For the last 50 years, Canada has never been seen as a country likely to be attacked. Our army was dedicated to peacemaking. Even our recent support of Ukraine is unlikely to make us a target of a Russian offensive. But the new world of ransomware and cyber attacks is a new and dangerous space where Canada is increasingly vulnerable and under attack.
According to Trend Micro’s 2022 Mid-Year report, two thirds of Canadian companies are “not optimistic” about defending against ransomware in the coming year. It’s no wonder, given the other statistics in the report with regard to Canada:
- 60 per cent of organizations have been hit by a ransomware attack in the last three years
- 77 per cent of these organizations had their data encrypted
- 38 per cent of Canadian organizations had some organization within their supply chain fall victim to ransomware
- 55 per cent of supply chains have a significant portion of small and medium businesses (SMBs) – one of the most vulnerable groups, and one of those least able to defend and protect itself
According to the report, Canadian companies are being hit badly by the “steal and reveal” attacks; 66 percent have experienced data theft (exfiltration) and extortion. However, a surprisingly high number of Canadian companies have ransomware insurance and were able to file a claim as a result of an attack.
Despite paying the ransom, 60 per cent had their data leaked by the ransomware attacker.
Attack to school?
Recent trend reports have all shown that education is a key target group for ransomware. A major school board in the US took a big hit this week.
A ransomware gang that came into existence last year, the Vice Society, has been “disproportionately targeting” the education sector with ransomware attacks, according to a public advisory from the U.S. government.
On the Labour Day weekend, they attacked the Los Angeles Unified School District, the second-largest public school district in the United States. Alberto Carvalho, superintendent of the board, announced, “It does appear at this point that this incident originated beyond our borders,” though he did not name any foreign actor or country.
School districts are an exceptionally easy target. They have a widely dispersed attack surface, are often squeezed for resources, and are unlikely to attract and hold top cyber talent. They also have a veritable trove of information about something everyone considers of highest value – our children.
Distributed Denial of Service (DDoS) attacks have become a key part of the ransomware toolkit. Now it appears that these groups are weaponizing ransomware attack techniques not to extort money, but with a new tactic relating to the Russia Ukraine war.
A group referred to as Killnet has executed a massive attack on Japan, hitting government services ranging from online tax portals to transportation systems. They also attacked Mixi, a Japanese social media service. This time, the ransom is not in dollars – it’s extortion aimed at punishing Japan’s support for Ukraine.
Killnet started operation in February of 2022 according to reports from security researchers at Check Point Canada. Since that time, the group has attacked more than a dozen countries, including the US, Italy, Germany, Lithuania and Finland.
The group specializes in massive DDoS attacks on governments and major corporations, and claims they have a botnet of 4.5 million bots.
Other groups are using DDoS attacks on Russian targets. The website Bleeping Computer reported an attack on the servers used to control Cobalt Strike Beacon payloads on compromised devices. These payloads are used to move laterally and spread an attack across a wide range of devices. Many of these servers were thought to be run by the Conti ransomware gang, which was believed to have disbanded this year, but is most likely to have simply dispersed to another or any number of other gangs.
The intent of the attackers is clear. They are striking back at a group or group that they believe are supporting Russia. That was made abundantly clear with their username “Stop Russia” and changing the computer name on the various servers used to mount the attack, using names like “Stop the war!”, “15000+ dead Russian soldiers!” and “Be a Russian patriot.”
For countries like Canada and US who have been active supporters of Ukraine, there is an obvious risk. Even for those who are not in the “line of fire”, Sergey Shykevich from Check Point Software has an ominous warning:
“After the conflict, whatever the outcome, these APT groups, hacktivists and individuals are not just going to disappear. Instead, they will turn their newfound expertise and tooling toward fresh targets unleashing a tsunami of cyberattacks across the globe. We have already started to see early warning signs of this with attacks on NATO partners, as well as on those countries who have come to Ukraine’s aid, increasing in both frequency and intensity. This conflict has seen cyber activity change the face of warfare forever.”