Cyber Incident Victim: Phenix Services
Date:
Jul 2021
Location:
New Zealand
Summary
A ransomware group identified as Lockbit 2.0 targeted three small-to-mid-sized New Zealand businesses, compromising data and threatening public release of stolen information. Among the affected entities was an Invercargill-based property maintenance firm, with attackers initially including a Christchurch painting supplies company in their extortion attempts before withdrawing the threat against the latter. The incidents reflect broader concerns about cybercriminals shifting focus to regional organizations following geopolitical pressures on ransomware operations elsewhere. Data theft and coercive publication threats constituted the primary impacts against the victims.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In July and August 2021, the ransomware group Lockbit 2.0 claimed responsibility for cyberattacks against three small-to-midsized New Zealand businesses. The group publicly threatened to release stolen data from Invercargill-based property maintenance firm Phoenix Services in July, marking the first known incident. A second attack targeted Christchurch painting supplies company Haydn in August, though Lockbit 2.0 later withdrew its data release threat against this victim. The attackers listed both companies on their online platforms as part of extortion efforts, a common ransomware tactic to pressure organizations into paying ransoms. Security experts observed these incidents occurred amid geopolitical shifts following U.S. President Biden's increased pressure on Russia to curb ransomware operations.
The attacks coincided with analyst observations that ransomware groups might be shifting focus toward perceived "softer targets" in countries like New Zealand and Australia following U.S. counter-ransomware actions. While Lockbit 2.0 claimed three New Zealand victims, only Phoenix Services and Haydn were publicly identified, with no technical details disclosed about the third organization. The public extortion attempts exposed both companies to reputational risks and potential data breaches, though Haydn avoided imminent data publication due to the threat withdrawal. No information was provided regarding containment measures, financial impacts, or whether any ransom payments occurred. Cybersecurity professionals cited these incidents as early indicators of possible targeting pattern changes within the ransomware ecosystem following international law enforcement pressures.