A ransomware attack by cybercrime gang LockBit 3.0 on New Zealand-based managed service provider Mercury IT appears to have led to numerous organisations from NZ appearing on the gang’s dark web victim blog. The New Zealand Ministry of Justice and the New Zealand National Nurses Association also seem to have been caught up in the breach, though their data is not yet available for purchase.
In what has all the hallmarks of a supply chain attack, a host of companies from New Zealand have appeared on LockBit’s blog following the Mercury IT cyberattack. Mercury itself is also on the blog, though it is not clear if all the other victims are customers of the MSP.
Mercury IT cyberattack may have had big implications
Among the organisations posted to the blog are health insurer Accuro, architectural firm Catalyst Group, business mentoring programme Business Central and commercial flooring business Polyflor. Data is listed for sale for prices between $99,000 and $999,000.
Mercury IT has also worked with the New Zealand Ministry of Justice and healthcare company Te Whatu Ora, reportedly losing 14,500 coroners’ files and 4000 post-mortem reports, although none of this is for sale on the dark web as of yet.
Business advocacy group BusinessNZ and the New Zealand National Nurses Association were also impacted, but have yet to see their information posted.
Mercury IT became aware of the ransomware attack on November 30. “We became aware that we were the victim of a cyber-incident after a malicious and unauthorised actor gained access to our server environment,” said Corry Tierny, the company’s IT director. “Our response to understand how this occurred, and address the impacts, is at an early stage; however, all possible steps have been taken to secure our environment.”
The New Zealand Privacy Commissioner is “planning on opening a compliance investigation into this incident so that it can make full use of its information-gathering powers,” it said. “We encourage any clients of Mercury IT who have been impacted by this incident and who have not already been in touch with us to contact the Office of the Privacy Commissioner.”
LockBit 3.0 continues its crime spree
LockBit 3.0 is the third regeneration of notorious cybercrime gang LockBit, the same hacker group that took down the UK’s NHS 111 service in August, forcing employees to use pen and paper until the attack was resolved. In the past two months the gang struck numerous other global organisations.
In November LockBit reportedly carried out a cyberattack on Canadian infrastructure that halted municipal services and shut down employee email accounts in the city of Westmount in Quebec, grinding many vital government services to a halt.
Later in November the group hit German tyre and car parts company Continental AG, with data supposedly from the company appearing for sale online for $50m. The severity of the incident led to the FBI becoming involved in the case.
The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have released a joint flash report about the gang’s previous ransomware, LockBit 2.0, warning organisations of the particular indicators of compromise to be aware of. “LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation,” the agencies said.
The make-up of the group is unknown, but a Canadian national was arrested in relation to its activities in November. Mikhail Vasiliev, 33, of Bradford, Ontario, is in custody in Canada and is awaiting extradition to the United States. “This arrest is the result of over two-and-a-half-years of investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world,” said deputy attorney general Lisa Monaco at the time.