Multiple New Zealand businesses caught in a large-scale ransomware attack have had their data listed for sale on the dark web.
The businesses were all customers of Wellington information technology firm Mercury IT, itself the victim of a ransomware attack understood to be by a cybercriminal gang known as Lockbit.
Health insurer Accuro, architecture firm Catalyst Group, business mentoring programme Business Central, commercial flooring business Polyflor, and Mercury IT itself have all had data listed for sale on the dark web for prices between US$99,000 (NZ$157,000) and US$999,999.
Mercury IT also performed contract work for Te Whatu Ora and Health NZ. The attack is said to involve 14,500 coronial files and 4000 post-mortem reports from those organisations, but so far this information has not been listed on the dark web.
Brett Callow, a threat analyst at cybersecurity firm Emsisoft and a leading international expert on ransomware, said it was hard to describe how big this incident was for New Zealand security.
“This is possibly the most significant cybersecurity incident New Zealand has had. I can’t think of any other incident that has simultaneously affected so many organisations,” Callow said.
Most ransomware attacks in New Zealand focused on stealing or compromising the data of a single company, but this attack had targeted Mercury IT, a managed service provider that worked with multiple businesses.
“Because of this, the attacker has managed to amass multiple victims from the same attack,” Callow said.
The group behind the attack, a ransomware gang called Lockbit, was formed in 2019 and is thought to be based in Russia or in Eastern Europe.
The group often operated as ransomware as a service, meaning people could hire the group to commit attacks anywhere in the world. Recently a Canadian resident had been arrested in relation to a Lockbit attack, he said.
“Because of this, these attacks can often originate much closer to home than people may initially think,” Callow said.
The fact that the data has been listed for sale on the dark web meant Lockbit had moved to the second part of its plan, making money from the stolen data, he said.
“Lockbit do two things here. Firstly they offer to destroy the stolen data if the victims pay, whether they do or not is highly debatable. And two, if the victim won’t pay they offer up the data to any third party that wishes to purchase it,” he said.
If a company refused to pay, ransomware groups would often leak sensitive data obtained in the attack online, such as was seen in the attack against the Manukau DHB.
Accuro Health Insurance chief executive Lance Walker confirmed the attackers had disclosed information stolen from the business online.
“We are assessing the data to determine who the information belongs to and taking steps to have the disclosed information removed where possible,” Walker said.
If the business found leaked information about customers or employees it was prepared to work swiftly to help the affected people protect their information from misuse, he said.
Last week the High Court ordered anyone who may have received hacked health data or coronial inquest files to immediately delete them.
The order was an attempt to stop the data hacked in the Mercury IT attack from being accessed by New Zealanders.
Callow said the order might stop everyday New Zealanders from accessing the files but would do little to deter criminals.
“It is unlikely to prevent cyber criminals doing what they will with the data, nor is it likely to prevent anyone who wants to acquire the data for criminal purposes,” he said.
The National Cyber Security Centre (NCSC) was coordinating the response to the ransomware attack, and was advising the victims of the attack to keep as tight a lid as reasonable on what they disclosed.
Its view was that information about the consequences of the attack would help the criminals behind it.
Cert NZ incident response manager Jordan Heersping said ransomware was one of the more destructive and stressful cyber incidents that could affect a business.
“Like the old saying, the best offence is a good defence. There are steps you can take to protect yourself from these attacks and ensure that if you are targeted you can quickly get back up and running with as little damage as possible,” Heersping said.
While no single tool could by itself prevent a ransomware attack, a suite of controls and security steps could help keep businesses secure, he said.
Business owners should look to the Cert NZ website for more information on how to protect themselves from malicious attacks, he said.