
Mercury IT, a popular New Zealand-based managed service provider (MSP), suffered a significant ransomware attack that disrupted the daily operations of its clients, including several government departments and public authorities.

In a recent statement, Corry Tierney, the director of Mercury IT, confirmed that threat actors gained access to the company’s internal network and launched a ransomware attack on November 30. The company immediately took all necessary steps to mitigate the situation.

“This was immediately escalated to senior management. The incident was raised with relevant Government authorities, and we have engaged external specialist support.

“Our response to understand how this occurred, and address the impacts, is at an early stage; however, all possible steps have been taken to secure our environment,” he said.

New Zealand’s privacy commissioner confirmed that it was informed about the cyber security incident on the same day. “This is an evolving situation. Urgent work is underway to understand the number of organisations affected, the nature of the information involved, and the extent to which any information has been copied out of the system,” the watchdog said.

The Office of the Privacy Commissioner is initiating an investigation to understand the scope of the ransomware attack and the type of data compromised, and to identify the threat actors behind the security incident.

“We encourage any clients of Mercury IT who have been impacted by this incident and who have not already been in touch with us to contact the Office of the Privacy Commissioner,” the privacy commissioner added.

Organisations impacted by the ransomware attack included health insurer Accuro, BusinessNZ, the NZ National Nurses Association, and the Ministry of Justice.

The Ministry of Justice said that the attack prevented it from accessing 14,500 files relating to the transportation of deceased people’s bodies and around 4,000 post-mortem examination files dating from March 2020 to November.

The chief operating officer of the Ministry of Justice, Carl Crafar, said, “We are conscious that so-called malicious actors behind such activity can monitor public commentary on incidents of this nature so will not be providing more detailed information on our responses at this time.”

Te Whatu Ora, New Zealand’s health ministry, was also impacted by the ransomware attack and was rendered unable to access data relating to bereavement and cardiac services. “While the above records are currently inaccessible, there is no evidence at this stage that they have been subject to unauthorised access or download,” the ministry said.

“We would like to reassure the public that there has been no disruption to health service delivery and that all Te Whatu Ora health services are continuing to run normally.”

The Ministry added that other health regulatory authorities, including the Optometrists and Dispensing Opticians Board of New Zealand, the Chiropractic Board, the Podiatrists Board, the New Zealand Psychologists Board, the Dietitians Board, and the Physiotherapy Board of New Zealand, were also impacted by the cyber security incident.

Commenting on the news, Raj Samani, SVP Chief Scientist at Rapid7, said, “This ransomware attack serves as a reminder to all businesses that they can be a target of ransomware, irrespective of their size. Indeed, many small organisations form a critical part of the supply chain for larger organisations, and this provides criminals the opportunity to demand and extort large sums from victims. Understanding this economy allows ransomware operators to cause as much chaos and disruption as possible in the hope that this will motivate victims to pay.

“Therefore, all businesses – no matter what their size – need to ensure that they operationalise cybersecurity. It must be seen as an essential part of the organisation’s processes and form part of the cost of operational running,” he added.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543