The ransomware gang that hacked F&P Appliances has posted sensitive files from the whiteware giant on to the internet.
Brett Callow, a threat-assessment analyst with anti-virus and anti-malware company Emsisoft, said the files were posted overnight to the dark web - a section of the internet that is not searchable, but known to hackers, traders in illicit goods and people in the security community.
Callow says the files included an expenditure vs budget spreadsheet and a China Business Unit Report presentation, both dated January 2020, and a China Manufacturing Review spreadsheet dated March 2020. All are multi-page and densely packed with financial data and various metrics.
Today, the Auckland-based F&P Appliances (which is owned by China's Haier and totally separate from the NZX-listed F&P Healthcare) had no comment on whether a ransom had been demanded or, if so, whether it had any intention of paying up.
Ransomware demands to corporates typically run to millions. Hackers tried to extort $8.5 million from UK-based Travelex early this year for the return of stolen data (the company refused).
Callow said things could get worse for F&P Appliances.
Ransomware gangs typically post stolen data in instalments to gradually ramp up the pressure on the company to pay a ransom and stop further data being made public.
"In other cases, it's been posted in as many as eight instalments," he said.
"Generally speaking, groups start by publishing the less sensitive data first.
"Were they to publish the most sensitive documents, the company would have less incentive to pay to prevent the remaining data being released."
Yesterday, after an anonymous tip-off, the Herald approached F&P Appliances to ask if it had been hit by ransomware.
F&P Appliances spokesman Andrew Luxmore said, "Early last week, Fisher & Paykel experienced a cyber-attack which has impacted our manufacturing and distribution."
"Nefilim" ransomware - the same used in the recent Toll Group attack - was employed by the hackers.
"The attempt was identified quickly and, as a result, we locked down our IT ecosystem immediately. We are currently working with third-party experts to restore our systems and our ability to take and fulfil orders, as well as introducing additional security measures," Luxmore said.
"We are one of many businesses that have been the subject of a global cyber-attack in recent months, and we are working closely with other businesses to understand how we can better protect ourselves from this type of criminal activity."
F&P Appliances joins several high-profile targets over recent months, including Toll Group, which has suffered two major attacks; BlueScope Steel; and Honda, whose global operations were hit today by an attack which some commentators say bears the hallmarks of a ransomware attack.
Callow had also found files from Toll on the dark web.
Lion was hit by a major cyber-attack on Monday, but could not immediately confirm if it involved ransomware.
Peter Bailey, GM of local security outfit Aura, said ransomware gangs were exploiting the Covid-19 outbreak. His firm was seeing a lot of phishing emails that purported to be information about coronavirus but actually contained links to ransomware.
"What makes these incidents particularly bad is that the data, which often relates to companies' customers and business partners, is posted online where it can be easily accessed and misused by other criminals," Callow said.
"Consequently, the individuals and businesses whose information was compromised face a very real risk of identity theft, spear-phishing and other forms of fraud.
"For example, in a previous incident, the patients of a plastic surgeon were threatened with the release of their before-and-after photos unless they paid."
What to do if you're hit by ransomware
New Zealand businesses or individuals hit by a cyber-attack are advised to contact Crown agency CERT (the Computer Emergency Response Team) as their first step.
CERT acts as a triage unit, pointing people to the right law enforcement agency or technical contacts.
CERT director Rob Pope and police both advise against paying up on a ransomware demand, even if the sum involved is modest.
They say there is no guarantee that data will be returned, or unlocked. They also caution that while paying a small ransom can be convenient, the money can help fund Eastern European gangs who are also involved in the likes of drug and human trafficking.
New Zealand's Privacy Act has no requirement for organisations to report a data breach to authorities or customers, but a revamp of the legislation, currently before Parliament, includes mandatory disclosure provisions.