S3nd Us teH MoNey: Ransomware Advisory Issued for Canadian Companies
Ransomware attacks, in which hackers encrypt all the files on a computer and threaten to delete them unless a ransom is paid, are becoming increasingly common. Disturbingly, they are often successful. Recent victims include individuals like the woman who paid Ukrainian hackers $500 in Bitcoins to prevent them from deleting her husband’s financial statements (and whose story was profiled on an excellent episode of WNYC’s Radiolab), and organizations like the hospital in Los Angeles that paid $40,000 in order to regain access to its electronic medical records and other systems. Canadian hospitals have also been targets.
Two recent advisories—one from the Alberta Information and Privacy Commissioner, the other from the Canadian Cyber Incident Response Centre in collaboration with the United States Department of Homeland Security—discuss the extent of the threat, and suggest how Canadian individuals and organizations can protect themselves.
The advisories explain that ransomware typically finds its way onto computers through “phishing” emails, which attempt to trick recipients into opening malicious attachments, or through “drive-by downloads”, where infected websites install software onto users’ computers without their knowledge. The consequences of these attacks can be devastating: individuals and organizations may lose sensitive or proprietary information, their regular operations could be disrupted, restoring systems and files can be horribly expensive, and reputations are put at risk.
Should I Pay?
If an organization hands over the cash (or, more typically, bitcoin or other cryptocurrency), there is no way to be certain that extortionate hackers will be true to their word. As the advisories note:
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information as well. In addition, decrypting files does not mean the malware infection itself has been removed.
There are other considerations as well.
If you have readily accessible backups that have been protected against malicious encryption, then there may be no reason to pay - a relatively straightforward restore operation may be all that's required. Another factor is how widespread the infection is - if it's just four computers, taking them offline may solve the immediate problem; however, if its the entire network and backup systems, there will be different considerations. Finally, before paying any ransom demand (whether in cash or cryptocurrency) organizations should confirm that by doing so, they are not funding a terrorist organization and thereby running afoul of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act S.C. 2000, c. 17 , violating the Criminal Code provisions on extortion or making a payment to a sanctioned country or individual.
Of course, the preferred approach is to prevent, not pay.
An ounce of prevention … is the law
The advisories suggest some common-sense but effective practices your organization can adopt to lessen the chances of become a victim to a ransomware attack:
- Educate your staff and employees. Anyone using a computer should know not to open untrusted attachments and how to recognize when a website might be compromised—and about the consequences for the organization that are at stake. Develop, implement and test employee training on these matters.
- Get your IT department on board. Your IT group can implement safeguards that can make your organization a more difficult target. Successful tactics include application whitelisting, which allows only specified programs to run, while blocking all others, including malicious software.
- Make frequent, regular, and accessible backups! If your organization is attacked, but can restore its files from a recent backup, the ransomware threat will be greatly diminished (however, note that the more recent variants of ransomware can stay on organization's systems for months, thereby encrypting the most recent regular backups. It is not until several months have elapsed, and the backups are encrypted, that a demand will be received - and attempts to rely on backups will be futile).
These suggestions are more than just best practices. They may also be the law. Under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) as well as the Personal Information Protection Act (British Columbia) and the Personal Information Protection Act (Alberta) and other provincial and/or sector-specific privacy legislation, organizations are required to take appropriate security safeguards to protect sensitive information.
If your organization is targeted, and if you have reason to believe that the breach of personal information could reasonably create a “real risk of significant harm to the individual”, under the recent amendments to PIPEDA you would be required to notify affected individuals and report the breach (these particular federal amendments are not yet in force, though a discussion paper was recently circulated addressing the proposed changes - see our previous blog post here). Alberta already has mandatory breach reporting that uses a similar threshold.
But again, it’s best not to be put in this situation at all. Taking small steps to minimize the risk of ransomware can avoid having to resolve some difficult, costly, and potentially life-threating situations.