A gang called LockBit has posted a series of time-pressure demands for money on the dark web, claiming to have files from clients of Wellington-based IT provider Mercury IT, which was hit by a ransomware attack in late November, according to the Privacy Commissioner.
The attack compromised data from Mercury IT clients including contractors to Health NZ, some 14,500 coronial files and 4000 post-mortem reports according to the Ministry of Justice, the NZ Nurses Association (which represents 55,000 healthcare workers), BusinessNZ, the Wellington Chamber of Commerce and the affiliated Business Central, and some 30,000 customers of Wellington-based private health insurer Accuro.
LockBit is demanding US$999,999 ($1.54 million) within 10 days for files it says it has from Mercury IT. As of 4am this morning NZT, the gang’s counter had nine days and 20 hours left, according to Brett Callow, threat assessment analyst with Emsisoft – an NZ-based firm helping organisations grapple with ransomware attacks.
The gang was also demanding US$999,999 ($1.5m) for files from Mercury IT, US$199,999 for files from Business Central and US$99,999 for files from Accuro.
The Herald understands other organisations caught in the attack are also being shaken down.
The demand does not necessarily mean files from Mercury IT clients will be released onto the dark web if the firm (or its clients) fail to cough up within 10 days.
Callow explains that LockBit’s modus operandi is to offer stolen files to all comers.
Mercury IT could pay US$999,999 to regain access to its files, with LockBit – supposedly – destroying any copies.
If another party – such as a cyber fraud or blackmail outfit – pays the US$999,999 before Mercury, then it gets the files.
But if no party pays the sum, then the countdown clock can be restarted.
LockBit also offers victims the chance to pay a smaller sum to extend the deadline by another 24 hours, or another week.
The GCSB’s National Cyber Security Centre is leading a multi-agency investigation. The agency had no update this morning bar that it continued to work with organisations impacted by the Mercury IT breach.
Accuro: ‘Taking steps’
“We are making no comment on the ransom,” Accuro chief executive Lance Walker told the Herald this morning, when asked about LockBit’s US$99,999 demand.
It marked the first time his firm had used the “r” word. (It was new Privacy Commissioner Michael Webster who outed it as a “ransomware attack” on December 6 as he revealed his office planned to open a compliance investigation).
Walker, whose firm has previously refused to say if it is in ransom negotiations or not (a different policy from the Waikato DBH last year, which ruled it out), declined further comment.
In a statement posted to Accuro’s website this morning, after the Herald’s initial article, Accuro reiterated it was “aware that the third-party responsible for the cyber-security incident impacting Mercury IT has disclosed some information belonging to Accuro online.”
Walker said in the statement, “We are assessing the data to determine who the information belongs to and taking steps to have the disclosed information removed where possible.”
Customers whose data had been compromised would be contacted, and advised.
Walker reiterated that his firm had cyber-security and forensic IT experts and was working with Government agencies.
High Court order
Mercury IT declined comment today. The Herald is seeking comment from other organisations involved in the November hack – but there has already been a sign that government agencies are aware of the immediate risk of files being spilled into the public domain.
Last week a High Court judge issued a blanket order compelling anyone who may have received hacked health data or coronial inquest files – or any client files spilled in the Mercury IT breach – to immediately delete them. The order extended to media.
The order by Justice Christine Grice said anyone who received the files or who may receive the files in the future cannot access, look through or filter the records in any way.
Callow said he did not seek to access any “taster” files offered by LockBit, mindful of the court order.
While it’s rare for ransomware attackers to be brought to justice – in part because many operate from Russia or Eastern European countries with limited cooperation with the West – there was a recent arrest involving LockBit’s alleged global ransomware campaign.
A criminal complaint filed in the District of New Jersey was unsealed on November 10, charging a dual Russian and Canadian national for his alleged participation in the LockBit global ransomware campaign, according to a US Justice Department statement.
Mikhail Vasiliev, 33, of Bradford, Ontario, Canada, is in custody in Canada and is awaiting extradition to the United States.
“This arrest is the result of over two-and-a-half years of an investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world,” said Deputy Attorney General Lisa Monaco. LockBit first emerged in January 2020.
The arrest does not appear to have crimped LockBit. Six days ago, with Vasiliev still awaiting extradition, the gang claimed to have stolen 76GB of data from the California Department of Finance, including databases, confidential information, financial and IT documents and, cryptically, “sexual proceedings in court”.
While US authorities managed to produce enough evidence to gain a warrant for Vasiliev’s arrest, Callow says “not all of LockBit’s past claims have been true”.
Privacy Commissioner leans toward change
Emsisoft’s Callow is among those who have suggested circuit-breaker moves to stop the relentless waves of ransomware, including making it illegal to pay a ransom.
On October 22, Kordia chief information security officer Hilary Walton (who has since decamped to Microsoft) pointed across the Tasman, where Australia’s privacy legislation allows for a fine of up to A$2.2m – and even possible jail time for executives involved – for a health data breach. New legislation raises the maximum fine to A$50m. The tightening follows major data breaches at Optus and health insurer Medibank.
Last week, the Privacy Commissioner said NZ should consider raising its current penalty of $10,000.
Webster’s predecessor, John Edwards, proposed $1m fines with a 2020 revamp of the Privacy Act, but the idea was knocked back by the Government.
The new Privacy Commissioner said last Tuesday: “I am certainly very interested in looking at the role that a financial penalty regime consistent with New Zealand consumer law could have, in terms of punishing people for poor management of people’s personal data.”
Webster added: “These regimes exist in many other jurisdictions.”
No mood for big moves
The Government has so far resisted change, however.
On making it illegal to pay a cyber ransom, Justice Minister Kiri Allan told the Herald: “While the Government understands making payments for cyber ransoms may be perceived as encouraging further attacks, taking criminal action against the victim raises issues of fairness in regard to making a victim a criminal when they are attempting to protect their business and livelihoods by making the payment.
“As such, there aren’t any current plans to criminalise those who pay cyber ransoms,” Allan added.
And on fines for firms that lose data to thieves because of poor levels of protection, Allan said: “Penalising those who fail to take sufficient steps to protect their data with substantial fines is not currently a priority for me as Justice Minister.”
Police and Crown cybersecurity agency Cert NZ advise against paying a cyber ransom, saying to do so incentivises and funds further offending, and provides no guarantee you’ll get your data back – or that it will not be used in a future extortion or blackmail attempt.
The Crown-based ID Care offers advice and support for anyone who thinks they are at risk of identity theft or fraud following an online scam or data breach.