Quarter Two Report 2021

While most ransomware incidents don’t report direct financial loss, the costs of recovery can be significant, and include data loss and operational impact.

Ransomware is a type of malicious software that can get into a computer system in a number of ways. For instance, when someone clicks on a link or attachment in a phishing email, or through weaknesses in out-of-date software. Once ransomware has infected a computer it encrypts files so they can’t be read or accessed. Then a ransom is demanded for the files to be restored, with costs varying from a few hundred to millions of dollars. As reflected in CERT NZ data, these types of attacks have grown in number and impact over the past two years. Attacks on businesses and organisations around the globe have increased in scale and severity, impacting private and public services, and disrupting the lives of many people.

Why is it increasing? Ransomware attacks are financially motivated. In some instances, ransoms have been paid. This has resulted in an increase of criminal groups carrying out these attacks. How it works? Different ransomware variants use different techniques to try and access devices and encrypt files. However, there are some common ways this happens, and most ransomware attacks follow one of a few predictable paths – see the following diagram

1. Keep your operating system and apps up-to-date. You can set this up to happen automatically with major operating systems like Windows and MacOS, and common applications like Office.
2. Make sure you back up your files regularly to an external hard drive or cloud service. Keep your backup disconnected from your computer. That way it can’t be destroyed in an attack, and you will be able to restore from backup if you need to.
3. Install antivirus software and update it regularly.
4. Talk to your IT provider about applying the CERT NZ critical controls that are relevant to your business.

CERT NZ’s IT specialists’ guide on how to stop ransomware: How ransomware happens and how to stop it

If you think you’ve been affected by ransomware, you can report it to CERT NZ www.cert.govt.nz/report External Link .

In a recent case, a medium-sized retail store was targeted by a ransomware. An employee went to activate the office computer and encountered a black screen with icons. When hovering over the icons, pop-ups appeared with a prompt to click on a link to pay a ransom, in Bitcoin, to recover the files.

The employee didn’t click any icons or attempt to make payment. Instead, they phoned a colleague and waited for IT assistance. IT identified the files had been encrypted and the likely source of the ransomware was an insecure service accessible from the internet, meaning the business’s computer system was exposed. As the computer had been left idle and connected to the internet, attackers had taken the opportunity and exploited the service.

Although the business regularly backed up files, unfortunately the hard drive had been left connected to the computer, meaning that not only were the files on the computer encrypted but the backup files also. The ransomware also affected business systems including a retail programme which recorded inventory and synced with the e-commerce part of their website.

In response, the retailer took the business offline and removed all files and programmes from the infected machine. The business had to rebuild their supplier and customer databases from scratch, as well as do a full stocktake to rebuild inventory. With additional support from their point-of-sale provider some files were able to be recovered.

Although the business didn’t pay the ransom, the impacts of the attack did have financial implications and resulted in significant data loss and operational impact.

As a result of the ransomware attack, the retailer is now taking additional steps to secure their system. For example by backing up all data regularly and keeping these backups disconnected from the network, applying security and installing antivirus software. In addition to these steps, the retailer is keeping staff up-to-date on cyber security practices like keeping backups offline.

These cases show how easily a ransomware attack can happen, and that anyone can be a target. However, it’s not all bad.

Protect your business from ransomware

Brute force is a method attackers use to guess passwords to access online accounts and internet-enabled devices.

In the case of internet-enabled devices, the attackers begin by scanning the internet for accessible devices. Once an accessible device is identified, the attacker will use brute force software to repeatedly guess the passwords. This can take anywhere from a few seconds to hours. The stronger the password is, the longer an attack will take and the more likely an attacker is to give up before guessing the password.

If the brute force attack succeeds, the attacker can then carry out a wide range of malicious activity depending on what is accessed. This can include accessing private data like footage from internetconnected security and TV cameras. Attackers can also use the infected device to spread further malware and brute force other devices.

These types of scams happen when attackers attempt to trick people into sending money to take part in fake cryptocurrency-investment opportunities and exchanges.

These scams are often distributed by emails, text messages, phone calls or through fake websites. They advertise cryptocurrency- investment opportunities with substantial and guaranteed financial returns, or offer direct sales of cryptocurrencies like Bitcoins, Litecoins or other altcoins, which don’t result in any transfer once payment is made.

Many of the cryptocurrency-investment scams reported to CERT NZ use common scam techniques. For example, the language used in the scams often replicates investment style communications to appear legitimate. They also often create a sense of urgency to encourage the recipient to act quickly and not miss out on the ‘investment opportunity’. These scams are becoming more difficult to spot, and in some cases, the recipient may not realise the scam until the attacker ceases to respond once payment has been made. In other cases, the scam may not be apparent until the target requests to withdraw their investment.

Following their request, the scammer asks them to pay a withdrawal fee, as a way to steal more money, and this doesn’t result in any return of the investment.

Protecting from cryptocurrency-investment scams

• Be wary of any investment opportunities sent by someone you don’t know, or that seem out of character for someone you do know. If you’re unsure, contact the sender to check first.
• Cryptocurrencies are high risk and highly volatile – the price can go up and down very quickly. Investment opportunities offering high, guaranteed returns are likely too good to be true.
• All unsolicited marketing emails in New Zealand are illegal so if you receive an investment offer from someone you’ve never been in contact with, it’s likely illegitimate. What to do if you think you’ve been caught up in a crypto-currencyinvestment scam
• Contact the service provider for your online accounts – like your bank or your email provider. Let them know what’s happened and ask what they can do to help.
• Cease any communications and payments with the sender.
• Change the passwords for any online accounts you think may have been affected by the scam.
• Get a free credit check done. This will let you see if any accounts have been opened in your name. There are three main credit check companies in NZ, and you’ll have to contact all of them. You can ask to have your credit record corrected if there’s any suspicious activity on it.