New research shows many New Zealand firms would be willing to pay a ransom to retrieve data that has been stolen, or encrypted, by hackers.
A global study of 2700 business executives worldwide, commissioned by French multinational Thales, found one-third of companies in its NZ sample had paid, or were willing to pay, a cyber ransom.
The pandemic has created an upsurge in ransomware, as hackers exploit security gaps that have emerged through hybrid working, and an environment in which businesses - and the likes of hospitals - needed their systems online more than ever. Targets ranged from the Waikato DHB to the likes of Lion, Toll and Fisher & Paykel Appliances - all of whom refused to engage with their attackers and suffered significant disruption.
Earlier this week, the Government's Computer Emergency Response Team (Cert NZ) said in its first-quarter report that ransomware attacks were up 31 per cent compared to the first quarter of last year. That equated to 17 attacks, although Cert NZ director Rob Pope has also said reports to his agency are only the "tip of the iceberg" of offending.
"Criminalising the victim"
Last year, as Waikato Hospital struggled for weeks to restore its systems, there were calls for it to be made an offence to pay a cyber ransom.
Then Justice Minister Kris Faafoi rejected the idea.
"While the Government understands that making payments may be perceived to encourage further attacks, criminalising the victim of a ransomware demand raises issues of fairness about making a victim a criminal if they are trying to protect their business and livelihood - and, possibly, essential infrastructure - by making such a payment," Faafoi said.
Thales Australia-New Zealand cloud security director Brian Grant says there are other tools at our Government's disposal, even if it is unwilling to outlaw ransom payments.
One was making it mandatory to disclose any payment to ransomware hackers.
Currently, New Zealand - under the update of the Privacy Act that came into force in December 2020 - has a legal requirement for mandatory disclosure of a data breach, but no similar requirement to disclose that a cyber ransom payment has been made.
Across the Tasman, the Ransomware Payments Bill is slowly winding its way through Parliament. It requires any ransomware payment to be reported to the Australian Cyber Security Centre. There's no equivalent legislation in the works here.
Those who have coughed up
Elsewhere, the situation is spotty. In the US, where Congress and several states are considering bills that would make it illegal to pay a cyber ransom, or compulsory to disclose a payment, Colonial Pipeline paid off hackers to unshackle the systems controlling its fuel pipeline, and get "gas" flowing again to thousands of service stations on the east coast. The firm did not disclose an amount, but the New York Times reported it was "approximately US$5 million" (NZ$7.65m).
After Nasdaq-listed Garmin was hit by ransomware in 2020, multiple US publications reported the maker of fitness trackers, plus navigation systems for aircraft, had paid a US$10m ransom (the company did not comment).
In 2020, another Nasdaq-listed company, donor-management firm Blackbaud, disclosed it paid to retrieve data from customers including Auckland University and Otago University, who use the service for alumni data.
"Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed," Blackbaud said in a statement. (Auckland University and Otago University both said that, like other Blackbaud customers, they were not party to the decision.)
And after Travelex was hit by a ransomware attack in early 2020, it initially looked like the London-based foreign currency exchange firm was going to grit its teeth and go through the pain of restoring its systems rather than pay a demand for US$6m. But the Wall Street Journal later reported that, faced with the dawning realisation its payment systems could be disrupted for weeks, Travelex did in the end pay US$2.3m. (Travelex declined to comment on whether it paid a ransom. Travelex was, at the time, the issuer of Air New Zealand's OneSmart card, a prepaid card that can be loaded with up to eight foreign currencies. The airline said none of its customers' data was put at risk. It has since switched issuers to Australian firm EML Payments.)
Police: Don't pay up
NZ Police and Crown cybercrime agency Cert NZ recommend those hit by ransomware do not pay.
Paying up both incentivises and funds further offending.
Data may not be decrypted or returned as promised, and the proceeds often go to criminal gangs, helping to sustain operations in other areas such as drug and human trafficking.
Copies of data might not be destroyed, but instead used for blackmail, and returned data can be booby-trapped to allow future access to an organisation's network, Cert NZ says.
The case for paying up
Nevertheless, at the time of the Blackbaud ransom payoff, Wellington lawyer and cyber specialist Michael Wigley told the Herald "it's a tough, two-edged call to pay the ransom - but I can understand why they decided to pay".
In some cases, you could even argue there was a legal duty to protect clients' data, Wigley said.
Similarly, an Institute of Directors New Zealand advisory on "The Ransomware Dilemma" notes the usual arguments against paying a ransom, but also offers two arguments for forking over the cash (or, more likely, bitcoin).
"Cyber attacks should be considered a business risk. As such, some businesses may be prepared to pay the ransom as a business cost. Organisations which do not carry customer data, or can ascertain that no important data has been stolen, may determine it is cheaper to pay the ransom than restore their systems from backups," it says.
"Other organisations may make a decision – based on a risk assessment – to pay the ransom to resume normal business operations as soon as possible. For them, the risk of customer data or sensitive information being leaked online, or the time needed to restore systems from backups will have been determined to have a greater negative impact than simply paying the ransom."
At the time of the Blackbaud attack, Wigley said the anecdotal evidence was that many ransomware operators did, in fact, release data after a payment. After all, they had a reputation, of sorts, to uphold.
This week, Grant told the Herald that many ransomware gangs ran slick operations.
"They even have help desk numbers," he said.
Regulators can step in - to shame or fine
The survey for Thales found half of NZ respondents had no ransomware plan.
Grant notes that beyond brand damage and business disruption, you can get in regulatory hot water too.
After financial planning firm RI Advice suffered a ransomware attack, and was then hit by hackers again after failing to upgrade its defences, the Australian Securities and Investments Commission (ASIC) took it to Federal Court in 2020, alleging it had breached its obligations as a financial services licensee.
In a decision released earlier this month, the court ordered RI to fork over A$750,000 and directed it to hire an outside cyber-security expert to review its systems.
A 2019 law change meant ASIC can pursue a business that breaches its financial licensee obligations for civil penalties of up to A$11 million or up to 10 per cent of its turnover (to a A$555m cap).
Our equivalent to ASIC - the Financial Markets Authority - can't ding a company with a financial penalty per se if its cyber-security is not up to snuff. But the agency can order one of the companies it regulates to take remedial steps to improve its cyber-defences, and there could be a major financial penalty if that order is not complied with.
"If the FMA issued a direction order for the breach of a licence condition relating to cyber-security and the direction order was not complied with, the maximum penalty would be $600,000, or $200,000 for an individual," an FMA spokesman says.
"The parties would make submissions on an appropriate penalty and cases depend on a wide range of factors, which is ultimately for the court to determine."
After the DDoS attack on NZX in 2020, the FMA required the exchange to develop a formal action plan to address security issues identified by the regulator, which it said included under-investment in cyber-security and inadequate crisis planning.
An FMA report was scathing, but events otherwise stayed on a constructive level, with the regulator saying it was satisfied with the exchange's response.
In another case, the Reserve Bank became the first organisation to be hit by a Compliance Notice from the Office of the Privacy Commissioner. The September 2021 sanction came after the watchdog found the RBNZ had failed to take reasonable steps to protect against the disclosure of personal information as it relied on an out-dated third-party tool for sharing files.
The NZX's inadequate preparation for a cyber attack, and its aftermath, put it in the same boat as around half of the Kiwi companies included in the survey for Thales.
Grant says a related issue is that most organisations don't know where all their data sits, a problem compounded by smartphones and other BYO devices, and private and work accounts being mixed at random in the cloud.
"As the threat of cyber attacks continues to grow, the reality is that cyber-awareness training, paying ransoms, and other outdated approaches are not mitigating risk amongst data-dependent organisations," Grant says.
"Staff turnover and inconsistent skills, combined with advanced social engineering by attackers makes cyber awareness ineffective, while paying a ransom only fosters more criminal behaviour."
It's encouraging that many businesses have increased security budgets and devised cyber-incident response plans, "but a worrying lack of effective data security continues to leave gaping holes for criminals to exploit," he says.
2022 Thales Data Threat Report highlights
• Only half of New Zealand businesses (51 per cent) have a formal ransomware plan and 40 per cent have added additional budget for ransomware tools.
• Nine in 10 (89 per cent) IT leaders admit they don't have complete knowledge of where their data is stored.
• Data breaches remain high in New Zealand - 25 per cent of businesses have experienced a breach in the past 12 months and 100 per cent of attacks have affected internal and/or external operations.
• Nearly three-quarters (72 per cent) of businesses remain concerned about the security risks of an increasingly remote workforce.
• Over half (55 per cent) of businesses expect to spend future security budgets on zero trust and cloud single sign on technologies as a priority, followed by data in transit (40 per cent).
From a survey of 2700 executives, across 17 countries including NZ, carried out by 451 Research in January 2022. The majority of respondents were in organisations with 500 to 10,000 staff.
How the crypto crash is affecting hackers' behaviour
The value of bitcoin has more than halved since November, with the value of one bitcoin to the US dollar falling from above US$64,000 to below US$30,000.
Grant says the crash has fuelled hacker inflation. A ransomware gang that used to demand 100 bitcoins from a corporate target will now seek 300.