Guide to Ransomware Attacks in Canada
The Ultimate Resource for Ransomware in Canada
Why should you know about ransomware?
Ransomware is a form of malware (malicious software) that is far more disruptive than most other malware, because it denies you access to your own data rather than quietly stealing it. It is now the most prevalent form of malware, and its use has increased significantly over recent years. Verizon's most recent Data Breach Investigations Report found that 39% of all malware-related breaches involved ransomware, up 50% from the year before.
Ransomware is as scary as it sounds. It presents users with an ultimatum: pay a ransom to regain access to your data, or lose it. Unless a clean backup exists, failure to pay means the data stays encrypted permanently, because the decryption key is held only by the attacker. Some variants also corrupt or delete files outright, leaving most users with little time to resolve the problem by other means. Like other forms of malware, ransomware is an evolving and increasingly sophisticated threat.
What Canadian Businesses Should Know About Ransomware
Ransomware attacks are one of the most common reasons Canadian companies seek emergency help from an IT firm. Among all of the cyber threats faced by Canadian businesses, ransomware ranks as the most pervasive and widespread. Together with spyware and viruses, ransomware belongs to the category of malicious software known as malware.
What is a phishing attack?
At its core, a phishing attack targets victims on a human and psychological level. It relies on exploiting people’s natural tendency to be helpful and accommodating, and to act submissively when approached with authority. This is what makes phishing a particularly insidious form of cyberattack, as it not only can have crippling effects on businesses, but it also leaves the targeted victim feeling personally responsible and often humiliated.
Hackers most commonly target someone within a company who answers to authority. These employees are the easiest to manipulate because they are often the most eager to help out and appease others. Once hackers have picked their target, they often pose as another person within the company or as a known service provider and ask the recipient to click a link or download an attachment. The hacker will have gathered enough information (from the company website, social media, or earlier reconnaissance calls) to pass as a bona fide and trusted contact. By the time the employee has reason to become suspicious, they have often already handed over sensitive information or let malware onto their machine.
Though phishing often targets more vulnerable employees, that isn't always the case. It is a common and dangerous myth that those who "should know better" cannot fall victim. Because each attack is tailored to its target, even people in management or executive positions can have a momentary lapse of judgement and fall for a phishing attack; executives are singled out so often that attacks on them have their own name, whaling.
The assumption that phishing attacks are obvious and easy to detect is simply not true. Not all phishing emails are immediately suspicious. Hackers have many tricks that they use to bait their victim, including establishing communication for a period of time before they make an attack.
It is common sense to be suspicious of a poorly written email from an unknown sender on the other side of the world. However, most phishing attacks are sent from infrastructure within the US, in fluent English. Attackers can clone the websites of reputable companies and serve the fake copy over HTTPS with a valid certificate, so the padlock in the browser proves only that the connection is encrypted, not that the site is genuine.
Another common myth is that anti-virus software and spam filters will catch every malicious email. They will not. Filters stop a great deal of commodity phishing, but attackers test their messages against the same security products before sending them and have ways to bypass filters. Phishing attacks work because they are carefully crafted to appear legitimate. Strong anti-virus protection can lull people into a false sense of security. Coupled with the misguided assumption that attacks are easy to spot, this means phishing can succeed against anyone and any business, including large enterprises.
It starts innocently enough. Often it’s an email or sometimes a phone call from someone who appears to have good intentions. Perhaps they are offering a deal or a bargain on new software, or upgrades to your system at a discounted price. It could be someone claiming to be contracted by the company, asking questions on the building layout, what software your company uses, size of the business, etc. Sometimes, hackers will show up in person, claiming to be doing work in the building and asking for access to enter the space. The requests usually seem perfectly within reason, and so people naturally let down their guard. Once that initial trust is established, hackers may use that newfound connection to ask more invasive questions, which the victim may not initially recognize as such. It’s a delicate con, and by the time the target realizes what has happened, it’s often too late. The victim may also fear for their job, feel used and humiliated, and may delay alerting others of a potential breach of security.
Spear phishing in particular is such a personalized attack that it leaves the victim feeling immense guilt for being fooled. These attacks are especially brutal because of the repercussions they have on the person targeted.
Spear phishing is an email attack designed to look and read as though it was sent from a trusted source or from someone in a position of power. The email encourages the recipient to open an attachment or click on a link. Opening the attachment or clicking the link then delivers malware to the user's computer, or sends the user to a fake login page that harvests their credentials.
The challenge with phishing attacks is the misconception of what they look like. Even though technology grows at such a rapid pace, most people have an antiquated view of what cyberattacks look like and how they happen. Most people, especially younger people and those working in the technology industry, can quickly spot a blatantly suspicious email. They know not to click on links from anonymous senders or in messages from friends that are clearly out of character. They know to be wary of acting on certain requests without authorization, and they know to doubt offers that are too good to be true. They know a bank won't email asking them to reset their password, and they know someone higher up won't ask them to disclose sensitive information over email.
Most people are heavily unprepared when it comes to protecting themselves from more advanced forms of phishing. Spear phishing is so psychological and so personalized, that even the most rational and level headed person can fall victim. After all, no one wants to immediately assume the worst. And certainly no one wants to come off as rude and unaccommodating.
And while most people know to watch out for malicious email, phishing also happens over the phone (vishing), in person, and now by SMS text message (smishing) and social media.
Spyware is unwanted, malicious software that infiltrates your computer or device to steal data and sensitive information and to monitor your online activity. Without your knowledge, spyware can gather your personal information, including every keystroke you type, and relay it to advertisers, data firms or remote attackers.
History of Phishing Attacks and Ransomware
Phishing was the term given to scams that used email to "fish" for passwords and other sensitive data. It has since become the umbrella term for all attacks that use the same strategy, whatever the channel. The first instances of phishing date to the early 1990s, when a group of hackers and scammers used an algorithm to generate plausible credit card numbers in order to open fake AOL (America Online) accounts and target other users. (Source)
AOL put an end to this early form of phishing in 1995 by tightening its account verification. Attackers then began targeting victims directly through AOL's messaging service and email, and this form of phishing is the one that has endured.
Another early tactic, now known as typosquatting, was luring victims to malicious websites by registering domain names that closely resemble those of popular sites, for instance common misspellings of Google, Facebook, or Yahoo. When people mistyped one of those URLs they landed on a malicious site that infected their computer with a virus, often bombarding them with pop-ups.
Ransomware has been an ongoing problem since 2005, but 2013 was the year its harmful potential really escalated. CryptoLocker, which appeared in September 2013, was not the first file-encrypting malware, but it was the first to combine strong public-key encryption (so the decryption key never existed on the victim's machine) with payment in Bitcoin on a large scale. It infected computers through downloads from malicious websites and phishing emails, and this trojan is believed to have extorted over $3 million from victims.
Changes in Ransomware Over Time
Hackers and spammers continue to get more sophisticated as technology advances and security systems become stronger. They often seem to be one step ahead: whenever businesses adopt a new platform, attackers are already there targeting its early users. On the rise right now are attacks over social media and smartphones. New technology always has a learning curve, and hackers have become especially good at exploiting it.
A cyber breach is a term that broadly covers any unauthorized entry into IT systems. Breaches happen when technically sophisticated operators meet unknown or unpatched vulnerabilities in the technologies deployed on a company's network.
Examples of Ransomware Attacks in Canada
In July 2017, a major Canadian company was forced to pay $425,000 in Bitcoin to restore its computer systems after a crippling ransomware attack that encrypted not only its production databases but its backups as well. Because the ransomware reached the backups, the company faced a choice between losing all of its data and paying. It is believed to be the largest ransomware payment in Canada to date.
The attack was very sophisticated. It started with spear phishing aimed at six senior company officials, each of whom was sent a malicious PDF attachment. Two of the officials received messages that appeared to be invoices from a courier company, while the other four received emails asking them to open and print a document. Both the supposed invoices and the attached documents contained malware.
A subsequent forensic analysis uncovered vulnerabilities in outdated, unpatched database systems in the company's Windows environment. Although not all details of this attack are public, the attackers are thought to have spent months inside the network locating the confidential data in preparation for the attack. That dwell time is typical of targeted ransomware: encryption is the last step, after the intruders have found the data and the backups that would otherwise let the victim recover without paying.
Another well-known Canadian example occurred in October 2018. The target was Recipe Unlimited, formerly Cara Operations, the company that owns a range of popular restaurant chains including Swiss Chalet, Harvey's, Milestones, Kelseys, Montana's, Bier Markt, and East Side Mario's. The attack crashed the computers at a number of locations at the same time, and a ransom note appeared as a 'read me' file that opened in WordPad. The note told the company that there was a significant hole in the security of its systems and that the hackers had easily penetrated its network. They claimed to have encrypted the company's files "with the strongest military algorithms" and demanded an unspecified, daily increasing amount in Bitcoin to restore the data. Publicly, Recipe Unlimited denied that it was being held to ransom, saying it had sufficient data security measures in place and kept regular backups. It is known, however, that many of its restaurants (up to 1,400) had to close for a period of time, and those that stayed open could not process credit or debit card payments or accept online orders, so the company clearly suffered financial losses. (Source)
In an eye-popping example from outside Canada, Nayana, a South Korean web hosting company, reportedly paid approximately US$1 million in June 2017 after it was hit by Erebus ransomware, which encrypted its Linux web servers. The payment was negotiated down from a $4 million demand and is believed to be the largest publicly reported ransomware payment in the world. (Source)
Even government isn't immune. On September 1, 2018, the Town of Midland in central Ontario lost access to its computer systems when ransomware took them over after what appeared to be a phishing email aimed at one employee. The attack disrupted the town's financial processing system, halting debit and credit payments from local residents. The attackers demanded a Bitcoin payment, which Midland reluctantly agreed to make, though the amount was not made public. This came just months after a similar attack on another Ontario town: Wasaga Beach was hit with a phishing-borne ransomware attack that locked access to municipal data for several weeks. The town eventually paid $144,000 in Bitcoin, and the incident ended up costing it more than $250,000 in total. (Source)
The attacks led the Ontario Provincial Police to warn local governments about the prevalence of phishing attacks and to urge towns not to give in to hackers' demands. The OPP argues that paying only escalates the problem and advised local governments and businesses to call police when faced with these attacks, while acknowledging that meeting the demands is often the quickest remedy. (Source)
Types of Ransomware
Ransomware comes in two broad forms. Locker ransomware locks the user out of the device or operating system, usually with a full-screen ransom demand, but generally leaves the files themselves untouched. Crypto ransomware instead encrypts selected file types, such as Word documents, PDFs and image files, and leaves the system usable so the victim can read the ransom note and pay. Some examples include the following:
- CryptoWall is a trojan that encrypts files on the targeted computer and demands payment for the key.
- Locky, ranked at the time as one of the top three most prevalent forms of malware. It was the variant that encrypted the network of Hollywood Presbyterian Medical Center in Los Angeles in February 2016 and took services offline until a $17,000 payment was made.
- Nivdort was designed to steal information from victims, predominantly online shopping and bank account data, but it has also been known to install other malware, including ransomware, on infected PCs.
- Jigsaw encrypts files and then deletes them in growing batches the longer the victim waits to pay.
- Crysis (also known as Dharma), which is especially difficult to contain because it encrypts files on every drive it can reach: fixed, removable and network drives alike.
- GoldenEye, the name some vendors gave to the June 2017 NotPetya outbreak, did not aim for a payout but sought to destroy data outright, even though it displayed a ransom note.
- Bad Rabbit (October 2017) was a "drive-by" attack delivered as a fake Adobe Flash update from compromised websites; it was initially seen mostly in Russia and Ukraine.
Crypto ransomware and locker ransomware are the two most common types of ransomware.
Crypto ransomware holds your files hostage in exchange for a payout. It encrypts files on the targeted computer, scrambling their contents, and demands payment for the decryption key that releases them. It usually arrives by email, as an attachment or as a link to a file the recipient is asked to open. Attackers expect their targets to be wary of links to websites embedded in emails, but most people do not realize the danger in opening links to "documents." Attackers now send links to files ending in .doc or .zip that infect the computer in the same way those "obvious" malicious links do, typically through an Office macro the user is asked to enable, or an executable or script hidden inside the archive.
Locker ransomware takes the same extortion approach, but instead of scrambling the files it locks the user out of the device or session altogether and demands a ransom to unlock it. Because the files themselves are usually left intact, locker infections are often easier to recover from than crypto infections.
Initially, ransomware sought high-profile victims like hospitals, corporations, public schools and police departments. Now it has also found its way onto home computers. A recent report by Symantec indicates that ransomware infections increased steadily year over year from 2013, reaching a record high of 1,271 detections per day in 2016. Detections remained elevated in 2017, at approximately 1,242 per day on average. (Source)
Cybercriminals adjust the size of their ransom demand to the type of victim, asking larger enterprises for significantly more money than they ask of consumers. According to Symantec, competition among criminals drove ransom demands to home users steadily upward until 2016. In 2017 the ransomware market corrected, with fewer new ransomware families and lower demands: attackers refined their business model and appeared to find the amount non-corporate victims were willing to pay. The average ransom demand in 2017 was $522, less than half of the 2016 figure of $1,070 and up from $294 in 2015.
People often imagine cybercriminals as lone individuals. In fact cybercrime is a highly distributed, professional, commercial big business. Common myths include:
- Hackers or Cybercriminals Play a Short Game
- Cybercriminals are Just Average People
- One Person is Responsible
How is ransomware distributed?
Ransomware is generally delivered via phishing emails, malvertising or exploit kits. Phishing emails, often spoofing a known contact, carry malicious attachments (password-protected .zip files, .doc or .pdf files) that contain the ransomware or a downloader for it, or links that direct the user to a compromised web page. The payload is a trojan disguised as a legitimate file, and the recipient is tricked into downloading or opening it through social engineering. Malvertising injects malware-laden advertisements into legitimate online advertising networks, so the attack spreads across reputable websites without those sites themselves being compromised. Exploit kits are hosted on malicious or compromised web pages and probe the visiting browser and its plugins for unpatched vulnerabilities; once one is found, the kit delivers the ransomware to the computer without any click. Once the ransomware runs, it encrypts all targeted data files on the PC itself as well as on any network shares the PC (and the logged-in user) can reach.
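The attachment checks implied by the paragraph above, as an added example (not code from this page or from CITI); it also illustrates the mail-filtering advice in the protection list later on. A small inbound-gateway policy parses a raw email, walks its attachments and flags the delivery tricks just described: a blocked executable type, a double extension such as invoice.pdf.exe, a legacy OLE Office file that can hide macros, a macro project inside an OOXML document, an executable inside a .zip, and a password-protected archive that cannot be scanned. The extension lists are one reasonable policy rather than a standard, and the three sample messages are constructed here with fictitious addresses.

```python
"""Inbound mail attachment policy: flag the ransomware delivery tricks described above."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types an inbound gateway should never pass through from outside (one reasonable policy).
BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe", ".wsf",
               ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".iso", ".img", ".jar"}
# Legacy binary Office formats: macros can be embedded and are not visible from the file name.
LEGACY_OFFICE_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps"}
# Harmless-looking extensions used as a decoy in "invoice.pdf.exe"-style names.
DECOY_EXT = {"pdf", "doc", "docx", "txt", "jpg", "png"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header of legacy Office documents


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_attachment(filename, data):
    """Return the list of policy findings for one attachment (empty list means clean)."""
    findings = []
    name = filename.lower()
    ext = _ext(name)
    parts = name.split(".")
    if ext in BLOCKED_EXT:
        findings.append(f"{filename}: blocked attachment type {ext}")
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        findings.append(f"{filename}: double extension hides real type {ext}")
    if ext in LEGACY_OFFICE_EXT or data.startswith(OLE_MAGIC):
        findings.append(f"{filename}: legacy OLE Office file, may carry VBA macros")
    if zipfile.is_zipfile(io.BytesIO(data)):          # a .zip, and every OOXML document, is a zip
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = info.filename.lower()
                if inner.endswith("vbaproject.bin"):
                    findings.append(f"{filename}: Office document contains a VBA macro project")
                if _ext(inner) in BLOCKED_EXT:
                    findings.append(f"{filename}: archive contains executable {info.filename}")
                if info.flag_bits & 0x1:               # encrypted entry: content cannot be scanned
                    findings.append(f"{filename}: password-protected archive, contents cannot be scanned")
    return findings


def inspect_message(raw):
    """Parse a raw RFC 5322 message and decide whether the gateway delivers or quarantines it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(part.get_filename() or "unnamed", data))
    return {"action": "quarantine" if findings else "deliver", "findings": findings}


# --- constructed sample messages (fictitious addresses, not real mail) -------------------
def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _message(filename, data):
    m = EmailMessage()
    m["From"] = "accounts@courier.example"
    m["To"] = "cfo@victim.example"
    m["Subject"] = "Invoice attached"
    m.set_content("Please open the attached invoice.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


# A .docm is an OOXML zip; the macro project lives at word/vbaProject.bin.
MACRO_DOC = _message("invoice.docm", _zip_bytes({
    "[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"\x00"}))
EXE_IN_ZIP = _message("scan.zip", _zip_bytes({"scan_2018.pdf.exe": b"MZ\x90\x00"}))
CLEAN_PDF = _message("invoice.pdf", b"%PDF-1.4\n%%EOF\n")

if __name__ == "__main__":
    for label, raw in [("clean pdf", CLEAN_PDF), ("macro doc", MACRO_DOC), ("exe in zip", EXE_IN_ZIP)]:
        print(label, inspect_message(raw))
```

The macro and archive checks look inside the file rather than trusting its name, which is what defeats the ".doc or .zip" links the page describes: a document that carries a vbaProject.bin is quarantined no matter how legitimate the sender looks, and an archive the gateway cannot open is treated as a finding in its own right rather than being waved through.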
Top 19 Ways to Protect Yourself from Ransomware
The best protection against ransomware is awareness of the threat and proactive preparation. Most of the attacks that have taken place have been linked to poor security practices by employees. And because ransomware arrives by several routes, no single control is enough: use multiple layers of protection.
- Maintain a strong firewall and only use anti-virus software from a reputable company. There are many forms of malware masquerading as anti-virus software.
- New ransomware variants appear on a regular basis. Always keep your security software up to date to help protect against new variations of ransomware.
- Back up your data. Backing up important data is the single most effective way of combating ransomware infection. Having a backup copy of all of your data reduces the leverage hackers have over their victims. If the victim has backup copies, they can restore their files once the infection has been cleaned up.
- Ensure that backups are properly protected: kept offline, or on storage the primary system cannot write to, so that ransomware running with a user's privileges cannot encrypt, damage or delete them. Test a restore regularly; a backup that has never been restored is an assumption, not a safeguard.
- Patch, patch, patch. Always keep your operating system and other software updated. Hackers often target known vulnerabilities in popular software, and software updates frequently include patches for newly discovered security vulnerabilities. Don't make do with default configurations. Take the time to disable any features you don't need.
- Use content scanning and filtering on all your mail servers. All inbound email should be scanned for known threats, and attachment types that pose a threat (executables, scripts, and macro-enabled Office files) should be blocked.
- Monitor and restrict outbound connections. After malware gains a foothold it usually calls home for further instructions, and many ransomware families contact the attacker's server to obtain or register their encryption key. If you can block that initial outbound connection, you may stop the attack before encryption starts; a default-deny outbound policy on servers, with denied connections logged, does exactly that.
- Run ransomware awareness programs within your organization. Education about the threat and general security awareness will greatly reduce the possibility of infection.
- Be hyper-vigilant of unexpected emails, especially if they contain links or attachments. Remember that these are sophisticated operations and a lot of effort is put into making the email look legitimate and needing attention. Be particularly wary of any Microsoft Office email attachments that advise you to enable macros to view its content. As a general rule do not enable macros without further investigation. It is safer to immediately delete the email.
- Never provide personal information when answering an unsolicited email, phone call, text message or instant message. Phishers will try to trick people into installing malware or gain intelligence for attacks by claiming to be from your IT department or another IT source. Contact IT support services if you receive suspicious calls.
- Using cloud services for backups could help mitigate ransomware damage, since many retain previous versions of files, allowing you to access the unencrypted form.
- Have a third party undertake a full penetration test of your systems to look for vulnerabilities.
- Never open odd attachments or links. Resist the urge to click.
- If you know the sender of an email but something seems odd, confirm with them via a separate email or phone call before you open the attachment.
- If you see something from your own IT department or finance that asks you to update a password, confirm with the department that it is official correspondence.
- Avoid keeping the only copy of critical information on your workstation; store it where it is backed up and access-controlled.
- Consider employing security information and event management (SIEM) software, which collects system, application and activity logs, correlates them and flags unusual behaviour, for example one account renaming hundreds of files on a share within minutes. Hackers almost always leave a trace.
- Do an up-to-date asset inventory to determine precisely what devices are legitimately connected to public and private clouds.
- If traveling, alert your IT department beforehand. Make sure you use a trustworthy Virtual Private Network (VPN) when accessing public wifi.
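The outbound monitoring recommended in the list above, as an added example (not the page's or CITI's own tooling): a beacon detector run over constructed proxy log lines. Malware calling home tends to poll its server at a fixed interval with near-identical request sizes, while a person browsing produces irregular gaps and sizes, so the check groups connections by source and destination and flags pairs whose interval and size jitter (standard deviation divided by mean) both stay below a threshold. The log format, the thresholds and the destinations are assumptions made for the example; 203.0.113.77 is a documentation address, not a real attacker.

```python
"""Beacon detection: find internal hosts calling out to one destination on a fixed rhythm."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic). Assumed format for this example:
#   <ISO time> src=<internal ip> dst=<destination> bytes=<bytes sent>
# 10.0.5.23 polls 203.0.113.77 every ~60 s with ~310-byte requests; 10.0.5.41 is a person reading news.
SAMPLE_LOG = """\
2018-10-01T10:00:00Z src=10.0.5.23 dst=updates.vendor.example bytes=51200
2018-10-01T10:00:07Z src=10.0.5.23 dst=mail.example bytes=2048
2018-10-01T10:01:00Z src=10.0.5.23 dst=203.0.113.77 bytes=312
2018-10-01T10:00:30Z src=10.0.5.41 dst=news.example bytes=88000
2018-10-01T10:02:00Z src=10.0.5.23 dst=203.0.113.77 bytes=305
2018-10-01T10:03:01Z src=10.0.5.23 dst=203.0.113.77 bytes=310
2018-10-01T10:03:12Z src=10.0.5.41 dst=news.example bytes=120000
2018-10-01T10:04:00Z src=10.0.5.23 dst=203.0.113.77 bytes=308
2018-10-01T10:04:59Z src=10.0.5.23 dst=203.0.113.77 bytes=311
2018-10-01T10:06:00Z src=10.0.5.23 dst=203.0.113.77 bytes=309
2018-10-01T10:09:45Z src=10.0.5.41 dst=news.example bytes=64000
2018-10-01T10:25:02Z src=10.0.5.41 dst=news.example bytes=91000
2018-10-01T10:31:40Z src=10.0.5.41 dst=news.example bytes=70000
2018-10-01T10:40:00Z src=10.0.5.41 dst=news.example bytes=56000
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def parse_log(lines):
    """Group (timestamp, bytes) per (src, dst) pair, sorted by time."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            flows[(m["src"], m["dst"])].append((ts, int(m["bytes"])))
    for events in flows.values():
        events.sort()
    return flows


def _jitter(values):
    """Coefficient of variation: 0 means perfectly regular, larger means more irregular."""
    avg = mean(values)
    return pstdev(values) / avg if avg else 0.0


def find_beacons(lines, min_events=5, max_gap_jitter=0.15, max_size_jitter=0.2):
    """Flag (src, dst) pairs whose connection intervals and sizes are suspiciously regular."""
    beacons = []
    for (src, dst), events in parse_log(lines).items():
        if len(events) < min_events:
            continue                      # too few samples to judge regularity
        gaps = [(later[0] - earlier[0]).total_seconds() for earlier, later in zip(events, events[1:])]
        sizes = [size for _, size in events]
        gap_jitter, size_jitter = _jitter(gaps), _jitter(sizes)
        if gap_jitter <= max_gap_jitter and size_jitter <= max_size_jitter:
            beacons.append({"src": src, "dst": dst, "events": len(events),
                            "interval_s": round(mean(gaps), 1), "gap_jitter": round(gap_jitter, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"possible beacon: {b['src']} -> {b['dst']} every {b['interval_s']}s ({b['events']} hits)")
```

Legitimate software also polls on a schedule (update checkers, monitoring agents), so in production the destinations this flags are compared against an allowlist of known services before anyone acts on them; the value of the rule is that a newly seen destination with a machine-like rhythm is exactly the "dial home" the tip above says to block.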
Lastly, do not pay the ransom. It only encourages and funds the attackers. Even if the ransom is paid, there is no guarantee that you will be able to regain access to your data.
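The kind of rule the SIEM tip in the list above would carry, as an added example (not code from this page or from CITI): three detections run over constructed file-server audit lines. They catch a burst of renames to an extension the business never uses, a newly created file whose name reads like a ransom note, and any touch of a honeypot ("canary") folder that no legitimate process writes to. The log format, the 60-second window, the five-rename threshold and the /.canary/ directory are all assumptions made for the example.

```python
"""Ransomware behaviour rules over file-server audit events, the kind of logic a SIEM would run."""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-server audit lines (not real logs). Assumed format for this example:
#   <ISO time> host=<server> user=<account> op=<CREATE|WRITE|RENAME> path=<path> [new=<new path>]
# jdoe does ordinary work; rmiller's account is running ransomware against the finance share.
SAMPLE_LOG = """\
2018-10-01T09:12:00Z host=FS01 user=jdoe op=WRITE path=/finance/q3_draft.docx
2018-10-01T09:12:05Z host=FS01 user=jdoe op=RENAME path=/finance/q3_draft.docx new=/finance/q3_final.docx
2018-10-01T09:12:09Z host=FS01 user=jdoe op=RENAME path=/finance/report.xlsx new=/finance/report_v2.xlsx
2018-10-01T09:14:00Z host=FS01 user=rmiller op=RENAME path=/finance/2017_budget.xlsx new=/finance/2017_budget.xlsx.locked
2018-10-01T09:14:01Z host=FS01 user=rmiller op=RENAME path=/finance/ap_ledger.xlsx new=/finance/ap_ledger.xlsx.locked
2018-10-01T09:14:02Z host=FS01 user=rmiller op=RENAME path=/finance/payroll.docx new=/finance/payroll.docx.locked
2018-10-01T09:14:03Z host=FS01 user=rmiller op=RENAME path=/finance/vendors.pdf new=/finance/vendors.pdf.locked
2018-10-01T09:14:04Z host=FS01 user=rmiller op=RENAME path=/finance/taxes.xlsx new=/finance/taxes.xlsx.locked
2018-10-01T09:14:05Z host=FS01 user=rmiller op=RENAME path=/finance/.canary/master_budget.xlsx new=/finance/.canary/master_budget.xlsx.locked
2018-10-01T09:14:06Z host=FS01 user=rmiller op=CREATE path=/finance/HOW_TO_DECRYPT_FILES.txt
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$")
# Extensions users legitimately rename between; a rename to anything else counts as suspicious.
KNOWN_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".csv",
             ".jpg", ".png", ".zip"}
RANSOM_NOTE_RE = re.compile(r"(decrypt|recover|restore|ransom|how[_ -]?to)", re.I)
CANARY_DIR = "/.canary/"   # assumed honeypot folder that no legitimate user or process touches


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def _ext(path):
    return os.path.splitext(path)[1].lower()


def detect(lines, window=timedelta(seconds=60), threshold=5):
    """Run the three rules over the lines and return the alerts raised, in order."""
    alerts = []
    renames = defaultdict(deque)   # (host, user) -> timestamps of renames to a foreign extension
    alerted = set()                # keys that already raised a mass-rename alert
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key, ts, base = (ev["host"], ev["user"]), ev["ts"], os.path.basename(ev["path"])
        # Rule 1: burst of renames to an extension nobody in the business uses (bulk encryption).
        if ev["op"] == "RENAME" and ev["new"]:
            new_ext = _ext(ev["new"])
            if new_ext and new_ext != _ext(ev["path"]) and new_ext not in KNOWN_EXT:
                q = renames[key]
                q.append(ts)
                while ts - q[0] > window:          # drop events that fell out of the sliding window
                    q.popleft()
                if len(q) >= threshold and key not in alerted:
                    alerted.add(key)
                    alerts.append({"rule": "mass-rename", "host": ev["host"], "user": ev["user"], "ts": ts,
                                   "detail": f"{len(q)} renames to {new_ext} within {int(window.total_seconds())}s"})
        # Rule 2: a freshly created text/HTML file whose name reads like a ransom note.
        if ev["op"] == "CREATE" and _ext(base) in {".txt", ".html", ".hta"} and RANSOM_NOTE_RE.search(base):
            alerts.append({"rule": "ransom-note", "host": ev["host"], "user": ev["user"], "ts": ts,
                           "detail": f"created {ev['path']}"})
        # Rule 3: anything touching the canary folder, which legitimate activity never does.
        if CANARY_DIR in ev["path"] or (ev["new"] and CANARY_DIR in ev["new"]):
            alerts.append({"rule": "canary-touched", "host": ev["host"], "user": ev["user"], "ts": ts,
                           "detail": f"{ev['op']} on {ev['path']}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["ts"].isoformat(), a["rule"], a["host"], a["user"], a["detail"])
```

The mass-rename rule is the one worth wiring to an automatic response, such as disabling the account and dropping its file-share sessions, because by the time a ransom note appears most of the share is already encrypted; the canary and ransom-note rules are there to confirm what is happening and to catch strains that do not change extensions.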
We're here to help!
Moving to the Cloud
Is your company looking to move IT operations and assets to the cloud smoothly and without disruption? We'll move you to the right cloud. CITI’s cloud migration specialists have extensive experience helping businesses eliminate premises networks with minimal disruption and cost. Considering moving to the cloud? Find out if the cloud is right for your company.
Is your management team asking about your IT security policies and practices? Are you worried about a cybersecurity breach? CITI’s comprehensive IT security services provide all the information your company needs to deal with current and future security situations and concerns. Learn about your IT security. Register for a free cybersecurity session.
There is another way to manage your IT that doesn't require you to call your IT firm. Managed IT services offer proactive care, support, monitoring and maintenance of your computer systems for a fixed monthly fee. Process-driven, less involvement, more predictable cost. Yes, Virginia, there is a way to keep your IT running smoothly that does not require you to make a call.
Are you concerned about minimizing IT maintenance costs? Perhaps you’re techno savvy. Or maybe you only need an IT firm for complex IT situations. CITI can provide exactly the volume of IT services that you want and need from network troubleshooting to helping a user with a jammed printer. Our full range of services are available on a per incident basis.
Are power outages the stuff of your nightmares? The only way to deal with a severe interruption to business operations is to plan for it. Beginning with a disaster recovery plan and continuing through implementing and maintaining failsafe, foolproof, rock-solid offsite backups, CITI has helped hundreds of companies protect their most valuable asset, their data and systems.
Uncertain if your company should move to the cloud? Do you have doubts about the best way to back up your data? Looking for ways to minimize your vulnerability to IT security breaches? Perhaps you’re looking for help with your annual IT budget. CITI’s IT advisory services help businesses make informed strategic and tactical decisions on information technology.