Canadian energy, health, manufacturing sectors were major targets of ransomware attacks: cyber spy agency
2021 ransomware trend report released by Communications Security Establishment, a cyber intelligence agency
As part of a new awareness campaign, the Communications Security Establishment (CSE), Canada's foreign signals intelligence agency, released a ransomware bulletin Monday looking at the key trends of ransomware in 2021.
In its report, CSE's Cyber Centre said ransomware attacks are "brazen, sophisticated, increasing in frequency, and, for the cybercriminals, very profitable.
"The impact of ransomware can be devastating, and the severity of the financial consequences related to a ransomware attack can be profound."
For the first time, the agency also confirmed publicly Monday that it has used its new cyber attack powers, granted to it through legislation back in 2019.
"The Communications Security Establishment Act gives CSE the legal authority to conduct cyber operations to disrupt foreign-based threats to Canada, including cybercriminals," said CSE spokesperson Evan Koronewski.
"Although we cannot comment on our use of foreign cyber operations (active and defensive cyber operations) or provide operational statistics, we can confirm we have the tools we need to impose a cost on the people behind these kinds of incidents.
"We can also confirm we are using these tools for such purposes, and working together with Canadian law enforcement where appropriate against cybercrime."
Ransomware is a form of malware used by threat actors and criminals who encrypt files on a device then demand a ransom in exchange for decryption. Once successfully hacked, ransomware victims are often attacked multiple times.
CSE said it's aware of 235 ransomware incidents against Canadian victims from Jan. 1 to Nov. 16 of this year and more than half of those targets were critical infrastructure providers, including those in the energy, health and manufacturing sectors.
The number is likely higher, as the agency said most ransomware events go unreported.
"The COVID-19 pandemic has made organizations like hospitals, governments and universities more mindful of the risks tied to losing access to their networks and often feeling resigned to pay ransoms," notes the report.
"Cybercriminals have taken advantage of this situation by significantly increasing the value of their ransom demands."
Canadian hospitals hit
Newfoundland and Labrador is still reeling after a cyber attack hit its health-care system, cancelling thousands of medical procedures ranging from chemotherapy to X-rays.
Sources have told CBC the security breach is a ransomware attack, but so far government officials have not confirmed the nature of the cyberattack and will not say if they have received a ransom demand.
This summer Humber River Hospital in the Toronto area was forced to shut down its IT systems in order to prevent a ransomware attack.
Staff were unable to access electronic patient records and diagnostic test results leading to long waits in the emergency department and prompting the hospital to cancel clinics and redirect some ambulances to other hospitals.
CSE said it expects high-impact targeting to continue.
"We assess that ransomware operators will almost certainly continue to target large organizations with operational technology (OT) assets, including organizations in Canada, to try to extract ransom, steal intellectual property and proprietary business information, and obtain personal data about customers," it warned.
Canada is far from alone. This year has been marred by the highest ransoms and the biggest payouts around the world.
Earlier this year the Colonial Pipeline, the largest fuel pipeline in the U.S., was hit by an attack attributed to the Russia-based DarkSide RaaS cybercriminal group.
As a result, the company's operations were affected, resulting in record price increases, panic-buying, and gasoline shortages.
Ransomware operators will likely become increasingly aggressive: CSE
In Canada, CSE said the estimated average cost of a data breach, which includes but is not limited to ransomware, is more than $6 million. The average price has stabilized over the past years, a trend CSE attributes to cybercriminals becoming better at tailoring their demands to what their victims are most likely to pay.
Ransomware operators will likely become increasingly aggressive in their targeting in 2022, including against critical infrastructure, warned the agency.
Part of the problem fighting ransomware is that many operators and their affiliates are based in countries with lax or non-existent laws against cybercrime, said CSE.
"Mitigating the increasing risks will require concerted national efforts to improve cyber security and adopt best practices to harden critical systems, as well as co-ordinated international actions to undermine criminal infrastructure and tactics," said the report.
As part of that effort, CSE, working with the RCMP, has published what they call a "playbook" that outlines steps organizations and businesses can take to protect against ransomware, and what to do if attacked.
Organizations urged to implement cyber safety measures
A handful of cabinet ministers have signed an open letter to Canadian organizations urging them to implement basic cyber security measures.
The letter, co-signed by Defence Minister Anita Anand, Emergency Preparedness Minister Bill Blair, Public Safety Minister Marco Mendicino and International Trade Minister Mary Ng, said the federal government is working with its allies to pursue cyber threat actors and disrupt their capabilities.
"We are also assisting in the recovery of organizations compromised by ransomware and helping them to be more resilient going forward," they wrote.
"Our message is clear: taking basic steps to ensure your organization's cyber security will pay swift dividends."
Inside Saint John's response to a 'devastating' cyberattack
Records show how the city dealt with 2020 attack that cut off its network from the outside world
It was the work of cybercriminals who unleashed a ransomware attack that forced the city to disconnect itself from the rest of the online world. Saint John hired a Toronto-based company to navigate negotiations with them.
But the criminals weren't very communicative.
"Wanted to update you to let you know that the Ryuk Threat Actors have not reached out since they decrypted the sample files, on November 20th," Jason Kotler, president and CEO of a company called CYPFER (Cyber Security, Payment Facilitators, Emergency Response), wrote in an email to city lawyers and outside counsel on Nov. 26.
"Ryuk is patient and will likely not respond until we reach out again. We might hear from them within the week. Nonetheless, we will continue to monitor."
The city hasn't said much publicly about its response to the cyberattack, the after-effects of which are still affecting some of its operations a year later. More than 160 pages of records offer a peek inside the chaos that ensued after the attack, but the documents were only turned over after CBC News filed an access-to-information complaint.
The city ultimately decided not to pay a ransom, estimated by one councillor at between $17 million and $20 million worth of Bitcoin, and instead opted to rebuild its network from scratch.
It was a decision that would have serious consequences for the citizens of the foggy Atlantic port city.
Saint John's experience may offer lessons for Newfoundland and Labrador, which has been hit with a cyberattack that has wreaked havoc, cancelling medical procedures and cancer treatments.
While officials in that province have released few details about how its attack happened, last week it confirmed both employee and patient data was stolen.
Cyberattacks can take 'many years' to recover from
More than a year has passed, but the city still hasn't fully recovered from what Saint John Mayor Donna Reardon described as "a devastating attack."
As of this summer, employees in city offices still couldn't print, Reardon said, though that functionality has now returned.
That was perhaps a more benign issue compared to the city police force's struggle: it couldn't generate statistics on crime occurrences, such as the number of mental health crisis calls, nor access some police reports.
Saint John Mayor Donna Reardon says the November 2020 cyberattack was 'devastating' for the city. Council ultimately decided not to pay a ransom and rebuilt its network from scratch. (Robert Jones/CBC)
"It's taken a long time to get things back up and running, to unlock all of their tools," Reardon said.
When asked when the city is expected to be fully recovered from the attack, a city spokesperson didn't provide an exact timeframe, saying recovery from cyberattacks can take "many years."
"Many systems that were in place prior to the attack are operational," city spokesperson Lisa Caissie wrote in an emailed statement.
"The city continues to collaborate with all service areas, including the Saint John Police Force, on priorities for restoration. Remaining work relates mostly to automation for efficiency."
The city has spent nearly $3 million recovering from the attack, though that number may increase since the process isn't complete. All but $400,000 spent so far is estimated to be recovered through insurance.
Network breached two weeks before ransomware attack
The problems began on Oct. 28, 2020, when the city's network was breached through a phishing email, councillors learned at a briefing on Nov. 16, 2020. A virus attack hit the city's systems a few days later, on Nov. 3 and 4.
On Nov. 13, 2020, around 9 p.m., the city discovered a ransomware attack was underway. One record describes the attack as being triggered through an Excel file. The federal government's Canadian Centre for Cyber Security (CCCS) describes ransomware as "a type of malware that ultimately denies a user's access to files or systems until a sum of money is paid."
In the early hours after the attack was discovered, records show the city disconnected "all information technology infrastructure and devices" to try and contain it.
"The end result of this action was all network services across the municipality are currently shut down, including email and computer aided dispatch to name only two," according to a security event report issued by New Brunswick's Office of the Provincial Security Advisor early on.
An hour after the attack was discovered, the city's Public Safety Answering Point, its emergency call centre, lost connectivity, including access to "their computer aided emergency services dispatch system and mapping tools." A contingency plan saw 911 calls rerouted through Fredericton.
"The City of Saint John does not yet know how bad the damage is, that work continues," a security event report says.
Records from the City of Saint John detail how the city responded to a cyberattack and how they strategized around ransom. (Kacper Pempel/Reuters)
The records don't indicate when the city became aware of the ransom request or realized it was a Ryuk attack.
The CCCS says Ryuk is "a ransomware variant known to target large enterprises, hospitals and critical infrastructure and demand extremely large ransoms."
Active since August 2018, the report says Ryuk "is affiliated with multiple Russian-speaking cybercriminals."
Attack group not interested in selling info on dark web, briefing said
According to minutes from a briefing councillors received from Saint John city manager John Collin on Nov. 16, 2020, Ryuk was described as "a Russian Mafia group that are ransom oriented and will provide de-encryption codes if paid."
But they are not interested in "personally identifiable information" to sell on the dark web, the minutes say.
"Most finance files are not touched. The city is safe, 911 calls are re-routed through Fredericton. The restoration plans are underway to re-establish the network."
The update says councillors were told not to discuss the attack, and to refer requests to the city's communications director.
It also says money would be available "at the federal and provincial level to rebuild rather than pay ransom," though the city has not received any funding from the provincial or federal governments to date.
Thousands of hours of work lost
By Nov. 20, 2020 CYPFER had created a negotiation strategic plan that spelled out how Saint John would negotiate with the cybercriminals who were looking for payment. The details of that strategy are redacted in the copy provided to CBC News.
More than a week after the attack began, the records suggest the city still wasn't entirely sure what information could be at risk.
"I would suggest that they haven't shown us anything that speaks to the sensitivity of the data they may have," Stephanie Rackley-Roach, the city's chief information officer, wrote in an email on Nov. 22, 2020, parts of which were redacted.
The attack also affected the provincial court system, though exactly how is unclear. (Steve P. Mackin)
In an update to council the next day, the city manager described how the city was slowly rebuilding from scratch, saying "progress restoring the network destruction is slow and deliberate."
Most city services were continuing as usual, Collin said, including waste management, water and sewer services.
But according to a Nov. 25, 2020, briefing to the provincial government, thousands of hours of work had been lost on servers and devices.
Keeping secrets
One year later, it's not clear what systems or capabilities the city still doesn't have back.
For the last year, the Saint John Police Force has been unable to answer access to information requests that ask for crime data and police reports, but Caissie, a spokesperson with the city, suggested this functionality has recently returned.
"As of this week, we can confirm that the Saint John Police Force has been provided with the capability to run a number of reports," Caissie said.
Saint John hasn't provided a timeline of how long it will take to fully recover from the cyberattack, which hit the city in November 2020. (Julia Wright/CBC file photo)
The attack also impacted provincial court proceedings, but the province hasn't tracked how many might have been delayed. The provincial government referred questions about that to the police, which referred questions to the province.
"Anecdotally we are aware that there were changes including the providing of disclosure documents," Department of Justice spokesperson Geoffrey Downey wrote in an email.
The city initially refused to provide most of its records about the cyberattack, citing a number of exemptions in the province's access to information legislation. But additional records were turned over earlier this year, following CBC's access-to-information complaint.
The Saint John Police Force is still investigating the cyberattack, according to spokesperson Jim Hennessy, but no update on whether any progress has been made was offered.
The agency consulted with the RCMP, but the RCMP has never initiated an investigation into the attack, a spokesperson for the Mounties confirmed.
Lessons for Newfoundland and Labrador
While Caissie confirmed a forensic report found no direct evidence of data theft, the attack on Newfoundland and Labrador's health care system has compromised patient data, the province confirmed, on top of delaying life-saving treatment. Caissie said the city has not received a request to provide advice to its Atlantic counterpart.
But if there's one thing Newfoundland and Labrador can learn from Saint John's experience, it's to not pay ransom should the province be asked, according to Dima Alhadidi, who has spent years researching topics such as data privacy.
"Regardless of the consequences, we should not pay," said Alhadidi, who is an assistant professor of computer science at the University of Windsor in Ontario.
"Because if we pay, this will motivate them to target other victims and we will end up having the same problems."
The decision not to pay a ransom was made by Saint John council, and the city's mayor believes it was the right one.
"Even if you decide you had the money and you pay for it, is there any guarantee you're actually going to get everything back? I mean, you're dealing with criminals," Reardon said.
Alhadidi also believes that governments hit by cyberattacks should be open with the public about the attack and what led to it to help protect other public agencies.
She would also like to see mandatory training for all employees about how to deal with suspicious emails, and for all agencies to have a contingency plan on what to do should they be hit with a cyberattack.
https://www.cbc.ca/news/canada/new-brunswick/update-saint-john-cyberattack-1.5819977
Experts 'working around the clock' to restore services, Saint John says in cyber attack update
Virtual services still offline, no evidence yet that personal information was stolen
CBC News · Posted: Nov 27, 2020 7:58 PM AT
Saint John city manager John Collin says he expects 'a full recovery' of online city services in the coming weeks. (Connell Smith, CBC file photo)
Two weeks after being hit by a cyber attack, the City of Saint John says a team of experts is "working around the clock" to restore its network and virtual services.
In a news release Friday evening, two weeks to the day after the city was targeted by ransomware, city manager John Collin said most of its information technology systems and overall network are still offline.
Taking the systems offline was an "immediate and proactive" response to contain the virus, Collin said.
"Our network will be back online only once we are sure that it is safe to do so," he said. "I have been impressed with the dedication and professionalism of the team, and have full confidence that the city will recover in the coming weeks."
There is still no confirmation that personal information was accessed in the attack, but the city is working on getting a conclusive answer, the release noted.
"As soon as we know more, we will notify the community immediately," the release stated, once again advising people to check their bank accounts and credit card statements for any unusual activity.
The City of Saint John was targeted by a cyberattack late Friday, Nov. 13. (Julia Wright/CBC file photo)
Most city services are fully operational, including police and fire response, road and sidewalk maintenance, garbage and compost collection, bill and parking ticket payment, the customer service main line and more.
The following services are temporarily unavailable:
- City of Saint John full website. A temporary website is available at www.saintjohn.ca
- Some departmental phone lines
- Email to most city hall employees
- Online payments (bank and in-person cash or cheque payments are accepted)
Other bill and ticket payment options are available and include:
- Saint John Water can be paid at the customer's bank, through pre-authorized payments, or in-person by cheque or cash at the Customer Service Centre on the 1st floor of City Hall.
- Parking tickets can be paid in-person by cheque or cash at the customer service centre on the first floor of City Hall. Customers must present their ticket when paying in person.
- On-street and monthly parking payments can be made at parking meter machines or through the HotSpot parking application. The application is hosted by a third-party vendor. Cheque or cash payments for monthly parking can be made in-person at the customer service centre.
Trust that Higgy the Gold Wing Road Warrior and all his lawyer pals know why I have been going at it tooth and nail with my former friends in the RCMP many years before you were even a twinkle in your Fat Daddy's eye N'esy Pas?
Yea Right
Methinks you should review your own words and then ask your fans who is the narcissist in this spit and chew.
Everybody who bothers to read your words and mine understands that political science ain't rocket science in NB. It's been blatantly obvious you are just a noname kid who brags that he ignores the rules of this forum and uses several IDs to spread his bs. Trust that I would not be one bit surprised to find out that your Fat Daddy got you a cushy job working for the government so that you could write spin for it and attack anyone who disagrees with the powers that be. After all it is not just me whom you pick fights with N'esy Pas?
However Intelligence people know that IQ tests are just one way to measure a man and what he is capable of. Perhaps you should ask your other buddy "Ray" what the Russian Skrink in the DECH said to me when he let me go a day early and later denied he had ever encountered me and then spit from NB
Furthermore how does a 14 year old with a low IQ pass flight school in 1967 without having any books to study? Why do you think I was accepted to university and or ROPT training at the RMC in 1970 without having to write my finals in High School? How did I manage to get 99 on the math and physics matrix only because they won't give 100? Why would I go to UNB instead on my own dime?
More importantly to me is why do you nasty people make fun of my children who are far more clever than you? They have nothing to do with the battle between the Feds and I but my sister and her hubby definitely do.
Politics
Methinks the Feds should admit that I am the only one within this thread who is obeying the rules and posting in my true name they know that have paid more taxes than little "Ray" and employed people many years before he was crapping yellow in his pampers and crying like the baby he still is N'esy Pas?
I told you it's not my job. It's my job to sue the RCMP because they assisted you in your wrongs. Get it yet kid?
I am down to a mere 200 pounds. Methinks you are the one who eats too many butter tarts that Cardy laments about N'esy Pas?
February 22, 2008 - Fredericton
Regional Development Corporation
The Government of Canada and the Province of New Brunswick today announced that the construction of a new state of the art conference centre in downtown Fredericton would be considered a priority for joint funding under Building Canada, the Government of Canada's new long-term infrastructure plan. From left: Veterans Affairs Minister Greg Thompson, Norah Davidson-Wright, deputy mayor of the City of Fredericton, and Premier Shawn Graham.
Politics"
Yeahhhhh, I doubt that. I think I stick to my original theory. Much more plausible
One day people will start to hold these folks to account.
Clearly, it seems, restoring from back-up is not an option?
Your account has been banned until May 31, 2021. Reason: We have
banned this account for 6 months because we believe it is in violation
of our Terms of Use, specifically repeated personal attacks and off
topic/ uncivil comments. For more information, please visit:
http://cbc.ca/submissions.
Your account has been banned permanently. Reason: Your username is a violation of our Submission Guidelines, for more information please visit: http://www.cbc.ca/aboutcbc/discover/submissions.html. Your account has been blocked and all comments associated are no longer viewable by other users on our site. If you believe this has been done in error please contact
Methinks it's time for you to back away from the butter tarts and ask your parents to tuck you in for the night N'esy Pas?
But survival rate is not a good indicator as it is the result of what our preventative measures have led to. They would be much worse without them
Perhaps thou shalt cleanse thy plate of such nonsense and take thee physicians wares?
Farewell, Adieu and a N'esy Pas to you Sir!
A Farewell, adieu and a N'esy Pas to you!
Here is the quote
"As I have said before, the best approach is to assume that everyone may have the COVID-19 virus, and act accordingly," said Dr. Jennifer Russell, chief medical officer of health.
Plus I make 6 figures USD a year that's no excuse for me not to try to learn stuff.
Farewell, Adieu and a N'esy Pas' . You are also imagining all this.... this forum is all in your head.
They are two different viruses that share similarities.
Here are some key differences between flu and COVID-19.
COVID-19 seems to spread more easily than flu and causes more serious illnesses in SOME people. It can also take longer before people show symptoms and people can be contagious for longer.
So this is not as simple as being just 'the Flu' and the SOME people are not all seniors, but anyone with an immune-compromised system is at greater risk than the 'Flu'
Some of the under-educated will think these risk people are not taking care of themselves and neglect there are those born with conditions.
Do I agree with the measures? perhaps, perhaps not.
My personal stand on this does not prevent what's going on the same as yours unless any of you want to become Premier?
I'm just in this as everyone else is regardless.
I am not sure how many times I can write COVID Complications in these posts.
And those 2000 depending on the flow of information likely through 1 fax machine.
If you are isolating, reach out to those in your community for support. People would be so willing to lend a hand to help support those who are in isolation. I know I would gladly drop off groceries and the like if I knew of anyone near by who was isolating. Your community wants to enable you to properly isolate and have all your needs still met.
"The virus doesn't move, people move it. We stop moving, the virus stop moving. The virus dies. It's that simple."
Again, thank you for sacrificing your time and for doing your part to contain the outbreak. Hopefully only a very small percent of those in isolation actually fall ill after all is said and done.