The summer season often seems like a quieter time of year. The past few months have been eventful in Canada, however, as several incidents reported in the media have highlighted the importance of cybersecurity once again.
First, several services in the Ontario municipality of Wasaga Beach were paralyzed following a ransomware attack on April 30, 2018. CTV reported in July that cybercriminals had initially demanded 11 bitcoins, approximately $144,000 (CAN), to free the 11 servers in question. While, like the FBI, we advise organizations against paying a ransom to the crooks, Wasaga Beach did pay and their misfortune came to an end. Seven weeks after the attack, the municipality managed to reach an agreement with the attackers, paying them three bitcoins (about $35,000) in exchange for access to four of its servers, which contained most of the city's data. No personal data was reported to have been compromised.
Across the Ottawa River, the Quebec Taxi Intermediary Reunion (RITQ) also suffered a ransomware attack on July 21, 2018. An email was sent on July 24 to the RITQ with a set of demands from the hackers. Having failed to comply with the requirements of the hackers, the RITQ left the case in the hands of the Quebec Police Service (SPVQ). More than a week after the cyberattack, the actions of the cybercriminals still had significant effects on the RITQ’s operation, as an additional 15 to 20 minutes was needed to process calls for a cab.
Finally, CarePartners, provider of home health care services on behalf of the Ontario government, announced a security breach in June 2018. The names and contact information of tens of thousands of patients, as well as detailed medical records, were obtained by cybercriminals after they raided the health care provider’s systems. This would be a subset of hundreds of thousands of patient records and related documents in their possession, some of them dating back to 2010.
The cybercriminals contacted CBC News and stated: "We asked for compensation in exchange for telling them how to fix their security problems and for us not to disclose data online." CarePartners later said that its internal investigation has so far identified 627 patient records and 886 employee records that have been compromised. However, the sample provided to CBC News appears to contain the names and contact information of over 80,000 patients. The home health care service provider hasn't answered the questions surrounding the payment of the ransom. It is therefore unclear if the data will be posted online.
Lessons to learn
While these cyberattacks have attracted media attention because of their scale and the organizations targeted, the increase in the number of ransom attacks is a striking trend. Some attacks target specific strategic organizations while many ransomware outbreaks attempt to reach as many networks and devices as possible.
Also keep in mind that prevention is the best cure. Protecting your data proactively before such an attempt happens is safer and cheaper for your company than trying to get hold of data that has been stolen or encrypted by ransomware. Here are some steps we recommend for companies to adopt:
- Invest in a trusted security solution. The detection and removal of malware is essential not only to protect you, but also to prevent these threats from spreading further afield.
- It is essential for companies to make regular backups of files. We often think of backups in the cloud only, but physical backups stored outside your network are less likely to be reached. Automated online backups could be affected by cyberattacks; criminals have a stake in overwriting them or making them inaccessible.
- Do not underestimate the usefulness of backup media that are not rewritable or reusable. If you can't change what's written there, criminals can't either. Check that your backups work correctly and that your media (read-only, write-disabled or writable) are still readable (and that writable media are not always writable). And back up your backups.
- You should already have in place a process to activate in case of a cyberattack. Remember that apart from the direct impacts on your business, a security breach can affect your customers' trust. Include communication strategies in your planning, in addition to other measures you should put in place following an attack. Of course, since your backups protect your data against ransomware and other malware, they must be part of your disaster recovery plan.
- We understand that some people might decide to pay the ransom in the hope of recovering their data, even knowing that this encourages cybercrime. Before paying, however, check with your security software provider (a) whether recovery might be possible without paying the ransom, and (b) whether the payment of the ransom might actually allow recovery for a particular ransomware variant, as this is not always the case.
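One way to carry out the backup checks recommended above, as an added example that is not part of the original article: record a SHA-256 manifest when the backup is taken, then periodically confirm that every file is still readable, unchanged and write-protected. The function names, file names and sample data are assumptions constructed for illustration.

```python
import hashlib, stat, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks; reading every byte also proves the media is readable."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(backup_root):
    """Map relative path -> SHA-256 at backup time; keep the manifest off the backup media."""
    root = Path(backup_root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(backup_root, manifest):
    """Return (problem, relative_path) findings; an empty list means the backup checks out."""
    root, findings = Path(backup_root), []
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            findings.append(("missing", rel))
            continue
        try:
            if sha256_file(path) != expected:
                findings.append(("modified", rel))
        except OSError:
            findings.append(("unreadable", rel))
        if path.stat().st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("writable", rel))  # backup copy is not write-protected
    present = {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}
    return findings + [("unexpected", r) for r in sorted(present - manifest.keys())]

def demo():
    """Constructed sample: two backup files, verified clean, then overwritten in place."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db.dump").write_bytes(b"constructed sample database dump")
        (root / "files.tar").write_bytes(b"constructed sample archive")
        for p in root.iterdir():
            p.chmod(0o444)                      # write-protect once the backup is done
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        (root / "db.dump").chmod(0o644)         # simulate a backup that was overwritten
        (root / "db.dump").write_bytes(b"constructed overwritten content")
        (root / "UNKNOWN_NOTE.txt").write_text("constructed unexpected file")
        return clean, verify_backup(root, manifest)
```

A hash match only shows the files are intact; a periodic test restore is still needed to confirm the backup can actually be recovered.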
The attacks that took place this summer certainly got the attention of media and the public. Not all breaches and subsequent ransom demands hit the headlines but this does not diminish the seriousness of these incidents. While these threats are not likely to disappear anytime soon, risk prevention and planning a threat response strategy are important techniques to help you deal with them.