View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
December 20, 2022

New Zealand businesses ransomed by LockBit 3.0 after Mercury IT cyberattack

The ransomware gang claimed an attack on the NZ-based MSP earlier this month, and now may have launched a supply chain attack.

By Claudia Glover

A ransomware attack by cybercrime gang LockBit 3.0 on New Zealand-based managed service provider Mercury IT appears to have led to numerous organisations from NZ appearing on the gang’s dark web victim blog. The New Zealand Ministry of Justice and the New Zealand National Nurses Association also seem to have been caught up in the breach, though their data is not yet available for purchase.

New Zealand companies hit in supply chain attack through MSP Mercury IT. (Photo by Stargrass/Shutterstock)

In what has all the hallmarks of a supply chain attack, a host of companies from New Zealand have appeared on LockBit’s blog following Mercury IT cyberattack. Mercury itself is also on the blog, though it is not clear if all the other victims are customers of the MSP.

Mercury IT cyberattack may have had big implications

Among the organisations posted to the blog are health insurer Accuro, architectural firm Catalyst Group, business mentoring programme Business Central, commercial flooring business Polyflor. Data is listed for sale for prices between $99,000 and $999,000.

Mercury IT has also worked with the New Zealand Ministry of Justice and healthcare company Te Whatu Ora, reportedly losing 14,500 coroners’ files and 4000 post-mortem reports, although none of this is for sale on the dark web as of yet. 

Business advocacy group BusinessNZ and the New Zealand National Nurses Association were also impacted, but have yet to see their information posted.

Mercury IT became aware of the ransomware attack on November 30. “We became aware that we were the victim of a cyber-incident after a malicious and unauthorised actor gained access to our server environment,” said Corry Tierny, the company’s IT director. “Our response to understand how this occurred, and address the impacts, is at an early stage; however, all possible steps have been taken to secure our environment.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

The New Zealand Privacy Commissioner is “planning on opening a compliance investigation into this incident so that it can make full use of its information-gathering powers,” it said. “We encourage any clients of Mercury IT who have been impacted by this incident and who have not already been in touch with us to contact the Office of the Privacy Commissioner.”

LockBit 3.0 continues its crime spree

LockBit 3.0 is the third regeneration of notorious cybercrime gang LockBit, the same hacker group that took down the UK’s NHS 111 service in August, forcing employees to use pen and paper until the attack was resolved. In the past two months the gang struck numerous other global organisations.

In November LockBit reportedly carried out a cyberattack on Canadian infrastructure that halted municipal services and shut down employee email accounts in the city of Westmount in Quebec, grinding many vital government services to a halt. 

Later in November the group hit German tyre and car parts company Continental AG, with data supposedly from the company appearing for sale online for $50m. The severity of the incident led to the FBI becoming involved in the case.

The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) has released a joint flash report about the gang’s previous ransomware, LockBit 2.0, warning organisations of the particular indicators of compromise to be aware of. “LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation,” the agencies said.

The make-up of the group is unknown, but a Canadian national was arrested in relation to its activities in November. Mikhail Vasiliev, 33, of Bradford, Ontario, is in custody in Canada and is awaiting extradition to the United States. “This arrest is the result of over two-and-a-half-years of investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world,” said deputy attorney general Lisa Monaco at the time.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.