News Own Your Online External Link Report it
News Own Your Online External Link
  1. Welcome to the National Cyber Security Centre
  2. Insights
  3. Cyber Threat Reports
  4. 2023/2024 Cyber Threat Report
  5. The impact of ransomware

Te pānga o ngā pūmanawa tono utu The impact of ransomware

This year, Aotearoa New Zealand’s reported ransomware incidents declined significantly, despite global trends of ransomware being a pervasive and damaging cyber security threat. Even with a smaller number of incidents, it was still disruptive to those impacted, with ransomware actors incorporating a range of techniques intended to extort ransoms from victims including individuals, organisations, and government agencies.

A year in ransomware incidents

Of the 7122 total incidents recorded during the 2023/2024 financial year, the NCSC responded to 46 ransomware incidents, approximately half the number of incidents compared to 2022/2023. Overall, the total number of ransomware incidents in 2023/2024 dropped considerably from previous years.

While the number of ransomware incidents has declined, the severity of impact from ransomware this year was still proportionally more than other cyber security incidents. In 2023/2024, 5 out of the 8 C3 incidents of potential national
significance involved ransomware, or extortion/exfiltration which is often associated with ransomware events.

37 of the 46 ransomware incidents (80%) were not likely to cause nationally significant harm as they impacted smaller organisations or individuals. Ransomware actors likely select smaller enterprises and individuals alongside ‘big game’ targets, since these victims likely have less-mature cyber security capabilities. Emerging players enabled by ransomware-as-a-service are also capitalising on smaller organisations’ vulnerabilities to test their capabilities. In many ransomware incidents where impact was less severe, this was mainly due to effective cyber security measures, including robust backups, automated cyber threat detection, and timely incident response. This is reflected in the following case studies about four ransomware incidents experienced by Aotearoa New Zealand organisations this year:

  • In September 2023, the NCSC was made aware of a ransomware event affecting a New Zealand transport organisation’s card service for public transport services. The ransomware affected the system responsible for reconciling account balances with credit card data that facilitates users’ ability to top up their accounts. The NCSC provided the transport organisation with support and guidance to assist with the containment of this incident.
  • In November 2023, the NCSC was made aware of malicious cyber activity that indicated ransomware on the network of a New Zealand organisation in the media and telecommunications sector. Subsequent investigation supported by the NCSC indicated the intrusion occurred via a vulnerable remote services tool with weak administration credentials. Due to robust backups (which were not affected) the organisation had the ability to restore the impacted file systems and data.
  • In March 2024, the NCSC was notified of possible ransomware activity on the network of an organisation in the manufacturing sector. Access was likely via the exploitation of a known vulnerability in a remote service tool. After gaining access to the network, the actor was observed making attempts to copy sensitive credential databases. Early identification of the activity by a cyber threat detection tool on the network allowed the organisation to remediate the server before the ransomware was deployed.
The NCSC recommends never paying cyber ransoms

Governments worldwide are increasingly concerned about appropriate protection of sensitive data, including personal information, and are discouraging the payment of a ransom.

In 2021, the New Zealand Government agreed that government agencies should not pay cyber ransoms.

Paying ransoms encourages illegal activity and may fund other illicit activities. Payment of a ransom could also be in violation of the Russia Sanctions Act 2022 or the United Nations Act 1946. Payment of ransom does not guarantee that an organisation gets their data or systems back, and can result in the same organisation being targeted again, due to their willingness to pay.

The New Zealand Government encourages all victims to report any cyber ransom incidents to the relevant agencies, regardless of whether a ransom is paid. The Privacy Act 2020 requires reporting of privacy breaches that have caused serious harm or are likely to do so.

Top