'Definite uptick': Global wave of ransomware attacks hitting Canadian organizations

When a Toronto dentist learned last week that his office's computer network had been attacked with ransomware, it felt like a "violation." 

"It was terrible," he said. "My wife was even nervous about sleeping at home."

Staff were locked out of digital files for at least a day and had to take notes on paper. The dentist said files on 19 out of the clinic's 22 computers became encrypted. 

CBC News has agreed not to identify the dentist to avoid making his clinic a potential target again.

A message left on the infected machines read "Ryuk," identifying the ransomware as the same strain that recently hit three Ontario hospitals and health-care facilities in Alabama and Australia.

"We were really lucky," the Toronto dentist said. "At least we had a good backup."

Last Tuesday, patients started receiving so-called phishing emails — messages meant to trick users into giving hackers access to the recipient's computer or data. 

Ransomware typically encrypts files, with attackers demanding a digital currency payment from victims in order to release the data.

Ryuk, a form of ransomware first reported in 2018, allows hackers to view a computer's files and gather information for several weeks, unbeknownst to its victims.

'Definite uptick'

The Toronto dental clinic is just the latest target in a series of ransomware attacks hitting Canadian networks, particularly in the health-care field. A string of Ontario municipalities — including Woodstock, Stratford and The Nation — have previously fallen victim to ransomware.

Until recently, Canadians seemed "to have escaped" a wave of global ransomware attacks, said B.C.-based cybersecurity expert Brett Callow, with the global software firm Emsisoft. 

"Although that seems to have been changing in recent weeks," he said. "There has been a definite uptick."

A recent survey of Canadian organizations found the vast majority (88 per cent) experienced a data breach over the last 12 months. The research by the U.S.-based cybersecurity firm Carbon Black also found 82 per cent of Canadian companies surveyed reported an "increase in overall attack volume."

Both figures represent a slight increase over Carbon Black's previous Canadian threat report, released in March.

Ransomware, however, only accounted for 14 per cent of data breaches in the recent survey.

"The criminal syndicates of the world … are laser-focused on targeting hospitals and municipalities' emergency management systems," because of their importance in critical situations, said Tom Kellerman, Carbon Black's chief cybersecurity officer.

"[Criminals] recognize that ransomware is far more impactful in these types of organizations due to their mission."

The FBI also issued a warning recently, alerting U.S. organizations to the threat of "high-impact" ransomware. The agency said while the incidence of broad ransomware campaigns has declined since 2018, "losses from ransomware attacks have increased significantly."

Hacker speaks

The hacker who targeted the Toronto dental clinic told CBC News he was not involved in the recent cyberattacks on the Ontario hospitals. CBC News briefly exchanged messages with him using the email address provided to the clinic.

The hacker initially told CBC that the cost to decrypt the dental office's files would be nine bitcoins (nearly $100,000), but later increased the price to 15 bitcoins ($165,000). 

"To confirm our honest intentions," he wrote, "we will unlock two files for free."

The hacker — whose email address identified him as "Samuels Marques" — declined to say where he was located, or how much money he had made from Ryuk attacks.

Cybersecurity researchers believe the malicious software was likely developed in Russia.

The widespread nature of Ryuk attacks may stem from the code's availability on the dark web, a shadowy part of the internet not found on search engines that is difficult for everyday users to access.

The malware's creators are leasing it online for about $200 US, plus a monthly "maintenance fee," which ensures the code is updated with the latest data to circumvent security technology, said Kellerman.

He said the malware's creators provide it to other hackers so Ryuk can keep gathering information on computer system vulnerabilities, or "backdoors," around the world.

"They're outsourcing their colonization of infrastructure to other criminals," he said.

It's unclear why Canadian firms are increasingly being targeted, Callow said, but he has a theory.

"It could simply be that the bad actors are broadening their horizons," he said. "They've had a lot of success in the U.S. and now they're trying their luck in other areas."

Free fix?

The RCMP discourages victims from paying ransom.

In many cases, organizations with small information technology departments may hire outside firms for help regaining access to files. An online service, likely little-known to Canadians, can also sometimes do the trick for free.

The No More Ransom Project — an initiative involving the European Union's law enforcement agency, Europol — offers tools on its website to unlock files encrypted with malware. The service is available to users around the world, including in Canada.

New Zealand-based Emsisoft acts as a project partner, lending decryption tools to the initiative.

Callow said Emsisoft is mainly an anti-virus company, but it provides ransomware-fighting tools as a "public service."

He stresses, though, that Ryuk often causes damage to files it encrypts, making them irrecoverable. "So data loss is very common in these cases, even if the ransom is paid."

But for "the three to five per cent [of cases] in which we can help," Callow said, "our services are provided at no cost whatsoever."

The Toronto dentist said his clinic didn't pay to regain its files, and despite the messages exchanged with CBC News, no specific amount was demanded. But he said if the price were right, he wouldn't hesitate to pay.

"If someone said to me, 'Pay $20,000 and you get your files back,' I'd give them the money," he said. "Because I need my files."

The clinic is now taking steps, such as reinforcing firewalls and issuing new computer usage guidelines for staff, he said.

His message for others? Ransomware is a "real issue … and it's bound to get worse."