Not on my dime

In what appears to be a perfect storm for business owners, the pandemic has turned out to be a feeding ground for cyber criminals who are using ransomware to attack organizations at a crippling pace.

And with most businesses adopting more long-term remote or hybrid work arrangements, experts are concerned the threat of this digital warfare will only proliferate unless there is increased vigilance around cyber security best practices.

“Ransomware has always fairly prevalent, but in the last couple of years we have all seen a significant increase in cyber activity,” says Naheed Shivji, president of Rafiki Technologies, a Calgary-based IT support and computer services company that works with small and medium-sized business in Alberta and Ontario.

“And this is largely because of the rise in remote working. Something as simple as an employee connecting to unsecured home networks can expose a company to a cyberattack.

“Very simply, remote workers are now a major target for cyber criminals who see them as vulnerable.”

Ransomware is a form of a malware in which the attacker accesses an organization’s most important informational or vital systems and encrypts it until a ransom is paid – typically in some form of crypto currency.

Industry estimates note a 151 per cent increase globally in such attacks during the first half of 2021 from the year prior. One of the most notably was the Colonial Pipeline attack in the U.S. this past May when a ransomware attack caused a shutdown of the largest fuel pipeline in the country, leading to price spikes and fuel shortages for millions of Americans.

Yet these attacks are also happening close to home. The Town of Didsbury was among those targeted by cyber criminals in the past year, as well as businesses such as Calgary-based Professional Excavators and Construction, which reportedly incurred costs in excess of $100,000, and Ronmor Holdings, which controls Ronmor Developers.

“The size or location of the company does not matter,” says Shivji. “We’ve seen companies with one employee working in their basement here in Calgary to multinational companies be victims to these attacks.”

One of the more high-profile local cases came in 2016 when the University of Calgary paid $20,000 after a cyberattack on its system. The FBI would later charge two men in Iran as part of the “SamSam”” ransomware, which hacked networks in Atlanta, San Diego and Newark, N.J., as well as major health-care providers and the University of Calgary.

Const. Leonard VanWoudenberg of the Calgary Police Services’ Cybercrime Teams says these attacks are not only prevalent in Calgary but are often under-reported. It’s estimated that only five to 10 per cent of all cybercrimes and fraud are reported to police.

“We often find out about ransomware attacks after they’ve happened,” he says. “I credit that to two things: First, companies don’t think we can do anything about it. Second, they don’t want any more publicity around it.”

Terry Rowsell, president of Calgary-based IT service provider Frontier Solutions, has personal experience with ransomware as many of his clients have been threatened with such attacks – particularly in the last four years.

“Fortunately, we’ve never paid a ransom. We’ve always been able to go to our off-site encrypted backups,” he says. “But ransomware has evolved where the primary goal is no longer about encrypting data. It’s about exfiltrating data, meaning stealing the data with the threat of publicly sharing it if a ransom is not paid.”

This, in turn, has led to increased concerns around other costs associated with ransomware, such as reputational damage or loss of competitive advantage.

“The risk in reputation is damage is so high right now, especially with many of our clients who are more the legal sector,” says Rowsell.

VanWoudenberg adds to this, noting a new form of attack in the last year and a half where hackers will post on dark websites about victims who are not willing to pay the ransom.

The Canadian Centre for Cyber Security reported 235 “known” ransomware incidents against Canadian victims in 2021 through to mid-November, with more than half of these victims being critical infrastructure providers.

“The impact to either Canadians, small or medium enterprises or critical infrastructure has been immense,” says Rajiv Gupta, associate head of the cyber centre, noting the estimated average cost of a data breach, a compromise that includes but is not limited to ransomware, is $6.35 million. That can include factors such as downtime, recovery of information and infrastructure rebuilding.

“There’s a whole recovery initiative that has to happen,” says Gupta. “Once there’s malware on your systems and your organization has been compromised, there’s a clean-up and remediation effort that is significant.

“And paying the ransom is not a ‘get out of jail’ card. There’s no guarantee that these criminals who have held your data hostage are even going to respect the payment.”

How do these attackers get the data to hold hostage in the first place?

Most often, it’s through phishing emails in which employees are tricked into clicking on a link or opening an email that then downloads malicious software. Once in the system, the attackers infiltrate the system, encrypt files and bar access to the entire network.

“I would say (attackers) are getting more sophisticated in finding new vulnerabilities to exploit,” says VanWoudenberg. “Phishing attacks continue to be a major problem, and they seem to be getting very professional-looking.

Gupta also notes, “More recently, we’re seeing criminal ecosystems emerge where ransomware developers are licensing their software to affiliates to use them.”

This past November, Calgary police announced its involvement in a global investigation led by Europol dubbed Operation GoldDust that led to multiple arrests of members from several high-profile ransomware “families” that were behind 7,000 infections worldwide – including 600 in Canada.

The Canadian component, headed by several RCMP units and the Calgary Police Service Cybercrime Team, targeted a syndicate known as REvil, or the Sodinokibi family, which provided malware to affiliates in exchange for payment.

Other increasingly more common tactics range from attackers using stolen credentials purchased from the dark web to “brute force” their way into businesses’ systems, to attackers exploiting weaknesses within the system such as outdated security patches.

Much like Shivji, Rowsell attributes the rise of cyberattacks in recent years – particularly the past two –to increased adoption of the remote workplace model.

“The most common situations we see are when there are open ports on firewalls that have not been secured properly, and typically that’s through providing remote access to employees and staff,” he says.

“Or security parameters that should have been in place were bypassed to get up and running as quickly as possible. But there’s a real danger in just plugging the holes. You put yourself at great risk.”

When it comes to mitigating the risk of ransomware attacks, both Shivji and Rowsell suggest simple tactics can go a long way to projecting businesses:

1. Do not click on unsafe links in emails.
2. Avoid disclosing personal information including passwords.
3. Do not open suspicious email attachments.
4. Enable multi-factor authentication (also known as MFA) for all applications including email and VPN.
5. Create on-site and cloud backups, and ensure backups are frequently tested for successful restore.
6. Provide employee training and education.

“The threat is out there, but there are things you can do to protect yourselves,” adds Gupta. “If attacked by ransomware, this could be one of the worst days of their lives if you’re not properly prepared.”