The New Zealand Government strongly discourages the payment of ransoms to cybercriminals, and urges all victims to report any cyber ransom incidents to the relevant agencies, regardless of whether a ransom is paid.
Cabinet has agreed that government agencies do not pay cyber ransoms.
What you should do if targeted
If you or your organisation have been targeted by a cybercriminal and are being asked to pay a ransom, you should report this to the appropriate agency:
- For the general public, including individuals and businesses:
  - Ransomware attacks are a criminal act and should be reported to NZ Police using their online reporting tool at https://www.police.govt.nz/use-105#online-report-options, or by calling 105.
  - CERT NZ can provide advice to victims who have been attacked and help them work out what to do next. Reporting incidents to CERT NZ also helps New Zealand keep track of cyber security trends. You can report cyber incidents to CERT NZ at https://www.cert.govt.nz/individuals/report-an-issue/.
- For Nationally Significant Organisations (NSOs) and public sector agencies, you should report any cyber incidents to the National Cyber Security Centre.
  - It is the government’s expectation that public sector agencies will not pay cyber ransoms.
Government agencies will continue to work together to triage and respond to any cyber incident to ensure victims are supported by the right agency. Your report could help prevent more people from being targeted by cybercriminals.
If you are considering paying a ransom, you should seek independent legal and other professional advice to understand the risks. The New Zealand Government recommends not paying a ransom. Payment does not guarantee that you will get your data back, may breach sanctions, and harms others by funding further criminal activity.
The best way to prevent being the victim of cybercriminals is to take preventative measures to secure your data and computer systems.
- Advice on how individuals and businesses can better protect themselves against cybercrime can be found on the CERT NZ website (www.cert.govt.nz).
- NSOs and public sector agencies can find advice on the NCSC website at https://www.ncsc.govt.nz/newsroom/ransomware-advice/.
Implications of paying a ransom
Paying a ransom does not guarantee the end of an incident, or the removal of malicious software. It does not guarantee that you will get your data back.
Paying a ransom does create a financial incentive for criminals to continue or expand their activities, including potentially targeting you again.
In paying a ransom you may breach sanctions regimes. Any payment to a group operating from a sanctioned state may violate the Russia Sanctions Act 2022 or the United Nations Act 1946, which can carry criminal penalties of:
- Up to seven years in prison, a fine of up to $100,000, or both, for individuals; and
- A fine of up to $1 million for organisations.
Under the Privacy Act 2020, if a cyber ransom incident affects personal information held by your organisation or business, and amounts to a privacy breach that has caused, or is likely to cause, anyone serious harm, you must notify the Privacy Commissioner and any affected people as soon as practicable.