When Vicky Buchan woke up for work at 3 a.m. on Monday, cyber thieves had already transferred $3,000 out of her account.
Because she's made online payments to the City of Saint John, she believes she's part of the recent cyberattack on the city.
Although the money isn't back in her account yet, her bank assures her that it will be within three to five days. If she hadn't caught it so quickly, she was told, it could have taken longer to get it back — if she got it back at all.
And she wouldn't have caught it so quickly if she hadn't gotten up for the early shift at the gym she owns, Port City Training and Fitness.
Buchan believes the cyber thieves deliberately acted in the middle of the night.
"Oh, 100 per cent deliberate. It's the best likelihood that you're going to be asleep, so that they are long gone by the time you get up and hopefully they get away with it, right?"
At 1 a.m., she received a message from her bank, alerting her that the security questions had been changed. By the time she got up two hours later, the money had been transferred from her business account to her chequing account and then etransferred elsewhere.
Buchan said her bank told her that because she caught it so quickly, the money was still being "held" and hadn't been transferred to the thieves' account.
But while the timing is suspicious, it may be a coincidence, say cyber security experts.
They say Saint John's attack appears to be a ransomware attack.
Essentially, someone breaks into a computer system, encrypts all of the data and then offers to sell you a key to unlock all of your data, explains Mike Smit, an associate professor in Dalhousie University's school of information management.
But Buchan's experience is a good reminder for people to check their accounts often, said Smit.
Brett Callow, a threat analyst with the British Columbia firm Emsisoft, agrees that Saint John is likely dealing with ransomware.
"Based on the limited amount of information made available, it certainly appears to have all the hallmarks of a ransomware attack," he said
"It really is the worst possible time for a city to be hobbled by ransomware. The need for staff to be able to work remotely and for the public to be able to access services remotely makes it critical that IT systems and online portals are available."
City officials not talking
City officials, meanwhile, aren't talking about the cyberattack. Several calls to various city departments, including to Mayor Don Darling, went unanswered or unreturned on Monday.
CBC News was told the mayor would not be granting any interviews and that any updates would be issued through social media.
On Monday at about 5:30 p.m., the city tweeted to say it "has been working around the clock to contain the attack and mitigate any current and future risks to the municipality.
The response was immediate, and remains in the best interest of the City and residents. Pertinent updates will continue to be provided to the media and public as more information becomes available, the city said.
The city also said it wants to ensure it doesn't release too much information, "including information on the effectiveness of the attack, the systems affected, and success of our containment efforts.
"Providing this level of detail would be beneficial to the attacker as they could attempt further attacks; it would also provide valuable information to potential copycat hackers; and could compromise investigative efforts."
The city said it continues to work with a number of partners "to help manage any risks."
Not us, says parking app
The online parking app, HotSpot was quick to separate itself from the recent cyberattack. In a Twitter post sent Monday morning, the company said, "The cyberattack that has impacted the City of Saint John has not compromised HotSpot's customer information or data."
In December 2018, another cyber breach exposed the names and credit card information of thousands of the city's parking customers.
Smit said cyberattacks are a profitable business. He said tracing payments through bitcoins have revealed hundreds of millions of dollars in ill-gotten gains for cyber criminals last year.
Although there are many players internationally, he said such schemes usually roll out "pretty consistently."
They'll identify a target and then look up all of the publicly available email addresses.
"And they'll run some fairly sophisticated, targeted phishing attack, where they try to get the receiver of the email to click a link in that email."
Clicking on that link, compromises the computer, and alerts someone that an entry has been made.
"At that point, a human takes over and accesses that system and just starts to poke around."
Smit said the person who takes over starts looking for passwords and possible entry points into bigger and more valuable targets.
Most often, the process stops there, "but sometimes they get lucky," said Smit.
Sometimes they find access into bigger systems. Once there, the intruders find out what's available and usually run in one of two directions.
They can either go after personal financial information and try to steal smaller sums, or, usually in cases of larger organizations or governments, they can shut the whole system down and go after a ransom.
Smit said organizations usually find out that they've been attacked when their systems go down or they find a ransom note.
Andrei Barysevich, CEO of Gemini Advisory, a Florida-based cyber intelligence company, said the ransom demanded of governments usually falls in the range of $50,000 to $250,000 US, although there have been some as high as several million.
He said cyber attackers want to make the amount tempting for the victims, so the amount is tailored to the specific circumstances of the organization targeted.
Barysevich said cyber criminals have been busy during the pandemic and may have found more success with so many employees working from home.
He said it's a "very common attack vector" — to target people on their personal computers and then try to gain access to the employer's system.