attacks over 2020, compared to 2019, with ransomware one of the growth categories as companies like Toll Group, Lion and Fisher & Paykel Appliances got hit. AUT computer science professor Dave Parry said the upsurge could be pinned, in part, on Covid. The pandemic saw staff scatter to homes, where they often worked on dated or otherwise insecure computers, opening security gaps.
At the same time, lockdowns meant that organised crime gangs in Eastern Europe were losing a lot of their opportunities for real-world shakedowns, so turned to online extortion to help fill the gap. It proved successful, fuelling more online crime.
Why do attackers so often seem to come from Eastern Europe
Parry says Eastern European and former Soviet Union states have a ransomware gang-friendly mix of "weaker legal framework, lots of very good mathematicians and large-scale organised crime".
Do organisations pay up?
Yes. Many. Ciaran Martin, the former head of the National Cyber Security Centre, the British government's cybersecurity agency, said: "There are three problems contributing to the ransomware crisis. One is Russia sheltering organised crime. A second is weak cybersecurity in too many places. But the third, and most corrosive, problem is that the business model works spectacularly for the criminals."
A laundry-list of corporates have forked over cash to the crims.
Earlier this month, the CEO of Colonial Pipeline - which supplies around 45 per cent of the fuel to the East Coast of the US - admitted his company had paid US$4.4 million to ransomware attackers to regain control of its systems, and re-start the flow of gasoline to thousands of service stations drained by panic-buying.
In July 2020, it was reported that Garmin - the multinational maker of fitness trackers for gym junkies and avionics systems for small planes - reportedly paid a US$10m ransom.
The same month, Blackbaud - a Nasdaq-listed company that stores donor files for non-profits - said in a market filing that it had paid an undisclosed ransom for the return of files (which included those it was managing for Auckland and Otago universities).
Earlier in the year, Air New Zealand foreign exchange partner TravelEx reportedly paid a US$2.3m ransom (Air NZ said none of it customer files were exposed in the attack).
And German chemical company Brenntag reportedly paid a US4.4m ransom after its systems were compromised earlier this month. The list goes on.
Bitcoin critics say that's just another reason governments should regulate digital currencies.
Why are payments always in bitcoin?
Because cryptocurrency is an easy mechanism for untraceable payments to anonymous parties. (Ransom notes typically demand an amount framed in US dollars - the better to make easily comprehensible, and to avoid the wild swings in bitcoin valuation, along with instructions in how to pay in cryptocurrency.) Theoretically, Bitcoin is totally transparent, with the path of money from digital wallet to digital wallet available for everyone to see. But the reality is you never see anyone named as the recipient of a ransom - for the technology also makes it easy to disperse a large payment over many accounts, and cyber thieves use 'tumblers' to mix stolen bitcoin with legitimately-acquired digital currency; a crypto-laundering process that again makes it very hard to track payments.
The Government has backed Waikato DHB CEO Kevin Snee, who says his organisation won't pay up - despite the attackers having proved they have patient files in their possession, and a reported threat to attack the 19 other DHBs if the ransom demand is not met.
Police say that's the right stance. If you pay up, there's no guarantee you'll regain access to your files and, more, that paying a ransom only incentivises more offending.
What's the best way to stop the ransomware wave?
Brett Callow, a threat analyst with Emsisoft - a Nelson-based company that offers anti-ransomware tools - says there's one clear way to stop the attacks.
"The most effective way for the New Zealand Government or, for that matter, any government, to combat cyberattacks would be to prohibit the payment of ransoms," he says.
"Cybercriminals are now in a ransom-fuelled feeding frenzy and the easiest and quickest way to stop their attacks is to cut off the cash.
"While prohibition is a very blunt instrument that would undoubtedly cause some short-term pain, I've seen no other solutions recommended that would realistically bring this steadily worsening problem under control - at least, not quickly."
Many pundits agree, including Herald technology columnist Juha Saarinen.
So will our Govt make it illegal to pay a ransom?
No.
Soon after the Waikato DHB attack, Justice Minister Kris Faafoi said he was "not considering making it an offence to pay a ransom or facilitate payment of a ransom in the event of a ransomware attack".
Why not?
"While the Government understands that making payments may be perceived to encourage further attacks, criminalising the victim of a ransomware demand raises issues of fairness about making a victim a criminal if they are trying to protect their business and livelihood - and, possibly, essential infrastructure - by making such a payment," Faafoi said.
Officials were monitoring the situation, Faafoi said, and there would be an assessment of the effectiveness of any law changes offshore.
If an organisation pays a ransom, is that the end of it?
Often not. Brian Honan, the head of Ireland's Cert, told the Herald payment of ransom could mean an organisation regained control of its files - but also that the attackers will inevitably have made copies they can sell to other criminals, or use to blackmail individuals.
Honan speaks from direct experience. Ireland is currently grappling with an attack on its national health service that began on May 14 - which has seen at least 27 patient records spilled online.
And Honan points out a ransomware attack on a chain of psychological counselling clinics in Finland in October 2020 resulted in patients being emailed threats that their therapy notes would be published online if they didn't pay €500 within 48 hours. Around 30 paid up. Another 100 - including politicians and celebrities - had embarrassing details spilled onto the public internet.
Waikato DHB - after last weekend saying there was a low chance of stolen files - now acknowledges example records sent to media are genuine. It is offering counselling for those affected.
The GCSB has our backs, right?
The GCSB's remit includes keeping the state sector and some 250 (un-named) organisations, including key exporters, safe from hackers - and the spy agency's National Cyber Security Centre (NCSC) unit has duly been dispatched to help the Waikato DHB, just as last year it helped the NZX and the Reserve Bank recover from cyberattacks.
The GCSB's core defence is a system called Cortex, which was first deployed in 2011 and described by former Prime Minister John Key as a "Norton AntiVirus at a very high level", wrapping protection around NZ.
But an ex-GCSB staffer told the Herald that Cortex is now getting "long in the tooth."
He saw the agency struggling for skilled staff as corporate New Zealand, newly attuned to cyber threats, poached its employees.
And he also saw the Crown anti-hacking effort undermined by a fragmented, multi-agency approach.
NetSafe chief executive Martin Cocker recently took a similar line, telling the Herald: "We have a lot of agencies doing a lot of stuff; a lot of good stuff, but one of them needs to take a lead role."
Is Cortex long in the tooth?
On the long-in-the-tooth allegation, a GCSB spokesman said, "Cortex is a suite malware detection and disruption capabilities that is deployed to a subset of nationally significant organisations, and it is not a substitute for the information security measures every organisation needs to take.
"Like any technology tools, our cyber defence capabilities need to be constantly refreshed and updated to ensure they remain fit for purpose. While we are still achieving good effect from our capabilities, we have a work programme and funding in place to extend their useful life."
He also pointed the Herald to the agency's 2020 annual report, which states that "the detection and disruption of malicious cyber activity by Cortex capabilities has prevented $70.5m worth of harm to New Zealand's nationally significant organisations".
That's an increase from the $27.7m in harm the agency said it saved in the prior year.
The spokesman would not elaborate on how the agency totalled its harm-prevention figures.
Its NCSC unit recorded 353 incidents in the year to June 30, 2020.
In its 2019 report, it recorded 339 incidents. As in 2020, just under one third "had links to known state-sponsored actors" - implying the balance was down to organised crime.
What's up with Australia's war-footing against cyber-threats?
Last June, Australian Prime Minister Scott Morrison announced a A$1.35 billion ($1.4b) boost for efforts to defend the country's public and private networks against hackers.
The new funding included A$470m to create 500 new jobs within the Australian Signals Directorate, the agency responsible for repelling cyber-attacks. That will take its total staff to around 2500.
How does it compare to NZ?
The Australian response was admittedly driven by a fear of alleged hacking by a state actor - China - as much as ransomware and other organised crime efforts.
But nevertheless, when it comes to increases in spending, Australia vs NZ is a case of billions vs millions.
Cert NZ was set up in 2016 (under the National-led Government of the time) as a "cyber-attack triage unit" with a $22.2m budget. That was increased by $9.3m over four years in Budget 2019.
Budget 2019 also marked $8m over the next four years "to help implement Cyber Security Strategy."
Budget 2020 included a $146m increase over four years for the intelligence agencies. That is, the domestic-focused NZSIS and the GCSB. As the larger agency, the GCSB got $100m of funding, or $25m a year more over four years. Part of that new funding will be used for cyber-security initiatives, but a spokesman for the spy agency would not say how much, citing security concerns (for the same reason, the GCSB will not say how many of its 500-odd staff work for the NCSC.)
Despite the spat of recent high-profile attacks, and the sense of urgency across the Tasman, Budget 2021 featured no cyber-security initiatives.
Are NZ cybercops envious of their Aussie counterparts?
Yup, at least one top cop. At a Trans-Tasman Business Circle lunch, on the heels of last year's attack of the NZX, Brad Marden, Superintendent Cybercrime for the Australian Federal Police, detailed a setup where national security, police who tackle hacking offences and cybercrime policymakers are all literally under one roof.
"I'm envious of what Brad's talking about in terms of them all being in one building. We do that really well in a different way - but there's some improvement to be made," said the next speaker, NZ Police Acting Assistant Commissioner Mike Johnson.
"We've got to be a bit more dynamic, and partner more with business," Johnson continued.
"Often we're mitigating an attack in its own right - but we really need to get ahead of that to be proactive and get people to invest in protection."
Are directors on the hook if a company gets hacked?
Yes. Forget about blaming the geeks in IT for not doing their job.
"While directors do not have any specific legal obligation to lessen cyber threats or mitigate the impact of a cyber attack, cyber risk is no different to other areas of risk faced by organisations," Bell Gully partner Tania Goatley says.
"Directors owe a broad duty to exercise the care, diligence and skill that a reasonable director would exercise in the circumstances. So they need to understand the specific cyber risks, determine cyber risk appetite, and take appropriate actions to deal with the risks. "
Regulators like the Financial Markets Authority have made it clear that boards are ultimately responsible for overseeing cybersecurity, the legal expert says.
"Failure to acknowledge or property engage with cybersecurity issues may become relevant to directors' duties under specific legislation such as the Financial Markets Conduct Act or the Health and Safety at Work Act. Under the Privacy Act 2020, any organisation that holds personal information must ensure it is protected by reasonable safeguards to protect against these sorts of cyber-attacks."
Can I try to keep it under wraps if my company loses files to hackers?
Not any more. The December 2020 update to the Privacy Act introduced mandatory data breach disclosure. If customer files get stolen, hijacked by ransomware thieves or simply lost or emailed to the wrong person, you're required to let affected people - and the Privacy Commissioner - as soon as possible if there's a risk of "serious harm" (the Privacy Commissioner's website has an interactive tool called 'NotifyUs' to help you determined if you've crossed the threshold.
Where should I turn if I'm hit by ransomware?
Cert NZ will put you in touch with right law-enforcement contacts, and offer advice about where to turn for help.
How do I get my defences up to snuff?
Multiple Crown agencies offer advice on getting your computer system in shape, including the police, NetSafe, Cert NZ and the GCSB.
The mantras include keeping all of your systems up to date - not just your security software; using unique, hard to crack passwords for every service; constantly educating staff on good security hygiene, including a deep suspicion of all email attachments and links to unfamiliar websites, and including a range of backups - including some files safely offline.
But Honan says the most important point is to assume that one day you'll be hit. That means checking your backups actually work, and wargaming how you would make contact with customers and partners.
"Regularly testing your restore procedures, running exercises which simulate a ransomware attack, and also including ransomware attacks as part of your business continuity planning," the Dublin-based security expert says.
Was there a canary in the coalmine
Yup. The Government and district health boards were warned last year the country's health IT systems are vulnerable to "significant" cyber threats.
An IT stocktake for the Ministry of Health found the IT systems lacked "tools to detect security attacks".
(Similarly, a May 2020 inhouse report warned the Reserve Bank that it had under-resourced and underfunded security, and that it should upgrade from an outdated file-sharing service. In December 2020, that third-party file-sharing service was breached, exposing RBNZ files)
"Given all the information available last year, the Minister of Health should have intervened in any DHB that did not have adequate cybersecurity protection to protect patients and the health system," security expert Daniel Ayers says.
He notes while the Government did intervene to straighten out the Waikato DHB, it was over financial mismanagement rather than any security issue.
Another security expert, ex-RAF and UK Department of Defence adviser Jeremy Jones (now with Theta in NZ) says the fragmented nature of our 20 DHB's and their 120-odd different IT systems makes it difficult for the Ministry of Health to exercise any real influence of their security policy.
Here, something is happening, if not for cyber defence reasons per se. Budget 2021 included $230m operating spending and $170m capital spending over the next four years for a new, centralised IT system as the 20 DHBs are merged into a single national health agency.
Why target hospitals?
Over the past year, hundreds of health providers around the world have suffered ransomware attacks.
Why are they such an attractive target?
With lives at risk, hospitals are under more urgent pressure than most organisations to pay up.
Private providers can be juicy targets.
"And in a case like the Waikato DHB, the attackers will be hyper-aware that a government-backed organisation providing critical healthcare can only be down for so long. They know the pressure is mounting publicly and that is an incentive to pay up. It's all part of a very well-rehearsed plan,' NortonLifeLock's Mark Gorrie says.
And Theta's Jones adds there's the added appeal - from a criminal's perspective - that individual patients can be extorted if they have sensitive or embarrassing records.
Is there a simple step we can take as a nation?
The Waikato DHB attack spurred Health Minister Andrew Little to call a meeting of top government officials, known as Odesec (for Officials' Committee for Domestic and External Security Co-ordination) on May 26, eight days after the initial attack.
It coincided with the Privacy Commissioner warning all district health boards to urgently fix their IT vulnerabilities amid what has become the country's biggest-ever cyber attack.
Ayers welcomed that politicians were finally acknowledging the situation was a national crisis, but was also suspicious the reviews of DHB systems would turn into a delaying tactic, with results withheld until the public's attention had turned elsewhere.
Ayers said the GCSB had an excellent online guide to beating cyberattacks, but questioned if the agency, and the Government as a whole, was doing enough to publicise it. There was little public education over cyber-risks.
"Even now, Little could come out and say 'Here's the advice we developed last year on how to protect against ransomware. Everyone in NZ must follow it'. Why doesn't he do that? Could it be politically inconvenient to do that, which would highlight the failings of Waikato DHB in which the ministry intervened?"
What happened to the plan for a cyber-czar?
In 2018, there was an attempt to take things by the scruff of the neck.
Then Communications Minister Clare Curran sought to cut across the alphabet soup of digital titles and agencies in security and other IT areas by appointing a digital czar or chief technology officer with sweeping powers to shape strategy in cybersecurity and other areas.
That effort fell on its face as appointee Derek Handley was handed a $107,500 payout as the Government had a last-minute rethink.
After Curran was shuffled off stage left, it was ultimately decided the CTO role should be replaced by a "Digital Council" of lowish-profile IT industry figures who were appointed in February 2020 without fanfare.
The council has put out some reports summarising the work of other agencies, and encouraged the Government to do better in areas such as closing the digital divide - where we saw a brief burst of energy during the first lockdown before it petered out as children returned to school.
But government agencies, DHBs, schools, councils and other government agencies continue to take different approaches to security and other IT issues, depending on area, wealth and whim.