Nelson-based Emsisoft's decryption tool is being used by Ireland's healthcare system in its efforts to restore files after a ransomware attack that hit on May 14 - earning it a namecheck in the Irish Times and a nod from the head of the country's CERT (Computer Emergency Response Team), Brian Honan.
But it is being ignored at home, despite the company saying it has an even chance of restoring the Waikato DHB's files.
Emsisoft threat analyst Brett Callow says he understands the Waikato DHB attackers used "Zeppelin" ransomware - against which his company's decryption tool would have a 50:50 chance of rescuing the health service's files.
But Emsisoft chief technology officer Fabian Wosar tells the Herald his company offered to help the Waikato DHB, too - but that it simply hasn't heard back.
If the DHB does take up Emsisoft's offer, Callow says it could decrypt each of its servers locked by the hackers in about 24 hours. But it was not easy to decrypt multiple servers at once (and there are 680 servers hit) because each is locked by a unique key. However, the process could be greatly sped up with assistance from a cloud computing partner such as Amazon Web Services (AWS).
A spokesman for the DHB had no immediate comment on Emsisoft's offer in particular but said there would be no comment on which parties were pitching in while the attack was ongoing. He said several private companies were involved in recovery efforts, as well as the GCSB's National Cyber Security Centre. "Multiple" offers of assistance had been received.
For Callow, it was good news, of sorts, to learn that Zeppelin had been used to cripple the Waikato DHB's systems, because - unlike some ransomware - some versions had flaws that were relatively easy to exploit for decryption.
The threat analyst said his company's decryption tool had two uses: decrypting servers locked by ransomware or, where hackers had supplied a decryption tool (usually after a ransom was paid), helping to speed up the process. Decryption tools supplied by hackers are often slow and buggy, Callow said. It was typical for an organisation to use one or more third-party decryption tools, such as the one made by his company, to boost their efforts to restore their data.
Emsisoft's Wosar was philosophical about the Waikato DHB's snub, putting it down to post-attack confusion.
"As you can imagine, ransomware breaches are somewhat chaotic. There are often a lot of external contractors involved, insurances, lawyers, law enforcement, regulatory and public agencies, and obviously the victim. It's not always easy to pierce through all that noise and get to the key decision-makers we need to reach, since their attention is often occupied by all the general chaos and triaging going on," he told the Herald.
Emsisoft is registered in New Zealand and owned by its founder, Christian Mairoll - an Austrian expat who relocated to a lifestyle block in 2014. Today the company employs 40 staff across 20 companies, all working from home.
Yesterday, after a group purporting to be the attackers sent patient files to media outlets, top government officials held crisis talks as a meeting of the Officials Committee for Domestic and External Security Co-ordination.
Afterwards, Health Minister Andrew Little said he had sought assurances from other DHBs that their cyber-defences were up-to-date.
Privacy Commissioner John Edwards also warned all District Health Boards to urgently fix their IT vulnerabilities amid what has become the country's biggest-ever cyber attack.
However, security experts like Theta's Jeremy Jones are questioning the degree of knowledge that DHBs have about ransomware. On the weekend, Waikato DHB CEO Kevin Snee told media there was a low chance that patient records had been stolen by the hackers - only to have the hackers email media outlets with multiple examples of stolen files.
Recovering files, control of systems only half the battle
Earlier, the Dublin-based Honan told the Herald that unfortunately, the Waikato DHB decrypting its files and regaining control of its systems was only half the problem.
Going by multiple overseas examples, it was almost certain the hackers had made copies of all stolen files - leaving open the possibility of a future extortion attempt against the DHB. It was also possible the hackers would email individual patients - as happened recently in Finland - demanding amounts in the hundreds of dollars to prevent embarrassing treatment details being spilled on the public internet.
The Waikato DHB, having finally acknowledged that patient records emailed to media by the hackers are genuine, now says it will approach affected individuals and offer counselling or guidance.
It was also revealed yesterday that a 2020 stocktake of the country's health systems found them vulnerable to "significant" cyberattacks - mirroring a Reserve Bank report of May the same year that found the institution's security systems underfunded and out-of-date, only for the RBNZ to stick with a criticised file sharing service that was breached six months later.