
A gang called LockBit has posted a series of time-pressured demands for money on the dark web, claiming to hold files belonging to clients of Wellington-based IT provider Mercury IT, which was hit by a ransomware attack in late November, according to the Privacy Commissioner.

The attack compromised data held for Mercury IT clients including contractors to Health NZ; the Ministry of Justice, which says some 14,500 coronial files and 4000 post-mortem reports were affected; the NZ Nurses Association (which represents 55,000 healthcare workers); BusinessNZ; the Wellington Chamber of Commerce and its affiliate Business Central; and Wellington-based private health insurer Accuro, where data relating to some 30,000 customers was exposed.

LockBit is demanding US$999,999 ($1.54 million) within 24 hours for files it says it has from Mercury IT (as of 4am this morning, the gang's countdown had less than 20 hours left), according to Brett Callow, threat assessment analyst with Emsisoft, an NZ-based firm that helps organisations grapple with ransomware attacks.

Alongside the US$999,999 ($1.5m) demand for Mercury IT's own files, the gang's leak site also lists demands of US$199,999 for files from Business Central and US$99,999 for files from Accuro.

The Herald understands other organisations caught in the attack are also being shaken down.

It does not necessarily mean files from Mercury IT clients will be released onto the dark web if the firm (or its clients) fail to cough up within 24 hours.

Callow explains that LockBit’s modus operandi is to offer stolen files to all comers.

Mercury IT could pay US$999,999 to regain access to its files, with LockBit - supposedly - destroying any copies.

If another party - such as a cyber fraud or blackmail outfit - pays the US$999,999 before Mercury IT does, then it gets the files. If no party pays the sum, the countdown clock can simply be restarted.

LockBit also offers victims the chance to pay a smaller sum to extend the deadline by another 24 hours, or another week.

The GCSB’s National Cyber Security Centre is leading a multi-agency investigation of the Mercury IT breach.

High Court order

The Herald is seeking comment from organisations involved in the late November hack, but there has already been a sign that Government agencies are aware of the immediate risk of files being spilled into the public domain.

Earlier this week a High Court judge issued a blanket order compelling anyone who may have received hacked health data or coronial inquest files to immediately delete them.

The order by Justice Christine Grice said anyone who received the files or who may receive the files in the future cannot access, look through or filter the records in any way.

Callow said he did not seek to access any "taster" files offered by LockBit, mindful of the court order.

In a December 14 statement, Accuro said while some of its data was downloaded in the attack on Mercury IT, “At this stage we have not identified any personal or member information in the downloaded dataset, but we cannot rule out this possibility.”

Like others caught in the attack - and Mercury IT itself - Accuro has refused to say if ransomware is involved, let alone confirm or deny if negotiations are under way to get data back.

Privacy Commissioner leans toward change

Emsisoft’s Callow is among those who have suggested circuit-breaker moves to stop the relentless waves of ransomware, including making it illegal to pay a ransom.

On October 22, Kordia chief information security officer Hiliary Walton (who has since decamped to Microsoft) pointed across the Tasman, where Australia's privacy legislation allows for a fine of up to A$2.2m - and even possible jail time for the executives involved - for a health data breach. New legislation raises the maximum fine to A$50m. The tightening follows major data breaches at Optus and health insurer Medibank.

Last week, new Privacy Commissioner Michael Webster said NZ should consider raising its current penalty of $10,000.

Webster’s predecessor, John Edwards, proposed $1m fines with a 2020 revamp of the Privacy Act, but the idea was knocked back by the Government.

The new Privacy Commissioner said last Tuesday: “I am certainly very interested in looking at the role that a financial penalty regime consistent with New Zealand consumer law could have, in terms of punishing people for poor management of people’s personal data.”

Webster added: “These regimes exist in many other jurisdictions.”

The Government has so far resisted change, however.

On making it illegal to pay a cyber ransom, Justice Minister Kiri Allan told the Herald: “While the Government understands making payments for cyber ransoms may be perceived as encouraging further attacks, taking criminal action against the victim raises issues of fairness in regard to making a victim a criminal when they are attempting to protect their business and livelihoods by making the payment.

“As such, there aren’t any current plans to criminalise those who pay cyber ransoms,” Allan added.

And on fines for firms that lose data to thieves because of poor levels of protection, Allan said: “Penalising those who fail to take sufficient steps to protect their data with substantial fines is not currently a priority for me as Justice Minister.”