Monday, June 17, 2024
HomeCanadaGone Phishing: Canada's cybercrime epidemic is pricey.

Gone Phishing: Canada’s cybercrime epidemic is pricey.

At first glance, a small city on the east coast of Canada — population of about 70,000 — seems an unlikely target for a cyberattack. But data collected in the Canadian Centre for Cyber Security’s 2021 Cyber Threat Bulletin shows otherwise, tracking a 151% year-over-year rise in ransomware attacks worldwide by mid-2021, with a total of 235 in Canada between January and November — and that’s only the ones that had been reported. PHOTO BY GETTY IMAGES /iStock

This twice-weekly series goes in-depth on cybersecurity, one of Canada’s growing economic threats. Our journalists explain the impact of ransomware on municipalities, health authorities, small businesses and the corporate sector.

The story starts out like a tired cliché: It was a Friday the 13th. Friday, Nov. 13, 2020, to be exact. Dark night, temperature hovering around zero, a bit of a wind.

At approximately 9 p.m., IT staff working for the City of Saint John, an industrial port city in southern New Brunswick, noticed abnormalities on the municipality’s online systems.

By 10 p.m., the city’s emergency services dispatch system went down, meaning 911 calls had to be forwarded to the provincial capital in Fredericton.

Quietly, unnoticed by most residents at the time, the city’s website went dark.

A cyberattack on both the city’s and Saint John Police Force’s online domains was underway. Russian hackers had taken the system hostage, demanding a ransom in the cryptocurrency bitcoin worth $17 million.

At first glance, a small city on the east coast of Canada — population of about 70,000 — seems an unlikely target for a cyberattack. But data collected in the Canadian Centre for Cyber Security’s 2021 Cyber Threat Bulletin shows otherwise, tracking a 151% year-over-year rise in ransomware attacks worldwide by mid-2021, with a total of 235 in Canada between January and November — and that’s only the ones that had been reported.

What happened in Saint John has become fairly common.

Who is being targeted seems to be indiscriminate, with municipalities, school boards, universities, hospitals and airlines all among the victims of cyber incidents.

And while larger bodies like Newfoundland and Labrador’s health authority in 2021 have not been immune, smaller organizations have also been targeted.

“They’re no longer just going after the big guys. They’re going after everybody,” said Spencer Callaghan, senior manager of brand and communications at the Canadian Internet Registration Authority (CIRA).

“The main thing that we see is just how ubiquitous these types of attacks are becoming, and how there’s really no size or type of organization that is exempt from these risks.”

Ed Dubrovsky, managing partner with cyberattack recovery firm CYPFER, calls it a “digital pandemic,” a space where no one has complete control.

When attackers come knocking

In the City of Saint John’s case, the cyberattack came from RYUK, described in city documents obtained through a right to information request, as “a Russian Mafia group.” The same malware has been responsible for attacks on other municipalities as well as “public health and safety organizations” around the world, according to the Canadian Centre for Cyber Security.

In October 2019, the centre thought the threat posed by RYUK was great enough to warrant issuing an alert about it.

By Dubrovsky’s count, there are about 60 to 70 ransomware groups in operation currently, each with a slightly different encryption software.

RYUK threat actors gained access to Saint John’s online systems using a phishing email with an Excel file.

This information, including the identity of the perpetrators, has never been formally made public by the city. In fact, the City of Saint John declined a request to participate in this story.

Instead, it’s through documents obtained from a right-to-information request that help piece together how and when the attack came about, and the steps the city took in the days following.

The system was infiltrated on Oct. 28, 2020, with the attack starting on Nov. 3 and 4. By Nov. 13, the attack “began in earnest,” documents show, resulting in the disconnection of the network and encrypting most Windows-based servers and devices.

In the days and months that followed, the attack would cause ripple effects through the community, delaying court cases, causing building permits to be issued manually, and affecting online payments for municipal services like water bills and parking tickets.

A lot of what occurred in Saint John is not unique. In 2021, ransomware attacks — a type of cyberattack in which hackers take over a victim’s online system and demand a ransom in order for it to be restored — made up 55% of cyberattacks, according to the 2022 Cyber Trends Study published annually by Blake, Cassels & Graydon LLP (Blakes).

Phishing — a method, often through email, used by threat actors to mislead victims into handing over personal information that can give them access to online systems — was the most common source of infiltration, making up 38% of attacks.

In other ways, the City of Saint John bucked trends. The same Blakes study showed ransom was paid in 56% of incidents in 2021, while in 69% of cases involved breaches of “sensitive information.”

Saint John did not pay the ransom, choosing instead to rebuild its online network from the ground up, and has maintained there was no indication of a significant breach of information from the city’s network.

Why it matters

While it might seem as if it’s a matter of when, not if, an organization will be targeted by cyber criminals, there is good reason to ensure you’re protected.

The average ransom payment in 2021 was $200,000, while recovery costs averaged at $2.3 million, according to the Cyber Threat Bulletin, and that’s not even taking into account impacts to a company’s reputation, the impacts on clients when an online system is out of service or the potential for personal information leaks.

Such personal information, depending on the victim of the attack, could include personal health-care information, contact information such as addresses or even credit card numbers.

There is also every indication that ransom demands are trending upwards, the Blakes study showed.

“(Threat actors) become more sophisticated in determining how much a company will potentially be willing to pay in order to gather data,” said Catherine Beagan Flood, partner at Blakes.

Blakes serves as “breach coaches” with clients, offering services such as forensic investigation, communications and negotiations, Beagan Flood said. On the other end, the Blakes team works with companies to prevent future breaches and helps with litigation involving cybersecurity incidents if need be.

While in the past, ransomware attacks were more focused on encrypting information, increasingly threat actors are stealing personal information, giving the victim more reason to pay the ransom, Beagan Flood said.

Dubrovsky’s Toronto-based company CYPFER goes “in the trenches” with clients, negotiating and helping with cyberattack recovery on their behalf. Since starting in 2019, Dubrovsky says the company has handled about 1,000 cases in the United States and Canada.

While there has always been cybercrime since the dawn of the world wide web, in the last eight years or so with the introduction of cryptocurrency — a favoured payment method of threat actors due to its anonymity — more and more potential threat actors have capitalized on the opportunity it presents, Dubrovsky said.

Ransom demands started low, closer to the $1,000 mark, Dubrovsky said. Now it’s more common to see ransoms around $500,000, although he’s seen demands upwards of $40 million to $60 million.

Where we’re vulnerable

Inadvertently allowing infiltration by cyber criminals is as easy as opening an email that might, at first glance, appear legitimate. Before you know it, you’re keying in login information at a prompt, giving the cyber criminals an in.

From there, threat actors are able to take information and encrypt it, a process whereby information is secured and only the people with a digital key can access it — called decryption. But that digital key comes with a price.

“I think it’s absolutely fair to say that human beings are part of the sort of entry point through phishing campaigns, etc.,” said Sunny Handa, partner at Blakes. “But it’s not only about humans, it’s also about vulnerabilities that are found within software. Software is extremely complex, there is no perfect software.”

After phishing, Blakes’s trends report found “software vulnerability” and “remote desktop access” as the other culprits leading to cyberattacks in 2021.

Working from home also presents more opportunities for infiltration, Dubrovsky said.

“It’s also kind of the law of numbers with more people are working from home. And remember, home networks are just weak,” he added. “Nobody’s investing a million dollars in their home router.”

Employees who work from home may not have their guard up against phishing attacks as much in their home environment as they would in an office, Callaghan said, increasing their vulnerability. Callaghan recommends anyone who works from home to set up a virtual private network (VPN), a protected network connection that keeps your online identity hidden.

“But even if you are using a VPN, there’s just no way to harden a home environment network as much as you can harden the corporate network,” he added.

On the other hand, there’s also no way to guarantee you’ll be informed if an online network you’re a customer of has been the victim of a cyberattack.

The Blakes trends study found just over 80 per cent of incidents were not reported to either law enforcement or a privacy commissioner. Meanwhile, in 63% of 2021 cyberattacks, “affected individuals” were not informed by the victim organization.

“If you report to the Privacy Commissioner, you’re potentially making the fact that you got attacked public. You’re also getting interest from the government, who may want to know more, and may start to ask you questions, which then takes time to answer,” Handa said.

“It’s the same reason people don’t voluntarily report a whole bunch of things to law enforcement.”

The test for disclosing to affected individuals comes down to whether there is a “real risk of significant harm,” Beagan Flood added. A name and email address may not be enough of a breach to warrant notification.

What we’re up against

On top of dealing with the 60 to 70 known ransomware groups, the relative ease with which individuals can get into the cybercrime industry is also a growing concern, Dubrovsky said.

Now there’s “ransomware as a service” to contend with, something both the Blakes study and Cyber Threat Bulletin both credit for an uptick in worsening cyber incidents.

Working in a manner similar to a franchise system, individuals looking to start out in the cybercrime arena can pay to gain access to the software necessary to attack and infiltrate systems and encrypt data, Dubrovsky said.

“This creates an ecosystem of cybercrime where there are no major barriers to enter,” Dubrovsky added — as long as you have the $500 or so to buy in, then the payoff can be as much as $2.5 million per year.

“It just takes, you know, a laptop and an internet connection, and you’re in business,” Handa said.

As for whether the Canadian economy is prepared for the increasing threat, Dubrovsky said there is no way to be certain you’re safe.

“I think overall, cybersecurity programs are getting better and awareness is improving,” he said. “But the question whether (organizations are) prepared, the answer is always going to be ‘not really,’ because there is no 100%.”

The cost of recovery

For Saint John, full cyberattack recovery wasn’t realized until later on in 2022, the city confirmed in January, about two years after IT staff first identified a cyberattack on the municipality’s online systems.

While the city launched a new website in February 2021 and the full network was up and operating around a month later, behind-the-scenes work like application restorations still needed to be completed, and was ongoing throughout last year.

Restoration time varies wildly depending on the company’s resources, how many systems have been affected and whether they have backups, Dubrovsky said. Choosing to pay the ransom would also expedite the process.

“In a very small company with backups, you will be back up and running within a day,” he said.

“In a large company, you’re probably looking at about up to eight, nine months.”

While the City of Saint John chose not to pay the $17 million in ransom, opting instead to rebuild the network from the ground up, it still came with a price. However, the $2.9-million rebuilding price tag should be largely mitigated by the fact the city’s cyber insurance is expected to cover about $2.5 million of it.

Time, in the end, proved to be the greater price.

Moving into 2023, Handa said more of the same can be expected: More breaches, “more and more companies waking up and saying, ‘Oh my god, my business partner or supplier got attacked.’ I guess it’s just a matter of time or in a number of cases that you will get attacked as a company.”

“The fact is, most folks are not putting the resources and the thought into cyber preparedness at this point,” he continued.

“No one gets away for free in terms of cyber. We’ve all saved a bunch of money moving into the digital world: less paper, less real estate, all of that. But you’ve got to put some of that money back now into digital security.”

Source: torontosun



Most Popular