You've read about recent high-profile ransomware attacks - where files were stolen or encrypted by criminal gangs, who demand money for the files' return. But what do they cost NZ, and how can they be stopped? Answers are beginning to emerge.
Rob Pope, director of Crown agency Cert NZ (the Computer Emergency Response Team) and police both advise against paying up on a ransomware demand, even if the sum involved is modest.
• Lion ransomware attack: Speights back, but supply problems continue for other beers
• Hackers post sensitive F&P Appliances files to the dark web
• Toll says data stolen in second ransomware attack within months
• Air NZ service provider Travelex held to ransom by hackers demanding $8.5m
They say there is no guarantee that data will be returned, or unlocked. Or the thieves might simply take a copy, and use elements of that to blackmail you anyway.
They also caution that while paying a small ransom can be convenient, the money can help fund Eastern European gangs who are also involved in the likes of drug and human trafficking.
But the pressure can be intense - especially when ransomware gangs start to drip-feed bits of your sensitive data on to the web, as is happening right now in a pressure tactic against Fisher & Paykel Appliances.
Local security company Emsisoft says some 33 per cent of companies hit by ransomware pay up, and that the average demand is US$84,000 (NZ$130,000).
But within that, there is a wide range, with individuals and small businesses often asked for as little as $1500, as a wide net of automated attacks is cast for small fish, while ransomware hackers often try to extort millions from corporate targets through more carefully-crafted individual attacks. For example, the unsuccessful attempt to extort $8.5m from Air NZ foreign exchange partner Travelex over January and February.
But the main costs are incurred by companies which choose not to pay, and spend days or weeks painstakingly restoring their systems, and using expensive, time-consuming manual workarounds in the interim.
Using a conservative downtime cost of US$10,000 a day Emsisoft estimates ransomware attacks have cost New Zealand organisations US$25.9m this year.
Emsisoft runs a free tool called Ransomware ID. You upload an encrypted file, then the service tells you what ransomware was used to encrypt it, and whether it can be decrypted by a tool from Emsisoft or another security company.
Ransomware ID has been used some 3.5 million times, and the company guesstimate accounts for one in every four ransomware attacks, giving a broad feel for the number of organisations that get compromised. Still, Emsisoft threat analyst Brett Callow admits it's still taking something of a shot in the dark, due to the dearth of data (right now, there's no legal requirement for organisations to tell authorities about a breach, although that will change with the Privacy Bill currently making its way through Parliament). The only thing it can be sure of is that the problem is large and growing.
For context, a weighted Harris Poll of 1009 New Zealanders for NortonLifeLock found that cyber attacks, including ransomware, cost NZ $108m last year as cyber crime increases 33 per cent over the prior year.
What is to be done?
First, there are the basics: any expert will tell you that you need to have anti-virus, anti-malware software in your organisation, plus hardware or software firewalls; you need to keep all of your software (not just security software) up-to-date with the latest patches and you have to backup regularly, and regularly check that your backups work.
1. A 'cold' backup
Beyond that, Cert NZ says a key defence against ransomware is to do a "cold" backup.
Most organisations will copy their files to one or more cloud backup services. But if your passwords are compromised, those online backups can be too.
A cold backup involves the manual, old-world method of copying files to a portable hard drive, then physically moving that hard drive to somewhere off your premises.
2. A culture of suspicion
NortonLifeLock security expert Dean Williams gives a cold backup the tick, but emphasises "it's just one piece of the puzzle".
Another is to have the right culture in your organisation - and that's one where people are highly on-guard and not afraid to highlight a suspicious email.
"If you're not confident a message is real, call it out," Williams says.
Ransomware gangs tend to take their time stalking a large corporate target, and often carefully customise attacks.
"A phishing email can be crafted to the point where it's very hard to identify as a fake," he says.
You've got to educate your staff to be on the lookout for phishing attacks, such as an invoicing scam, Williams says.
At Herald publisher NZME, an award-winning awareness campaign took in everything from a "Phishing" button added to Outlook to posters on the back of toilet doors. It led to an 80 per cent increase in staff reporting suspicious emails.
• NZME anti-phishing campaign among iSANZ winners
Aura Infosec GM Peter Bailey says his organisation is seeing an increase in scam emails related to the pandemic as confusion around rapidly changing office and home office setups opens a rich vein of confusion for exploitation. So be particularly wary of any communications about Covid-19. Your standbys are to report suspicious email to your IT department or to give the apparent source of an email an old fashioned telephone call.
You've also got to tell your staff, and friends and family, not to:
• visit unsafe or suspicious websites
• open emails or files from someone you don't know
• click on malicious links in social media, like Facebook posts. Be especially suspicious of purported surveys, coupons and tests
Cert NZ deputy director Declan Ingram says another good rule of thumb is to never download software recommended by someone who phones you, purporting to offer technical support.
And never enable macros (software for automating various functions) in Microsoft Office.
It can also be a good idea to sign up for alerts from Cert NZ. The Crown agency caters to both home users and IT professions (for the latter, it's just issued a warning about possible ransomware vulnerabilities with two remote access technologies that many large organisations use to manage staff working from home during the outbreak.
Cert NZ was set up for education, but also to be used as a triage centre if you get hit by ransomware or another form of cyber attack.
You can get free advice on the best IT support and law enforcement contacts, and Ingram stresses that it's confidential. Start at cert.govt.nz/report.
While Cert recommends not paying a ransom, Ingram says if a business does pay up and get files back, it's important that they have their computers professionally inspected by an IT expert to determine if the attacker has planted any other malware, or if the attacker has created another way to access the business's data.
On human frailty
The human factor remains arguably large organisations' chief point of vulnerability.
After Toll Group got hit by ransomware in January (it would be hit again in May) its chairman John Mullen implied a compromised or corrupted employee could be to blame, telling the AFR: "It is an element of human behaviour that creates these entry points, or the chink in the armour, it is rarely the actual firewall that didn't work.
"People somehow get access to a master password, whether it's via guile or whether it's through criminal activity or bribing. They will use human weaknesses to get around the system."
The only response to the people threat is to assume that you will get compromised, sooner or later - which means take regular backups, check they work, and consider Cert NZ's suggestion for an old-fashioned cold backup.