Ransomware: New Zealand's Most Costly Cyber Threat
Ransomware — malicious software that encrypts your business files and demands payment for the decryption key — has become the dominant cyber threat facing NZ businesses in 2026. CERT NZ reports show that ransomware incidents have increased year on year, with attackers deploying increasingly sophisticated techniques and targeting businesses of all sizes, not just large enterprises.
The average total cost of a ransomware incident for an NZ business — including the ransom payment (if paid), system restoration, business interruption losses, data recovery, staff overtime and regulatory notification — ranges from $50,000 for a small business to several hundred thousand dollars for a medium-sized organisation. Without cyber insurance, most businesses cannot absorb these costs.
How Ransomware Attacks Work: The Six Stages
Understanding how ransomware attacks unfold helps businesses prepare appropriate defences and incident response procedures.
1. Initial access — typically through a phishing email, compromised credentials, or exploitation of an unpatched vulnerability in internet-facing software.
2. Persistence — once inside, attackers establish multiple access methods so they can maintain access even if the initial entry point is closed.
3. Lateral movement — attackers move through the network, mapping out systems and identifying valuable data.
4. Data exfiltration — in many modern ransomware attacks, data is stolen before encryption, creating a "double extortion" situation.
5. Encryption — often occurring outside business hours to maximise the impact before detection.
6. Ransom demand — typically delivered through a ransom note that appears on encrypted systems, with a timer and payment instructions.
Double Extortion: The New Normal
Modern ransomware attacks increasingly use "double extortion" tactics: attackers steal your data before encrypting it, then threaten to publish or sell the data publicly if the ransom is not paid. This means that even businesses with excellent backups that can restore their systems quickly still face the threat of data exposure — creating Privacy Act notification obligations and potential liability to affected parties regardless of whether the encryption is resolved through backup restoration.
Should You Pay the Ransomware Demand?
The question of whether to pay a ransom is one of the most challenging aspects of a ransomware response. The decision involves legal, ethical and practical considerations. Your cyber insurer's incident response team and legal advisors will guide you through this decision. Key considerations include: whether the attacker is subject to international sanctions (paying sanctioned entities may create legal liability); whether paying is likely to result in a working decryption key; the cost and time required for alternative recovery; and whether data has been exfiltrated, making payment irrelevant to the privacy obligations triggered.
Cyber insurance policies that cover ransomware extortion will generally support the decision-making process through specialist negotiators who can engage with attackers, assess decryption key reliability and negotiate payment amounts if a decision to pay is made.
Recovery: What Cyber Insurance Covers
A cyber insurance policy's response to a ransomware attack covers several components:
- Incident response costs — specialist forensic investigators, ransom negotiators and crisis management.
- Ransom payment — where insurer consent is obtained and legal checks are passed.
- System restoration — technical specialists to restore or rebuild affected systems.
- Data recovery — recovering data from backups or negotiated decryption.
- Business interruption — lost revenue during the recovery period.
- Privacy Act notification and response — where data was exfiltrated, all the costs described in our notification guide.
The Role of Backups in Ransomware Recovery
Good offsite backups — regularly tested, with multiple restore points, stored separately from your main network — are the most effective technical control against ransomware. They allow system restoration without ransom payment, significantly reducing recovery time and cost. However, backups alone are not sufficient in a double extortion scenario (where data is stolen before encryption) and do not address the business interruption period, legal costs, or Privacy Act notification costs. Cyber insurance and good backups work together — they are complementary, not alternatives.
About the Author
The CyberCover Team is dedicated to making cyber insurance transparent and accessible for NZ businesses of all sizes.