Judgement 2

Why it matters – the global view

Globally, the shift to ransomware-as-a-service (RaaS) has commercialised cybercrime, allowing criminals to ‘rent’ effective attack tools, and for criminal groups to specialise in different elements of the attack. Meanwhile, new technologies such as AI are accelerating their work and effectiveness.

Cybercriminals are responsible for most of the incidents New Zealanders report to the NCSC. The end goal for cybercriminals is usually financial gain; however, they may carry out activities that are indirectly related, for example by stealing passwords and personal information, in order to stage future attacks.

Ransomware continues to be the most damaging type of criminal attack, causing disruption as well as potential loss of money, data and sensitive information.

Ransomware activities can result not only in data loss and exposure but also disrupted operations, reputational damage, and financial cost - and in extreme cases, threats to life. It is in the interests of criminals to cause as much trouble as possible to increase their chance that an organisation will pay the ransom. Unfortunately, many of those who pay do not get their data back or their systems unlocked, and sometimes they are extorted further with the threat of releasing sensitive data.

Examples

In April 2024, MediSecure - a holder of sensitive Australian health data - discovered a database had been encrypted by ransomware actors. Later investigations discovered that over 12 million transactional records across a four-year window had been breached.
In July 2025, Qantas suffered a customer data breach numbering millions of records, including from New Zealand. Criminals later released data on the dark web.
Financially motivated cyber attacks in the UK on Marks & Spencer in April 2025 and Jaguar Land Rover in September 2025 crippled operations and are estimated to have cost the firms hundreds of millions of dollars.
In September 2025, airports across Europe experienced disruption to check-in technology following a ransomware attack.

Tactics and techniques

Ransomware refers to a multi-stage operation by an actor, typically involving the installation of malware to encrypt files, exfiltrate files, and demand payment. Actors seek targets where disruption will have widespread and visible impact, to increase their chances of being paid.

High-value targets include essential services like transportation, where disruption is costly and highly impactful, and organisations with sensitive personal information such as healthcare and government agencies.

For cybercriminals, any opportunity is a good one, however many prepare by conducting research or social engineering to identify valuable targets and increase their chances of success.

Ransomware perpetrators are financially motivated. Of the moderate to significant ransomware incidents reported to the NCSC in 2024/25, all were linked to suspected financially motivated non-state actors.

Cybercriminals use a range of tools to speed up and support their work. For example,
vulnerability scanning gives malicious actors a list of potential targets they can attack en masse or target specifically.

With the advent of RaaS, ransomware attacks now require reduced technical expertise to deploy, lowering barriers to entry. The proliferation of RaaS has led to specialisation and corporate-level execution; defenders now find themselves dealing with experienced and professional negotiators.

More than half of the significant incidents the NCSC analysed in 2024/25 were likely to involve use of RaaS. RaaS continues to evolve, developing new features to assist cyber actors with avoiding detection, victim engagement and money laundering. The use of AI has only added to the threat.

AI and cyber security risks – amplification through automation

Cybercriminals have been early adopters of AI. As a result, attackers no longer need advanced technical skills to launch convincing and scalable attacks. Generative models can create personalised phishing emails in flawless English or te reo Māori, assemble convincing deepfakes for extortion or romance scams, and even write or adapt malicious code. For organisations with thousands of employees and complex supply chains, this means there’s a much higher likelihood that at least one employee will fall victim to a convincing scam.

Automation is another major factor. AI can rapidly scan networks for vulnerabilities, test stolen credentials, or exploit misconfigured cloud services. Large New Zealand companies - such as those in finance, energy, health, and telecommunications - may hold valuable data and provide critical services, making them attractive targets. The scale and speed of AI-driven attacks could overwhelm traditional security teams, especially if basic cyber hygiene is lacking. Still, automation benefits both sides: rapid detection and response must outpace automated attacks to remain effective.

AI doesn’t reinvent cybercrime, but it supercharges methods and scale. For New Zealand - where a few successful incidents can cause outsized disruption – the implications are that organisations need to close basic security gaps while also carefully leveraging AI for defence.

The New Zealand landscape

Cybercrime continues to have a significant impact on New Zealanders. Of the 331 incidents of potential national significance the NCSC dealt with in the past year, 137 were linked to criminal or financially motivated cyber actors - more than double the year before (65).

The direct financial loss from cyber security incidents reported to the NCSC in 2024/2025 totalled $26.9M, up from $21.6 million in 2023/2024.

These figures are indicative only: the full impact is likely to be much more. A consumer survey commissioned by the NCSC indicated that New Zealanders could be losing as much as $1.6 billion each year to cybercriminals and scammers. In addition, organisations frequently incur operational and reputational losses, and individuals are affected by the associated stress.

Our research also tells us that 53% of New Zealand’s small-to-medium enterprises (SMEs) experienced a cyber threat between January and June 2025, a significant increase from the 36% reported in 2024. The impact of these cyber threats on those businesses also increased.

Research indicates that while SMEs understand that cyber security is important, complacency often prevents them from implementing some of the most important security practices.

Ransomware continues to have devastating impacts on New Zealand organisations. In 2024/25, 88 reports of ransomware were recorded by the NCSC, compared to 63 the year before.

These included the following:

An agriculture producer's IT infrastructure was infected with ransomware, halting production.
An IT provider’s virtual machines were encrypted, causing service disruption, and their backups were deleted, preventing rebuilding.
A financial service provider was infected with ransomware, compromising documents containing customers’ personal information.

Most of the more impactful ransomware incidents the NCSC dealt with in the past year resulted in either suspected or confirmed data exfiltration. The exfiltration of data and the threat of exposing it publicly can provide criminals with additional leverage.

The New Zealand Government recommends not paying a ransom. Payment does not guarantee that you will get your data back, may breach sanctions, and creates harm to others by providing funding for criminal activities.

Case study 2: Ransomware in the health sector

In May 2025, the NCSC received an incident notification from an organisation in the health sector that had been impacted by ransomware. Many of the organisation’s servers and endpoint devices had been encrypted, and a large amount of data was stolen.

The organisation’s IT provider helped it to take initial remediation steps, which included changing credentials, updating accounts, and deploying extra security measures. The NCSC assisted the organisation by providing technical assistance to help remediate the problem and understand how the ransomware was able to enter its systems.

The NCSC determined that a lack of MFA on an important service had enabled a threat actor to gain access. Fortunately, the organisation had completed system backups just one hour before the ransomware activity occurred. By restoring from these recent backups, it was able to successfully recover its systems and quickly return to normal operations.

This event shows how good security practices – in this case frequent backups – can help mitigate or prevent ransomware incidents. The organisation may have avoided the incident entirely – and prevented data from being stolen – if it had also implemented MFA across its critical systems.

Implications for organisations

Many cyber criminals are skilled, motivated, and well-organised, with a range of effective tools at their disposal. Organisations need to be aware of the way that criminals continue to innovate, whether it’s deepfake phishing videos or calls, or deploying information-stealing malware, and how to detect and prevent these.

Through ransomware attacks, cybercriminals can cause significant disruption to business operations, and their extortion activities can damage your reputation with clients and stakeholders. Organisations of all sizes can be targeted. Paying does not guarantee recovery, or that your sensitive data won’t be released.

Readiness considerations

Three questions leaders should be asking:

If ransomware impacted our critical systems tomorrow, could we continue operating without paying?
Do we understand the personal information we hold and how we store and protect it?
Have we tested crisis management, legal, and communications processes for a ransomware event?

Resources

Key cyber security terms and their definitions can be found in our glossary:

Glossary | Rarangi kupu

Read Judgement 3

Hacktivists are targeting New Zealand organisations as global conflicts escalate