- Posted April 28, 2023
- Security Advisories
This article was originally posted on May 31, 2021. It was updated on April 28, 2023.
Government guidance on cyber ransom payments
In April 2023, the New Zealand Government issued new guidance on ransomware for public service agencies, which can be found at the link below.
Government ransomware guidance(external link)
It is the Government’s expectation that public service agencies will not pay cyber ransoms. Any ransomware incidents experienced by Nationally Significant Organisations (NSOs) and public service agencies should be reported to the National Cyber Security Centre at the link below.
Report an incident to the National Cyber Security Centre
For the general public, including individuals and businesses, ransomware attacks are a criminal act and should be reported to NZ Police using their online reporting tool at the link below, or by calling 105.
Report an incident online to NZ Police(external link)
CERT NZ is able to provide advice to victims who have been attacked and assist them to work out what they do next. Reporting incidents to CERT NZ also helps New Zealand keep track of cyber security trends. You can report cyber incidents to CERT NZ at the link below.
Report an incident to CERT NZ(external link)
Preparation is everything
High-profile ransomware incidents, both in New Zealand and abroad, offer a reminder to all New Zealand organisations about the importance of information security and cyber resilience. Preparation is everything. Your organisation needs to practise defence in depth to protect your systems and people against malicious cyber activity, and to be prepared for an incident should one occur.
Defence in depth
There is no one control that can be put in place to protect your systems from ransomware, and so the NCSC recommends a defence in depth approach to reduce the risks for your organisation. This involves:
- Layered defences that are capable of stopping malicious activity at different points at the boundary of and within networks; and
- Segmenting networks to limit the access a malicious actor has if they gain access to one part of your network, and
- Appropriate monitoring to enable the prompt identification, investigation and response to malicious activity when it occurs.
Your organisation should already be developing good information security practices and principles, such as user access management, the zero-trust model, and legacy platform management.
Addressing the ransomware risk
As well as encrypting your data for ransom, ransomware actors will often exfiltrate (steal) your data prior to installing ransomware on your network. Actions that your organisation can take now to mitigate these risks include:
- Reviewing your systems to determine where sensitive information is stored (such as personally identifiable information, login credentials, and intellectual property) to inform an assessment on the risks associated with data exfiltration. This includes the potential loss of commercially sensitive data, as well as risks to the privacy of customers and employees, and the security of information systems on your own network and those of organisations they interact with. Consider whether encryption of your information is an option, both in transit (travelling across the network) and at rest (stored).
- Reviewing your organisation’s security posture in relation to a ransomware event. Does your organisation have any risk mitigation strategies or security uplift projects that could be more highly prioritised? Are there any patches or upgrades to critical systems which were previously deferred that can be brought forward?
- Re-emphasising security awareness. The NCSC recommends staff be reminded about security awareness. Ask them to be vigilant and tell them how to contact your organisation’s security teams should they receive any suspicious communications or see any strange activity on your organisation’s network. CERT NZ has guidance available on phishing scams here(external link).
Incident management
Even if an organisation is up to date with patches and upgrades to critical systems, new zero-day vulnerabilities are frequently identified. This means your organisation should be well-prepared to manage an incident, with the perspective that one will eventually occur. The NCSC provides advice on how to approach this area of organisational planning in our Incident Management: Be Resilient, Be Prepared guidance document. Actions that your organisation can take now to be better prepared include:
- Reviewing your incident management plan. At the core of effective incident management is a well-established and tested plan. Your organisation should have defined roles and responsibilities for anyone involved, which will help identify what actions need to be taken should an incident occur, as well as who needs to be informed and when.
- Reviewing your organisation’s back-ups process. Regular testing of back-ups is an important way to have confidence in your organisation’s ability to respond to, and recover from, a ransomware event. Your organisation should understand the process of restoring from back-ups and have tested the process to ensure it can be done at pace.
Additional resources
The NCSC addresses some of the key development areas in cyber security for New Zealand organisations in our Charting Your Course: Cyber Security Governance and Supply Chain Cyber Security: In Safe Hands guidance documents.
More specific information on security controls can be found in the New Zealand Information Security Manual (NZISM)(external link), the New Zealand Government's manual on information assurance and information systems security, which is an integral part of the Protective Security Requirements (PSR) framework(external link).
Our partners have additional information relating specifically to ransomware, as follows:
How ransomware happens and how to stop it(external link) (CERT NZ)
Ransomware guidance and resources(external link) (Cybersecurity & Infrastructure Security Agency USA)
Ransomware case studies and advice(external link) (Australian Cyber Security Centre)
Mitigating malware and ransomware Attacks(external link) (National Cyber Security Centre UK)
Ransomware: Don’t get locked out(external link) (Canadian Centre for Cyber Security)
Ransomware: How to recover and get back on track(external link) (Canadian Centre for Cyber Security)