Computer Crime Research Center


Ransomware rising

Date: November 22, 2021
Source: Computer Crime Research Center
By: Braden Dupuis

... unlocks it,”

he says.

“And that’s the struggle, is now our insurance companies are funding organized crime.”

Interview requests to the Municipal Insurance Association of BC were not answered before Pique’s deadline.

Over the past decade, Packetlabs has worked with hundreds of different organizations to shore up their security, including governments at all levels.

What stands out to Rogerson is the lack of funding for proper security.

“We’ve spoken to so many in the municipal government space that can’t get funding for a pen (penetration) test, and a pen test is where we would be able to discover the vulnerabilities in their environment,” he says.

“So a lot of the municipalities are just sitting ducks.”

Asked what kind of security measures were in place prior to the attack, and if it took proactive measures like penetration testing, the RMOW said on Nov. 12 that it was proactive “as per industry best practices.”

In the case of Saint John, the $3-million price tag likely could have been averted with a $25,000 to $50,000 pen test, Rogerson says.

“The insurance company paid for a lot of that, but it’s like we’re playing chicken,” he says.

“We’re on the road racing towards another car and waiting for something to happen, hoping it doesn’t, but we’re not proactively taking a stance to avoid something like this from happening??”we’re just waiting.”

It should be pointed out that companies like Rogerson’s stand to profit from proactive cyber security measures, but he also has a point: spending more on security would keep insurance companies out of the equation, and in turn funnel fewer funds to organized crime.

But for many municipalities across Canada, the funding simply isn’t there.

The Canadian government has programs to assist business with cyber security, Rogerson says, adding that the same assistance should be provided to local governments.

“Let’s assess our own municipalities with the same thing we’re recommending small, medium and large businesses to do; and not to say that that isn’t happening, but I don’t think it’s consistently applied across all municipalities,” Rogerson says.

“There’s certain municipalities that have a more significant budget, but there needs to be some provincial or federal oversight to ensure that we’re doing a lot of the right things, and today I don’t think that that is the case.”

Though the page run by the criminals responsible for Whistler’s data breach went offline in June, the criminals themselves remain active.

On Oct. 28, the FBI issued a release about the HelloKitty group, noting that they were first observed in January 2021, and are known to exploit vulnerabilities in SonicWall products.

The criminals “aggressively apply pressure to victims typically using the double extortion technique,” the FBI said. (The double extortion tactic involves stealing information and encrypting it before demanding payment for decryption.)

“In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company’s public facing website.”

HelloKitty actors demand payment in Bitcoin “that appear tailored to each victim, commensurate with their assessed ability to pay it,” the release continued.

“If no ransom is paid, the threat actors will post victim data to [the dark web] or sell it to a third-party data broker.”

Callow and Emsisoft have continued to track the group’s activities, and they “do not seem to be running a leak site,” he says.

“That said, data they obtained in another incident ended up on another gang’s leak site, so it seems they have working relationships with other cybercriminals.”

Further, certain groups seem to be selling stolen data on third-party auction sites.

“Why release it for free when you can make some money from it? So it’s possible Whistler’s info has been sold somewhere and just not noticed. Impossible to say.”

The value of a credit card on the black market is about $4 to $6, Rogerson says. But paired with more identifying info, the cost goes up.

“It would be a lot more valuable, because for the attacker, they can make better use of it,” he says, noting that compromised credit cards are eventually flagged as such, becoming worthless.

“Whereas if they have enough information to get a new credit card, well that’s going to be more valuable to the attacker.”

While the criminals could very well be lying about having sold Whistler’s data, it’s better to be safe than sorry.

The public should remain vigilant, Rogerson says, and review their financial statements and credit card statements regularly.

“They should also be reviewing Equifax-type reports to see if there was any new credit-card products … Having enough information to really forge your identity, they may be getting to the point where they could take out CERB in your name, right?” he says. (As of August 2020, the Canadian Anti-Fraud Centre said there were more than 700 cases of identity theft linked to the Canada Emergency Response Benefit, or CERB.)

“If it has been sold??”and who knows if that is the case??”someone bought it for a purpose. There’s a reason behind it; they want to make use of that information.”


More than six months after the attack, the RMOW has told Whistlerites very little about its extent.

According to Callow, it’s not very often that the full details of such attacks ever become public.

In August, the RMOW sent a letter to all former employees stating something Pique reported three months earlier: the personal drives of 38 employees were leaked on the dark web after a ransomware attack in late April.

The letter was shared with Pique by several former employees.

“We can now confirm that HR related files for all current and former employees (who were employed up to the date of incident) were on those P-drives,” the letter read, in part.

When Pique reported on the leak in May, the RMOW launched a lawsuit against the paper, seeking unsuccessfully to restrict what Pique could publish about the ransomware attack. The RMOW argued that it was seeking to protect the privacy of its staff, and alleged in its court filings that it did not have detailed knowledge of the data available on the dark web.

In the BC Supreme Court on May 21, RMOW lawyer Paul Hildebrand argued certain information published by Pique might “whet [the] appetite” of would-be criminals, who might then seek out the information on the dark web.

“We just don’t want information on the internet that might provide an incentive and encouragement to others to go try and find this information…” he said in court.

Supreme Court Justice Sandra Wilkinson declined the RMOW’s request for a temporary order restricting the newsmagazine’s coverage. Referring to the injunctive relief the RMOW requested, Wilkinson said: “I have serious concerns about the precedent that this sets.”

The RMOW walked away from the lawsuit in July.

Since Day 1, local officials have said repeatedly “there is no evidence” that the private information of local residents and businesses was compromised (outside of the admission that employee files had been compromised in the letter sent out in August).

That may well be true, but cyber security experts have a phrase they like to use when officials make such claims: absence of evidence isn’t evidence of absence.

It could be that the RMOW’s servers were so mangled by the attack that it’s impossible for them to definitively state personal data was stolen, experts say.

Time and again, representatives from other organizations have made the same claim only to be proven wrong down the line.

Like when eHealth Saskatchewan’s servers were hit with ransomware in early January 2020, and officials confidently stated there was “no evidence” confidential patient info was accessed… until the following month, when it discovered some of its files had been sent to suspicious IP addresses in Europe.

Or when officials in Prince Edward Island reassured the public they had “no reason to believe” personal information was impacted in a Feb. 2020 malware attack, only for said personal information to show up on a ransomware gang’s leak site in March.

Or when the City of Torrance, Calif., issued a statement saying “public personal data has not been impacted” following a March 2020 cyber attack before having to apologize and walk back the statement when leaks proved otherwise.

In Whistler’s case, “if they don’t have sufficient logging, they’re not going to have evidence to say that something has happened, and the real challenge here is that absence of evidence is not evidence of absence,” Rogerson says.

“So just because you didn’t find something is there didn’t mean there wasn’t something to be found. It just means you weren’t capable of even seeing it.”

Pique submitted an expansive Freedom of Information request to the RMOW in August, seeking correspondence related to the attack and details about the legal action against the paper (as well as how much the legal action...

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo