We highlight current cyber security threats in New Zealand, and provide guidance on what to do if they affect you.

1:35pm, 16 June 2020

TLP Rating: Clear

Businesses compromised through remote access systems

Many businesses use software that allows staff to access the business’ network remotely. Attackers are using this software to gain access to business networks, extract sensitive data, and encrypt files. They then demand payment for the data. 

These attacks can have a severe impact on your business operations, including downtime while your systems are offline, and operational data being stolen and sold. Recovering from one of these attacks requires significant time and money to investigate and completely remove the attackers from your network.

What's happening

Systems affected

Attackers access an organisation's network through its remote access software, such as remote desktop protocol (RDP) and virtual private networks (VPN). They gain access through weak passwords, a lack of two-factor authentication, or software that’s not up to date.

What this means

Once the attacker gains access, they move across different parts of your network and search for valuable information.

They use tools to create their own access to your organisation’s network. This means that even if you change the passwords for your remote access, the attackers will still be able to get inside the network. They then identify and extract sensitive information from your network without your knowledge. They may threaten to sell the information if you don’t pay their ransom, or use the information to affect the reputation of the business.

What to look for

How to tell if you're at risk

Any business that uses remote access but isn’t using both two-factor authentication and strong passwords is at risk. The software also needs to be up to date to fix any security vulnerabilities that have been found.

How to tell if you're affected

You’ll know you’re affected when you get the ransom note. This may appear as the background image on your desktop, or as a text file which could be called something like NEFILIM-DECRYPT.txt or DECRYPT-FILES.txt.
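As an added example (not part of the CERT NZ advisory), the script below sweeps file shares or drives for the note file names quoted above and lists the hits oldest first, which helps an investigator order the affected locations. The function name `find_ransom_notes` is hypothetical, and the name list holds only the two names from this advisory, so extend it as needed.

```python
import os
from datetime import datetime, timezone

# File names quoted in the advisory. The note "could be called something
# like" these, so treat the set as a starting point, not a complete list.
NOTE_NAMES = {"nefilim-decrypt.txt", "decrypt-files.txt"}


def find_ransom_notes(roots, note_names=NOTE_NAMES):
    """Walk each root and return (hits, skipped).

    hits is a list of (path, modified_utc, size_bytes), oldest first.
    skipped lists paths that could not be read, so gaps in the sweep
    are visible instead of silently ignored.
    """
    wanted = {n.lower() for n in note_names}  # match case-insensitively
    hits, skipped = [], []
    for root in roots:
        # followlinks=False stops the walk looping through symlinks/junctions.
        for dirpath, _dirs, files in os.walk(
            root, onerror=lambda e: skipped.append(e.filename), followlinks=False
        ):
            for name in files:
                if name.lower() not in wanted:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    skipped.append(path)
                    continue
                mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                hits.append((path, mtime, st.st_size))
    hits.sort(key=lambda h: h[1])
    return hits, skipped


if __name__ == "__main__":
    import sys
    found, unreadable = find_ransom_notes(sys.argv[1:] or ["."])
    for path, mtime, size in found:
        print(f"{mtime.isoformat()}  {size:>8}  {path}")
    print(f"{len(found)} note(s) found, {len(unreadable)} path(s) unreadable")
    sys.exit(1 if found else 0)  # non-zero exit lets a scheduled job alert
```

Run it with one or more directories as arguments; an empty result does not rule out compromise, since the note only appears after the attacker has already been in the network.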

What to do


Ensure that all remote access systems:

  • have the most up-to-date software
  • strictly enforce two-factor authentication
  • use a strong, long password that isn't used anywhere else.


Make sure you have a recent secure backup of your critical data. This backup must be kept offline, and on a different network. However, due to the level of access gained before deploying ransomware, simply restoring data from backup won’t resolve the issue.

Fixing the issue will require an in-depth technical investigation of your systems to make sure the attacker can’t gain access to your network, and to identify any security improvements to prevent another attack.

We recommend some actions that you should discuss with your IT company and implement for your business. Most of these actions will help prevent an attacker from gaining access to your systems or will limit what they can do once they have access.

Critical Controls 2020

More information

CERT NZ technical advisory about the ransomware

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at or call the MBIE media team on 027 442 2141.