28 May 2021

Waikato DHB data breach likely 'seven ... eight figure' cryptocurrency ransom - expert

6:27 pm on 28 May 2021

The ransom demand for Waikato DHB's hacked data would likely be in the millions or even tens of millions of dollars, and only payable by cryptocurrency, a cyber-security expert says.

Waikato District Health Board notice of outage of systems from cyber attack. Photo: RNZ / Andrew McRae

Stuff is reporting that the Ministry of Health has identified the ransomware used in last week's cyber attack as one called "Zeppelin", which the Minister of Health is not denying.

Fabian Wosar from cybersecurity company Emsisoft said if it was confirmed, it would be the biggest Zeppelin data breach he had heard of.

Wosar said the hackers clearly knew what they were doing and who they had hit.

"They probably also have a good understanding of how valuable the data is that they've taken. I wouldn't be surprised if this is a seven, maybe even an eight-figure ransom. It'll almost certainly be through cryptocurrency whether that's monero or bitcoin."

Wosar said the Zeppelin ransomware was a "kit" that could be bought on dark web marketplaces.

"A lot of people who purchase these kits, they never purchase the updates. Especially older versions of Zeppelin have certain vulnerabilities that would allow a company like us to recover the data and decrypt the data without the involvement of the threat actor, meaning without them having to pay any form of ransom," Wosar said.

The company contacted New Zealand authorities to offer its services.

Wosar said regardless of how and when the health board got access to its data, it would have been copied by the hackers, and may well be elsewhere online.

Health Minister Andrew Little, who is also minister responsible for the spy agencies, would not answer a question about whether he had heard that the ransomware was Zeppelin.

"Look, we know that it is a ransomware attack, there are different families of ransomware... part of the job of the National Cyber Security Centre in their investigation is to understand exactly what happened, what the malware was that was installed, how it operated, how long it's been there, and the harm that's been done."

Little said the DHB was making good progress recovering its lost data and restoring its IT system.

In a statement, Ministry of Health deputy director-general data and digital Shayne Hunter refused to confirm whether it was indeed the Zeppelin ransomware.

"We are very conscious that cyber criminals can monitor media commentary relating to an incident and may change their behaviour based on that commentary. In consideration of this, we will not be providing further comment on the ongoing incident response," he said.

"This includes not making comment on the security providers we are working with or the nature of advice we are receiving."
