Ransomware rising
Date: November 22, 2021Source: Computer Crime Research Center
By:
The page shows various text-based posts with accompanying dates, and in some cases links to click on, each containing files leaked from different attacks by the criminals in question.
In some cases, the attackers include a link to a chat box that can be used to communicate with them directly.
They never take long to reply, but they’re not very forthcoming with their answers.
An ominous message posted to the RMOW website after the attack claimed that 800 gigabytes of information was obtained in the April 28 attack on the RMOW.
The folder name is noteworthy.
“Publish all trash which we does not need,” the criminals say in one chat session, in stunted English.
“All other data was sold.”
Pressed on what exactly they obtained from Whistler, and what was sold, they reply simply: “We do not discuss auction details sorry.”
Experts say theres no way to say for sure if theyre telling the truth about selling Whistlerites data at auction (they are criminals, after all).
“These are criminal organizations. They don’t always tell the truth,” says Brett Callow, threat analyst with Emsisoft, a cyber security company with a particular expertise in ransomware.
“There are cases where they will claim to have more data than they actually do. There are also, however, cases where they have exactly what they claim to have, so there really is no way of knowing."
The link to the dark web site wasn’t live on the RMOW’s municipal website for long on the morning of April 28, but it was up long enough to be screenshotted and posted to two popular Facebook groups??”posts that can still be found today, link and all.
But by their own admission, the hackers??”believed to be a group known as HelloKitty??”didn’t get much uptake on their site specific to Whistler’s data.
“ah 3-5 in day… this blog is not so popular…” they admit in one back and forth.
It’s likely that most Whistlerites don’t know how to access the site on the dark web, I say.
“Do they need it? They just live,” the hacker says, getting oddly philosophical, before adding: “live with stupid government.”
In the view of the criminals, the RMOW is “stupid” for not engaging with them, and paying their ransom demand (the amount of which they declined to disclose in chat)??”but experts say that is absolutely the right move in these situations.
“[Paying the ransom] doesn’t guarantee they will get their data back, it doesn’t guarantee that the criminals will not misuse whatever data was stolen, and of course it simply incentivizes the cyber crime,” Callow says.
In a release on July 8, the RMOW confirmed it had not engaged with, or sent any payment to, the hackers.
In the days and weeks following the appearance of the RMOW’s data online, other victims follow: an investment firm, a network provider, a skincare company.
The organizations appearing on the group’s news page don’t show the complete extent of their crimes, they say??”just those who refuse to talk to them.
According to a recent survey of 510 cyber security decision-makers by the Canadian Internet Registration Authority, almost one in five organizations were victim of a successful ransomware attack in the past 12 months. Of that group, 69 per cent said they paid the ransom demands.
In June, the leak site went offline for good while the RMOW was left to deal with the fallout.
A TORPEDO TO THE HULL
The attack on Whistler did major damage.
Municipal services were taken offline immediately, and stayed down for weeks.
The municipality??”already dealing with the stress and strain of the COVID-19 pandemic for months??”was left reeling.
“We managed to keep the boat afloat [through COVID], and then we took another torpedo right into the hull,” said Councillor John Grills, in describing the attack.
Email and phone services were out of commission, leaving staff and council to communicate solely by text.
Staff at municipal hall were forced to revert to old paper processes, and an already overworked planning department was further buried as the broader Whistler community and all of its expectations for service??”carried on around it.
“When I think about the cyber attack and the pandemic, I would say the cyber attack was worse than the pandemic,” says Coun. Ralph Forsyth, who sits on the RMOW’s Technology Advisory Committee (TAC).
“Because the pandemic, it was like, OK, well everyone is experiencing this … whereas the cyber attack was like, man, it’s just us??”what are we doing? How do we get out of this?”
The answer was a complete rebuild of the municipal network “from scratch or near-scratch to ensure resiliency against known future cyber threats going forward,” the municipality said in a June 14 release.
The total cost??”both direct and indirect, as well as how much will be covered by insurance, and how much will fall to taxpayers is still not known as of this writing.
On Nov. 12, the RMOW said total costs are still being calculated, but “so far, the bulk of costs … have been covered by the RMOW’s insurance.”
A Dec. 22 presentation to the TAC “will entail an overview of the key findings by the cybersecurity experts as well as best practices and learnings to share with the member representatives going forward,” a spokesperson said.
In the June 14 release, the RMOW said, “experts leading the investigation believe that access to the RMOW’s network was the result of a zero-day vulnerability.”
Pique reported on the zero-day vulnerability (an exploit either previously unknown to the developer or known and a patch had not been developed for it yet) found in SonicWall VPN, a service used by the RMOW, on May 13.
Cyber security experts from a firm called FireEye documented the vulnerability in a blog post on April 29, noting that a patch was released to fix the problem in February.
On Nov. 12, the RMOW confirmed it installed the patch in mid February.
According to Richard Rogerson, founder and managing partner of Ontario-based cybersecurity firm Packetlabs, VPNs, or virtual private networks, have left many organizations ripe for the picking in the early days of the COVID era.
“What we’ve seen is, in the rush to work from home, we’ve left a lot of our VPNs open,” he says.
“A lot of organizations, in the rush to stay open and to enable the remote workforce, they’re leaving the door open to attackers.”
As of Nov. 12, 69 of 82 services disrupted by the attack were fully recovered, the RMOW said.
“The remaining nine services, however, primarily consist of software for which there is no current support or security updates being provided,” a spokesperson said.
“These services will need to be replaced with current software equivalents with accompanying security updates and support in order to be reestablished.”
The RMOW expects to move from “recovery” mode back to “regular operational” mode by the end of November.
A GROWING EPIDEMIC
But Whistler is not alone??”ransomware attacks have proliferated in recent years, with more municipalities, businesses, educational institutions and even hospitals falling victim every day.
According to a study by Emsisoft, ransomware caused hundreds of billions of dollars in economic damage in 2020 alone, while the average ransom demand grew by more than 80 per cent.
So far in 2021, “unfortunately, the ransomware problem isn’t going away and attacks are happening at much the same rate as ever,” Callow says on Nov. 1. “In the last couple of days, the Toronto Transit Commission has been hit and the (Newfoundland and Labrador) health system is experiencing a cyber attack which sounds very much like ransomware.”
One cybersecurity expert told CBC News that the attack on the Newfoundland and Labrador health system may be the worst in Canadian history, and has implications for national security.
The list of victims is long and growing.
A ransomware attack on the City of Saint John, N.B. in late 2020 in which the attackers reportedly asked for between $17 and $20 million worth of Bitcoin??”cost the city $2.9 million.
Insurance covered most of the costs, but taxpayers were on the hook for $400,000.
The Regional District of Okanagan-Similkameen was similarly targeted in the summer of 2020, though the district says the attempted breach caused a system crash, booting the attacker before sensitive data could be taken hostage.
(Pique requested interviews with both governments; both declined comment.)
According to Rogerson, whose company provides “ethical hacking” services like penetration testing to ensure robust security measures are in place, the rise in ransomware can be traced back, in part, to insurance companies.
“Part of the ransomware epidemic that we have is that a lot of it has been fuelled by insurance. It’s the cheapest path forward … The quickest path to recover your data is just buying the key that unlocks it,”
he says.
...
Next
Add comment
Email to a Friend
