A Richmond Hill, Ont.-based exercise equipment e-commerce site, a Montreal industrial packaging manufacturer and a Toronto cosmetics maker have something in common: Their names have appeared on ransomware groups’ websites claiming to have stolen and encrypted their data.
If these businesses want their data back, they’ll have to pay a ransom. If they don’t, ransomware groups warn the data – some of which may include personal information on employees and customers – will be publicly released.
IT World Canada isn’t identifying the companies because the attacks haven’t been confirmed. But the ransomware groups involved – Conti and Babuk – aren’t known for bluffing.
Governments around the world are becoming increasingly worried about ransomware and not necessarily because attacks are increasing. Canadian statistics are lacking because ransomware attacks are under-reported, with corporate victims reluctant to publicly acknowledge being hit.
When customers ask them for help, some cybersecurity vendors gain insights into attacks. Based on that data, vendors suggest the volume of attacks has levelled off, but ransoms are climbing.
The RCMP has confirmed that it continues to see an increase in ransomware activity. Since June 2020, the new National Cybercrime Coordination Unit (NC3) has received over 1,000 requests for assistance from law enforcement partners. Of these requests, over 30 per cent related to ransomware.
As a sign of global concern, a U.S. task force featuring the RCMP, the FBI, the Secret Service and cyber experts issued a report today calling for governments to take away the anonymity of cryptocurrencies, which ransomware and other criminal groups use to support the transfer of money from victims.
Under-reporting still a massive issue
Emsisoft issued a report estimating organizations and individuals paid $18 billion last year in ransoms. Add to that the cost of the time needed to recover from a successful attack, the possible expense of replacing hardware and software, and reputation damage.
The company said ID Ransomware, which receives scrambled files from victims hoping the encryption can be identified, received just over half a million submissions last year.
Of those, 4,257 were from Canadians, the vast majority from organizations.
Ransomware gangs demanded over $123 million from Canadian victims last year, said the report. It isn’t known how many paid or if they negotiated a lower fee.
Because of under-reporting, Emsisoft suspects the real number of attacks and ransom demands might be four times as high.
Recovery costs have increased
Sophos issued a global survey of 5,400 IT decision-makers across 30 countries. Data from respondents suggests that the average cost to victim organizations for remediating a ransomware attack more than doubled in the last 12 months, growing from an average of $761,106 in 2020 to $1.85 million in 2021 (all figures in US dollars).
The average ransom paid in the last 12 months was $170,404 – with the highest payment reaching $3.2 million. The number of organizations that paid a ransom increased from 26 per cent in 2020 to 32 per cent this year.
However, in a significant finding, only eight per cent of organizations that said they paid for decryption keys managed, for various reasons, to recover all of their data.
The federal government’s Canadian Centre for Cyber Security (CCCS) says the first modern ransomware campaign dates back to 2013. The government’s most recent warning was in the biannual National Cyber Threat Assessment issued last November, at the same time as it released a Cyber Threat Bulletin specifically on ransomware.
Yet despite seven years of warnings by cyber experts – including hardware and software suppliers used by businesses – many organizations in this country still haven’t got the message.
“We need to think about how do we encourage people to respond [to increase their cyber defences], but also to get the message out that ‘This is real, this is a threat people have been facing for a long time,’” Scott Jones, who heads the CCCS in addition to being a senior assistant deputy minister of the Defence Department, said in an interview Wednesday.
Asked why many firms don’t understand, he noted that some don’t consider themselves targets of cyber attacks, and are more worried about survival – particularly during the pandemic. Some see cybersecurity as hard, despite the free resources offered by the centre.
Most worrisome is that ransomware gangs are not only increasingly threatening organizations with the release of stolen data, but they are also widening the circle of who to pressure. The most recent examples are attempts to squeeze Apple after a ransomware gang hit Quanta Computer, one of its Taiwan-based manufacturers, and the threat by a gang to reveal police informants after compromising the Washington, D.C. Metropolitan Police Department.
“These are no longer straight attacks. They are flat-out extortion attempts in which criminals are using every bit of leverage they possibly can,” said Brett Callow, a British Columbia-based threat researcher for Emsisoft.
He noted earlier this year that as part of a successful attack a ransomware gang caught the IT director of a U.S. company regularly watching porn from his office, and used the revelation of that to try to embarrass the firm.
Chester Wisniewski, a Vancouver-based principal research scientist at Sophos, recalled speaking to a Winnipeg heating and ventilation firm that admitted it was totally unprepared for a ransomware attack. It cost the company $2.4 million in remediation.
He also warned that customer data, including credit card information, isn’t necessarily the first thing ransomware groups steal. Often they start with stealing and threatening to release sensitive employee information before hunting for corporate data. His message is that staff, corporate and customer data all have to be better protected.
As for the pay-no pay debate, Dave Masson, Canadian-based director of enterprise security for Darktrace, knows of a Canadian firm that paid but was soon hit again as word spread among criminal gangs.
Ed Dubrovsky, managing partner at Toronto-based incident response firm Cytelligence, noted a recent increase in the average size of data exfiltrated from victim systems.
“Over the past six to 12 months, threat actors have gotten bolder,” he said in an email. “And while increasing dwell time in victim systems they also tend to exfiltrate a significant amount of data from systems. On average 200GB of data is being exfiltrated, and in some cases, multiple terabytes of data are taken.”
Threat actors are also increasing their ransom demands based on the financial information they find in systems they compromise, he said. In many cases, threat actors focus specifically on financial statements, bank account information and similar elements to identify how much cash an organization has. Ransom demands are then “tailored” to a victim’s specific financial situation.
“This is not a hard crime to perpetrate,” said David Shipley, CEO of security awareness training firm Beauceron Security of Fredericton, N.B. This is in part because many firms still wonder, “Why would they target me?”
Many ransomware gangs also successfully hit one firm in an industry and then target nearby companies in the same sector.
All experts repeat this advice on what CISOs should do to lower the risk of ransomware victimization: Focus on basic cybersecurity techniques.
That means, Emsisoft’s Callow said, patch software promptly, use multifactor authentication “everywhere it can be used,” and train all employees to be cyber aware.
According to Chester Wisniewski, judging by the new Sophos survey, paying a ransom is unlikely to recover encrypted data fully.
It doesn’t save any money, he added. Victim firms will still need to rebuild their infrastructure after an attack to ensure it’s been cleansed. He also stressed technology alone isn’t the solution.
A skilled IT staff is also necessary. As with any cyber attack, having good — and separately stored — data backups is vital. So is another basic: a layered defence.
David Shipley emphasized the need for solutions and employee awareness that detect phishing, the usual way ransomware attacks start. Another is closing off remote access vulnerabilities.
But he also said governments can help by giving firms financial incentives to buy improved cybersecurity solutions. After all, he said, there’s government money for digital transformation.
“Take a very deep breath and accept it’s going to happen,” says David Masson. Focus your efforts on defence – know what valuable digital assets your organization has, where they are and who has access to them. And get good visibility into what’s happening on the network.
Scott Jones urged firms to take advantage of the free advice the Canadian Cyber Security Centre offers, particularly its Baseline Cyber Security Controls for SMBs.
He also reminded CISOs that ransomware groups aren’t using zero-day exploits but leveraging unpatched systems. Often patches are available or mitigations can be applied.
“It isn’t hopeless,” he said. “Do the basics and most attackers will move on.”