Ironically, word of the attack on Mercury IT broke in the same week that an independent inquiry into last year’s attack on Waikato DHB (above) wrapped up.

ANALYSIS: People should probably assume the worst about the ransomware attack that impacted customers of Wellington information technology firm Mercury IT.

The biggest concern at this stage appears to be that the attack “affected access” to approximately 14,500 coronial files belonging to the Ministry of Justice, including about 4000 post-mortem reports, and a variety of information held by organisations that provide services to Te Whatu Ora, Health NZ.

Te Whatu Ora is the body that took over the management of all health services, including hospital and specialist services and primary care, following the dissolution of the country’s 20 DHBs in July, so it is arguably the country’s juiciest ransomware target.

Brett Callow, a threat analyst at cybersecurity firm Emsisoft and a leading international expert on ransomware, says ransomware gangs love managed services providers [MSPs] such as Mercury IT.

“If they can compromise an MSP, they can likely get to their clients so, instead of having a single victim as they usually would, they have multiple victims. Or, to put it another way, multiple chances to extort money.”

By “affecting access” to files, what the Ministry of Justice probably means is that those files can’t be accessed.

It is safe to assume that if it is ‘good’ ransomware, those files will have been encrypted into gobbledegook and only the attackers hold the digital key needed to unlock and make sense of what they contain.

Unfortunately, it is very likely to be the case that the attackers copied the data that they wanted before locking access to the files.

They will then typically demand a ransom, both to supply the digital key that the impacted organisations will need to get back access to their files, and in return for not dumping the sensitive information they have stolen online.

The Ministry of Justice stated on Tuesday that there was “no evidence at this stage” that the data had been taken but said it couldn’t “rule that out”.

In reality, it is only to be expected.

Waikato DHB also initially stated on May 24 last year that it had “no evidence” that any of its patient data had been stolen from it in the wake of the ransomware attack on the DHB.

But, unsurprisingly, it transpired that it had been.

It is standard practice for ransomware attackers, after they compromise an organisation’s IT system, to root around and take whatever data they want, and only then to encrypt the organisation’s computer files, which is the step that makes the organisation aware of the attack.

Callow says about three-quarters of all ransomware incidents involve “data exfiltration”.

“So, statistically speaking, it’s quite likely that data was stolen in this case.

“And if information was indeed stolen, the hackers will likely be using the threat of releasing it as leverage to extort payment from Mercury and/or its clients.”

It is just possible that some of the private-sector organisations that have fallen victim to the Mercury IT attack might be tempted to pay a ransom, even though that is unethical because it only helps fund and encourage more attacks on other victims.

But government statements would appear to preclude public-sector organisations from paying such ransoms.

So it is quite likely data stolen from the Ministry of Justice and Te Whatu Ora’s contractors will eventually be dumped online, perhaps in tranches, once the attackers play their last card and then give up on collecting payment.

The big unknown at this point is how far the ransomware may have spread through the network of organisations served by Mercury IT and how many will still have access to uncompromised electronic back-ups or paper back-ups that they may need to return to business as usual.

The National Cyber Security Centre (NCSC) is coordinating the response to the ransomware attack, but can be expected to provide no information itself about exactly what has been stolen, the status of any back-ups, or whether ransom demands have been received and what they contain.

It will also be advising the victims of the attack to keep as tight a lid as reasonable on what they disclose.

Its view will be that information about the consequences of the attack will only help the criminals behind it.

A spokesperson for the NCSC explains “we are very conscious that information in the public domain about the response can inform the actions of malicious actors”.

Hopefully though, it will be able to confirm in due course that no ransoms were paid by the public sector victims, as it is in everyone’s interests to get the message out there that attackers targeting New Zealand organisations will go away empty-handed.

The Australian government lost patience with ransomware attacks last month following a breach of the country’s biggest health insurer, Medibank Private.

Its Home Affairs Minister Clare O'Neil announced the Australian government would consider making the payment of ransoms to cyber hackers illegal.

New Zealand government ministers have been asked numerous times over the past few years if they might consider taking the same step.

Up to now, the answer has been ‘no’, or at least ‘not yet’, but with ransomware attacks becoming ever more frequent and the consequences more serious, that would seem to be the way the wind is blowing.