Understanding the Waikato DHB ransomware attack
Chris Keall wades through the shadowy world behind the Waikato DHB ransomware attack
What is ransomware?
Ransomware is software that encrypts files on a company’s network, rendering them inaccessible. The cyber attackers then demand money to decrypt the data — in the order of hundreds of dollars if you’re an individual, or millions if you’re a large organisation. Attackers will also typically lock admin accounts — the better to undermine restoration efforts — and lock users out of digital phone systems, email, databases and other services.
How does ransomware get into a network?
Attackers trick staff into inviting it in, usually by clicking on a malicious email attachment which might be imitating a regular invoice or other file you’re used to seeing — so you have to be hyper-alert to anything suspicious about an attachment. And unfortunately, that also applies to email from people in your address book as their accounts may have been hijacked.
Why not just restore from a backup?
The attackers often take control of admin accounts at the same time, locking out an organisation’s IT staff so they can delete backups on a company’s network, or on a cloud-based service. That’s why a government agency called Cert (the Computer Emergency Response Team) recommends a “cold backup”. That is, at least one backup of your files that’s stored offline — although that’s easier said than done these days, when many companies have far too many files to simply whip on to a portable hard drive.
Why has there been an upsurge in ransomware?
Cert NZ tracked a 65 per cent increase in cyber-attacks over 2020, compared to 2019, with ransomware one of the growth categories as companies like Toll Group, Lion and Fisher & Paykel Appliances got hit. AUT computer science professor Dave Parry said the upsurge could be pinned, in part, on Covid. The pandemic saw staff scatter to homes, where they often worked on dated or otherwise insecure computers, opening security gaps.
At the same time, lockdowns meant that organised crime gangs in Eastern Europe were losing a lot of their opportunities for real-world shakedowns, so turned to online extortion to help fill the gap.
Why do attackers so often seem to come from Eastern Europe?
Parry says Eastern European and former Soviet Union states have a ransomware gang-friendly mix of “weaker legal framework, lots of very good mathematicians and large-scale organised crime”.
Do organisations pay up?
Yes. Many. Ciaran Martin, the former head of the National Cyber Security Centre, the British government’s cybersecurity agency, said: “There are three problems contributing to the ransomware crisis. One is Russia sheltering organised crime. A second is weak cybersecurity in too many places. But the third, and most corrosive, problem is that the business model works spectacularly for the criminals.”
A laundry-list of corporates have forked over cash to the crims.
This month, the CEO of Colonial Pipeline — which supplies around 45 per cent of the fuel to the East Coast of the US — admitted his company had paid US$4.4 million ($6.1m) to ransomware attackers to regain control of its systems, and restart the flow of gasoline to thousands of service stations drained by panic-buying.
In July 2020, it was reported that Garmin — the multinational maker of fitness trackers for gym junkies and avionics systems for small planes — reportedly paid a US$10m ransom.
The same month, Blackbaud — a Nasdaq-listed company that stores donor files for non-profits — said in a market filing that it had paid an undisclosed ransom for the return of files (which included those it was managing for Auckland and Otago universities).
Earlier in the year, Air New Zealand foreign exchange partner TravelEx reportedly paid a US$2.3m ransom (Air NZ said none of its customer files were exposed in the attack). The list goes on.
Bitcoin critics say that’s just another reason governments should regulate digital currencies.
Why are payments always in bitcoin?
Because cryptocurrency is an easy mechanism for untraceable payments to anonymous parties. (Ransom notes typically demand an amount framed in US dollars — the better to make the demand easily comprehensible, and to avoid the wild swings in bitcoin valuation.)
Is the Waikato DHB right to refuse to pay up?
The Government has backed Waikato DHB CEO Kevin Snee, who says his organisation won’t pay up — despite the attackers having proved they have patient files in their possession, and a reported threat to attack the 19 other DHBs if the ransom demand is not met.
Police say that’s the right stance. If you pay up, there’s no guarantee you’ll regain access to your files and, more, paying a ransom only incentivises more offending.
What’s the best way to stop the ransomware wave?
Brett Callow, a threat analyst with Emsisoft — a Nelson-based company that offers anti-ransomware tools — says there’s one clear way to stop the attacks.
“The most effective way for [any government] to combat cyber attacks would be to prohibit the payment of ransoms,” he says.
“Cybercriminals are now in a ransom-fuelled feeding frenzy and the easiest and quickest way to stop their attacks is to cut off the cash.
“While prohibition . . . would undoubtedly cause some short-term pain, I’ve seen [no other solutions] that would realistically bring this steadily worsening problem under control — at least, not quickly.”
So will our Govt make it illegal to pay a ransom?
No. Soon after the Waikato DHB attack, Justice Minister Kris Faafoi said he was “not considering making it an offence to pay a ransom or facilitate payment of a ransom in the event of a ransomware attack”.
Why not?
“While the Government understands that making payments may be perceived to encourage further attacks, criminalising the victim of a ransomware demand raises issues of fairness about making a victim a criminal if they are trying to protect their business and livelihood — and, possibly, essential infrastructure — by making such a payment,” Faafoi said.
Officials were monitoring the situation, Faafoi said, and there would be an assessment of the effectiveness of any law changes offshore.
If an organisation pays a ransom, is that the end of it?
Often not. Brian Honan, the head of Ireland’s Cert, told the Weekend Herald payment of ransom could mean an organisation regained control of its files — but also that the attackers will inevitably have made copies they can sell to other criminals, or use to blackmail individuals.
Honan speaks from direct experience. Ireland is grappling with an attack on its national health service that began on May 14 — which has seen at least 27 patient records spilled online. And Honan points out a ransomware attack on a chain of psychological counselling clinics in Finland in October 2020 resulted in patients being emailed threats that their therapy notes would be published online if they didn’t pay €500 ($838) within 48 hours. Around 30 paid up. Another 100 — including politicians and celebrities — had embarrassing details spilled on to the public internet.
Waikato DHB — after last weekend saying there was a low chance of stolen files — now acknowledges example records sent to media are genuine. It is offering counselling for those affected.
The GCSB has our backs, right?
The GCSB’s remit includes keeping the state sector and some 250 (unnamed) organisations, including key exporters, safe from hackers — and the spy agency’s National Cyber Security Centre (NCSC) unit has duly been dispatched to help the Waikato DHB, just as last year it helped the NZX and the Reserve Bank recover from cyber attacks.
The GCSB’s core defence is a system called Cortex, first deployed in 2011 and described by former Prime Minister John Key as a “Norton AntiVirus at a very high level”, wrapping protection around NZ.
But last year, an ex-GCSB staffer told the Herald that Cortex is now getting “long in the tooth”.
He saw the agency struggling for skilled staff as corporate New Zealand, newly attuned to cyber threats, poached its employees.
And he also saw the Crown anti-hacking effort undermined by a fragmented, multi-agency approach.
NetSafe chief executive Martin Cocker recently took a similar line, telling the Weekend Herald: “We have a lot of agencies doing . . . a lot of good stuff, but one of them needs to take a lead role.”
What’s up with Australia’s war footing against cyber-threats?
Last June, Australian Prime Minister Scott Morrison announced a A$1.35 billion ($1.4b) boost for efforts to defend the country’s public and private networks against hackers.
The new funding included A$470m to create 500 new jobs within the Australian Signals Directorate, the agency responsible for repelling cyber-attacks. That will take its total staff to around 2500.
How does it compare to NZ?
The Australian response was admittedly driven by a fear of alleged hacking by a state actor — China — as much as ransomware and other organised crime efforts.
But nevertheless, when it comes to increases in spending, Australia vs NZ is a case of billions vs millions.
Cert NZ was set up in 2016 (under the National-led Government of the time) as a “cyber-attack triage unit” with a $22.2m budget. That was increased by $9.3m over four years in Budget 2019.
Budget 2019 also marked $8m over the next four years “to help implement Cyber Security Strategy.”
Budget 2020 included a $146m increase over four years for the intelligence agencies. That is, the domestic-focused NZSIS and the GCSB. As the larger agency, the GCSB got $100m of funding, or $25m a year more over four years. Part of that new funding will be used for cybersecurity initiatives, but a spokesman for the spy agency would not say how much, citing security concerns (for the same reason, the GCSB will not say how many of its 500-odd staff work for the NCSC).
Budget 2021 featured no cybersecurity initiatives.
Are directors on the hook if a company gets hacked?
Yes. Forget about blaming the geeks in IT for not doing their job.
“While directors do not have any specific legal obligation to lessen cyber threats or mitigate the impact of a cyber attack, cyber risk is no different to other areas of risk faced by organisations,” Bell Gully partner Tania Goatley says.
“Directors owe a broad duty to exercise the care, diligence and skill that a reasonable director would exercise in the circumstances. So they need to understand the specific cyber risks, determine cyber risk appetite, and take appropriate actions to deal with the risks.
“Regulators like the Financial Markets Authority have made it clear that boards are ultimately responsible for overseeing cybersecurity.
“Under the Privacy Act 2020, any organisation that holds personal information must ensure it is protected by reasonable safeguards to protect against these sorts of cyberattacks.”
Where should I turn if I’m hit by ransomware?
Cert NZ will put you in touch with the right law-enforcement contacts, and offer advice about where to seek help.
How do I get my defences up to snuff?
Multiple Crown agencies offer advice on getting your computer system in shape, including the NZ Police, NetSafe, Cert NZ and the GCSB.
The mantras include keeping all of your systems up to date — not just your security software; using unique, hard-to-crack passwords for every service; constantly educating staff on good security hygiene, including a deep suspicion of all email attachments and links to unfamiliar websites; and keeping a range of backups — including some files safely offline.
But Honan says the most important point is to assume that one day you’ll be hit. That means checking your backups work, and wargaming how you would make contact with customers and partners. “Regularly testing your restore procedures, running exercises which simulate a ransomware attack, and also including ransomware attacks as part of your . . . continuity planning.”
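The restore-testing advice above is easy to nod along to and hard to prove you have done. One concrete way to make a restore drill checkable is to record a hash manifest of the files at backup time, keep that manifest with the offline copy, and compare a trial restore against it. The script below is an added illustration written for this article, not code from Cert NZ, the GCSB or any of the agencies named; the file names and contents it creates are constructed sample data in a temporary directory, and the “damage” it injects (one file overwritten with junk, one missing) stands in for what an incomplete or tampered restore looks like.

```python
"""Backup restore drill: hash a source tree, restore it, verify the restore.

Added example for this article (not from any agency named in it). All files
it touches are constructed inside a temporary directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file's path (relative to root, POSIX style) to its digest.

    In a real deployment this manifest is written to the offline ("cold")
    backup media alongside the data, so an attacker with admin rights on the
    live network cannot quietly alter both the files and their checksums.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest taken at backup time.

    Returns three lists: files that match, files absent from the restore,
    and files whose content differs (the signature of an encrypted or
    truncated copy).
    """
    report = {"ok": [], "missing": [], "modified": []}
    for rel_path, expected in manifest.items():
        target = restored_root / rel_path
        if not target.is_file():
            report["missing"].append(rel_path)
        elif sha256_file(target) != expected:
            report["modified"].append(rel_path)
        else:
            report["ok"].append(rel_path)
    return report


def restore_drill() -> dict:
    """End-to-end drill on constructed data: back up, restore, damage, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        (source / "records").mkdir(parents=True)
        # Constructed sample files; nothing here is real data.
        (source / "records" / "patient-list.csv").write_text("id,name\n1,constructed\n")
        (source / "records" / "schedule.txt").write_text("clinic 09:00\n")
        (source / "README.txt").write_text("constructed sample data\n")

        manifest = build_manifest(source)  # this is what goes offline with the backup

        restored = tmp / "restored"
        shutil.copytree(source, restored)
        # Simulate a bad restore: one file replaced by ciphertext-like bytes,
        # one file never came back.
        (restored / "records" / "schedule.txt").write_bytes(b"\x00\x91junk\x7f")
        (restored / "README.txt").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = restore_drill()
    for status in ("ok", "missing", "modified"):
        print(f"{status:9s} {result[status]}")
```

Run as a scheduled job against a real trial restore, the same `verify_restore` call tells you whether the restore is usable before you need it in anger; a non-empty `missing` or `modified` list is the finding to act on. The manifest only proves anything if it is stored where the live network’s admin accounts cannot reach it, which is the point of the cold backup the article describes.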
Why target hospitals?
Over the past year, hundreds of health providers around the world have suffered ransomware attacks.
Why are they such an attractive target? With lives at risk, hospitals are under more urgent pressure than most organisations to pay up.
Private providers can be juicy targets.
“And in a case like the Waikato DHB, the attackers will be hyper-aware that a government-backed organisation providing critical healthcare can only be down for so long. They know the pressure is mounting publicly and that is an incentive to pay up. It’s all part of a very well-rehearsed plan,” NortonLifeLock’s Mark Gorrie says.
And Theta’s Jones adds there’s the added appeal — from a criminal’s perspective — that individual patients can be extorted if they have sensitive or embarrassing records.
Is there a simple step we can take as a nation?
The Waikato DHB attack spurred Health Minister Andrew Little to call a meeting of top government officials, known as Odesec (for Officials’ Committee for Domestic and External Security Co-ordination) on May 26, eight days after the initial attack.
It coincided with the Privacy Commissioner warning all district health boards to urgently fix their IT vulnerabilities amid what has become the country’s biggest-ever cyber attack.
Ayers welcomed that politicians were finally acknowledging the situation was a national crisis, but was also suspicious the reviews of DHB systems would turn into a delaying tactic, with results withheld until the public’s attention had turned elsewhere.
Ayers said the GCSB had an excellent online guide to beating cyber attacks, but questioned if the agency, and the Government as a whole, was doing enough to publicise it. There was little public education over cyber-risks.
“Even now, Little could come out and say ‘Here’s the advice we developed last year on how to protect against ransomware. Everyone in NZ must follow it’. Why doesn’t he do that? Could it be politically inconvenient to do that, which would highlight the failings of Waikato DHB in which the ministry intervened?”
What happened to the plan for a cyber-czar?
In 2018, there was an attempt to take things by the scruff of the neck.
Then Communications Minister Clare Curran sought to cut across the alphabet soup of digital titles and agencies in security and other IT areas by appointing a chief technology officer with sweeping powers to shape strategy in cybersecurity and other areas.
That effort fell on its face as appointee Derek Handley was handed a $107,500 payout as the Government had a last-minute rethink.
After Curran was shuffled off stage left, it was ultimately decided the CTO role should be replaced by a “Digital Council” of lowish-profile IT industry figures who were appointed in February 2020 without fanfare.