In mid-May 2021 hospital computer systems and phone lines run by the Waikato District Health Board (DHB) in New Zealand were affected by a ransomware attack. On 25 May, an unidentified group claimed responsibility for the hack and issued an ultimatum to the Waikato DHB, having obtained sensitive data about patients, staff and finances. The Waikato DHB and New Zealand Government ruled out paying the ransom.
According to the Stuff journalist Dileepa Fonseka, the Ministry of Health had entered into negotiations with information technology industrial vendors in 2019 to purchase a more advanced cybersecurity system for the country's district health boards. However, these negotiations were abandoned since the Ministry lacked the budget to purchase the proposed system. [1]
The cyber attack on the Waikato District Health Board that began on 19 May 2021 brought down all IT systems and phone lines. Kevin Snee, chief of Waikato DHB, said that he did not know who was responsible for the attack or if it was related to the Health Service Executive cyberattack. [2]
On 25 May 2021, The New Zealand Herald reported that an unidentified group had claimed responsibility for the hack. This group had reportedly accessed confidential patient notes, staff details, and financial information. The group also claimed that they had given the Waikato DHB seven days to contact them following the cyber attack. The group reportedly deleted most of the backup files but offered to help restore the systems if the Waikato DHB responded to their communications. In response, the Waikato DHB chief executive Snee refused to confirm or deny whether the DHB had been in contact with the hackers. Snee also stated that the DHB would not be paying any ransom. [3]
On 27 May, senior Waikato DHB officials confirmed that hackers had seized patient and staff details and that files sent to several media including The New Zealand Herald contained genuine information. These files have been handed to the Police. DHB chief executive Snee confirmed that the body was working with privacy experts and providing affected patients with support. Snee stated that the Waikato DHB's COVID-19 vaccination programme had not been affected by the cyberattack and was ten percent ahead of its rollout target. [4] Emsisoft cybersecurity expert Fabian Wosar speculated that the hacker's ransom demand for the Waikato DHB's hacked data was likely in the millions or even tens of millions of dollars; potentially making it the biggest Zepellin data breached if confirmed. [5]
Some surgeries were postponed as a result of the attack, but most went ahead as planned. [2] [6]
Two Air New Zealand flights were cancelled after the airline was unable to get a negative COVID-19 certificate for a crew member who was to work on both flights. [7]
On 26 May, an unidentified doctor claimed that seriously ill cancer patients could be flown to Australia for treatment due to the disruption and potential data breach caused by the Waikato DHB cyber attack. The Waikato DHB has also arranged for the most urgent patients to be assigned to private providers in Tauranga and Wellington. In addition, the Auckland District Health Board has agreed to provide treatment to the Waikato DHB's emergency cancer patients. [8]
By 2 June, the Waikato District Health Board had confirmed that it had made progress in restoring half of its servers over the past four days. Its system consisted of several hundred servers, many major network sites and thousands of work stations. [9]
By 7 June, radiation therapy had resumed at Waikato DHB hospitals with 21 patients receiving treatment the previous day. [10] [11] In addition, restoration work was being done to salvage data from the Waikato DHB's inpatient management system and diagnostic services from its radiology and lab departments. [11]
By 15 June, Kevin Snee confirmed that the Waikato DHB had managed to restore clinical services, doctors' access to patients' full medical information, laboratory diagnostic and radiology services. However, staff were still relying on manual processes in several areas, which meant that all activities require additional time. The DHB also faced a backlog of patients who have had their outpatient appointments and other services cancelled because of the cyber attack. Due to the disruption, some patients had to seek treatment at other district health boards. [12] [13]
On 29 June, Radio New Zealand and Stuff reported that a list of documents containing sensitive information including correspondence, medical records, and financial data had been released on the dark web. In response, the Waikato DHB confirmed that it had contacted affected patients and was working with cybersecurity experts to identify and manage any potential disclosures. [14] [15]
Kevin Snee described the attack as the "biggest in New Zealand history". [7]
Health Minister Andrew Little said that Waikato DHB was getting all possible assistance including from the National Cyber Security Centre within Government Communications Security Bureau. [6]
On 25 May, Health Minister Little confirmed that the New Zealand Government would not pay the ransom to the hackers in order to discourage further offending. Little confirmed that the hacking group had contacted several media companies including Stuff and NZME. [16] [3]
On 26 May, the Privacy Commissioner warned all district health boards in New Zealand to fix their IT vulnerabilities as a result of the Waikato DHB cyberattack. [17]
On 29 June, Health Minister Little promised a full independent inquiry into the Waikato DHB cyber attack. [15] The following day, the Privacy Commissioner confirmed that the Waikato DHB would not be fined for patient data being hacked but that the health body may faced liability if harm was caused by it. [18]
Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
A blended threat is a software exploit that involves a combination of attacks against different vulnerabilities. Blended threats can be any software that exploits techniques to attack and propagate threats, for example worms, trojan horses, and computer viruses.
The Internet has a long history of turbulent relations, major maliciously designed disruptions, and other conflicts. This is a list of known and documented Internet, Usenet, virtual community and World Wide Web related conflicts, and of conflicts that touch on both offline and online worlds with possibly wider reaching implications.
A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, societies or organizations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack.
The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated by using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life. These patches were imperative to cyber security, but many organizations did not apply them, citing a need for 24/7 operation, the risk of formerly working applications breaking because of the changes, lack of personnel or time to install them, or other reasons.
Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.
The 2018 SingHealth data breach was a data breach incident initiated by unidentified state actors, which happened between 27 June and 4 July 2018. During that period, personal particulars of 1.5 million SingHealth patients and records of outpatient dispensed medicines belonging to 160,000 patients were stolen. Names, National Registration Identity Card (NRIC) numbers, addresses, dates of birth, race, and gender of patients who visited specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 were maliciously accessed and copied. Information relating to patient diagnosis, test results and doctors' notes were unaffected. Information on Prime Minister Lee Hsien Loong was specifically targeted.
The Waikato District Health Board was a district health board that provided healthcare to the Waikato region of New Zealand.
REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.
Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian, who target organizations rather than individual consumers.
Emsisoft Ltd. is a New Zealand-based anti-virus software distributed company. They are notable for decrypting ransomware attacks to restore data.
A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).
On May 7, 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States, suffered a ransomware cyberattack that impacted computerized equipment managing the pipeline. The Colonial Pipeline Company halted all pipeline operations to contain the attack. Overseen by the FBI, the company paid the amount that was asked by the hacker group within several hours; upon receipt of the ransom, an IT tool was provided to the Colonial Pipeline Company by DarkSide to restore the system. However, the tool required a very long processing time to restore the system to a working state.
DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack. It is thought that they have been able to hack and extort money from around 90 companies in the USA alone. The group provides ransomware as a service.
On 14 May 2021, the Health Service Executive (HSE) of Ireland suffered a major ransomware cyberattack which caused all of its IT systems nationwide to be shut down.
Conti is a ransomware hacker group that has been observed since 2020, believed to be distributed by a Russia-based group. It operates as a ransomware-as-a-service (RaaS), enabling other cybercriminals to deploy this malware for their own purposes. Conti is particularly known for its utilization of double extortion techniques, where it not only encrypts victim's files but also steals and threatens to publish sensitive data if the ransom is not paid.
Beginning on the night (UTC-6:00) of April 17, 2022, a ransomware attack began against nearly 30 institutions of the government of Costa Rica, including its Ministry of Finance, the Ministry of Science, Innovation, Technology and Telecommunications (MICITT), the National Meteorological Institute, state internet service provider RACSA, the Costa Rican Social Security Fund, the Ministry of Labor and Social Security, the Fund for Social Development and Family Allowances, and the Administrative Board of the Municipal Electricity Service of Cartago.
Hive was a ransomware as a service (RaaS) operation carried out by the eponymous cybercrime organization between June 2021 and January 2023. The group's purpose was to attack mainly public institutions to subsequently demand ransom for release of hijacked data.
Rhysida is a ransomware group that encrypts data on victims' computer systems and threatens to make it publicly available unless a ransom is paid. The group uses eponymous ransomware-as-a-service techniques, targets large organisations rather than making random attacks on individuals, and demands large sums of money to restore data. The group perpetrated the notable 2023 British Library cyberattack and Insomniac Games data dump. It has targeted many organisations, including some in the US healthcare sector, and the Chilean army.