Front Burner - Digital stick-ups: The evolution of ransomware

Episode Date: November 8, 2019

Ransomware attacks are changing. Cyber criminals are learning to target the most vulnerable systems including our municipalities, schools and hospitals. Today on Front Burner, tech journalist and friend of the podcast Matt Braga tells us why just changing passwords isn't enough to keep critical data and services safe from cyber crime.

Transcript
Starting point is 00:00:00 This is a CBC Podcast. Hello, I'm Jamie Poisson. So here is a message that you do not want popping up on your computer screen. Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm.
Starting point is 00:00:51 But that's the message that appeared when the government of Nunavut was hit with a ransomware attack last weekend. Ransomware is this nasty type of cyber attack that infects your computer and spreads through its network, locking you out of all your own files. Then the hackers demand payment in exchange for basically the key. The idea is someone working overnight on Friday night clicked an ad or a link that they shouldn't have. And now this. That's my colleague, Sarah Frizzell. She's a reporter in Iqaluit. And I called her up to find out
Starting point is 00:01:15 what's being held ransom in Nunavut and how that territory is dealing with the problem. We know that pretty much all of the documents, the PDFs, the Word documents that the government uses are encrypted right now. And to kind of contain the virus, the government has shut down all of their communication systems. Without those files or those communication systems, they're trying to find ways to give Nunavut the public services they need. But it's kind of this split where if you're just working a desk job and your whole job is on your computer, you're folding paper airplanes. No, just there isn't anything you can do.
Starting point is 00:02:01 You're not allowed to access your computer. You don't have access to your voicemail or email. It is really going back to paper. And that could make life difficult for ordinary people in Nunavut, too. One of the things that has been a big concern for people is social assistance. So nearly 15,000 people in the territory are on social assistance. And the government has started handing out food vouchers for this week for people who are really desperately in need. But that could become a very pressing problem very soon if they can't find a way to get paper checks out and those systems sorted out. The consequences of this ransomware could reach into realms you wouldn't even expect.
Starting point is 00:02:41 For example, students' report cards might even be delayed. Yeah, the schools don't have access to internet. I was talking to a teacher friend of mine who has been creating resources for years for her students, and she's very worried that all those years of work are just gone. The government is refusing to cave to the ransom demand, instead hoping they can get around the encryption by restoring their data and systems from backups. But there is a chance that the backups could be compromised as well. If that data is corrupted, I really don't know where we're at.
Starting point is 00:03:12 So it remains to be seen exactly when and how the government of Nunavut will be back to business as usual. Today, I'm talking to tech journalist and friend of the pod, Matt Braga, about why we're seeing random places like municipalities and universities get hit with these kind of attacks and what can actually be done to stop them. This is Front Burner. Matt Braga, hi. Hi, Jamie. So happy to have you here. Happy to be here. Last time you were here, I wasn't even around. I know. I am back on the other side of the chair. Wonderful. Okay, okay, let's talk about ransomware. Does what's happening in Nunavut with this ransomware situation sound a bit familiar to you? This all feels like deja vu.
Starting point is 00:03:51 Yes. We have heard lots and lots of examples of this over the past couple of years, affecting hospitals, libraries, schools, local governments. Tons of public institutions have been hit by this over the years. Some people might remember the University of Calgary was hit by one of these infections back in 2016. They ended up paying a $20,000 ransom to successfully gain access back to their files. We made the decision to pay the ransom because we do world-class research here, and we did not want to be in a position that we had exhausted the option to get people's potential life work back in the future. The city of Stratford earlier this year paid $75,000.
Starting point is 00:04:30 They were successful. I think we're one of many sitting ducks for cyber terrorists. They're not really interested in the information. They're interested in disrupting your ability to function, and that will allow them to get money. Wasaga Beach had to pay $35,000 last year. And then there's been other examples as well, right, where also this year CBC had done a story in October looking at some hospitals in Ontario that had been hit. Surgeries and other treatments have been disrupted since a ransomware attack took down their computer systems.
Starting point is 00:05:00 Toronto's Michael Guerin Hospital, they didn't end up paying and they were able to restore their files because they had backups and other means. And I want to talk about that with you in a minute. Yeah. I mean, city of Baltimore, right? The city of Baltimore. This is a big news story, right? I mean, the city was really its day to day operations were disrupted in a really big way. People were having trouble paying their debt payments to the city. Email systems going down within the police department. For two days, city employees came to work not knowing what was going on, including council people. They decided not to pay in the end and decided to take their chances trying to
Starting point is 00:05:37 restore those systems the best they could. The list really does go on. And I think at this point, you could pretty much Google the name of any town, city, province with ransomware on the end of it and find some example of that taking place. Cyber attacks, ransom attacks are becoming so prevalent that it's the old adage of the two things you want to avoid are death and taxes is becoming the three things are death, taxes and the cyber attack. Here's the question I have for you. Why is it that all of these public institutions are being hit? Like, these are not mega corporations here, right? Like, why the city of Baltimore, University of Calgary, and not, like, RBC? Sure. So for the last couple of years, a lot of these attacks have basically been crimes
Starting point is 00:06:25 of opportunity. So the way that the operators of these ransomware campaigns work is they basically just kind of spray and pray. So they send out tons of phishing emails to tons of organizations and hope that somebody clicks or they scan the Internet looking for vulnerable computers that they can then slip their malicious payloads into. And they're just doing this en masse and discriminately. So it's like a really wide net. They're casting a really wide net. And the reason why historically a lot of public institutions have been caught in this net, have been ensnared by these attempts,
Starting point is 00:06:57 is because when you compare public institutions to large corporations, which have tons of resources, and in theory tons of resources and in theory, tons of resources, tons of money, big IT staffs, they're beholden to investors. They want to make sure that they are protecting their bottom line. They are putting in a lot of work and a lot of effort to have protections in place that prevent these really kind of low hanging fruit type of attacks from disrupting their company operations. When you look at public institutions, which in some cases don't have as much money, might not have such a large number of people on staff, might be running outdated software for all types of reasons. Might not have like a super robust IT department.
Starting point is 00:07:37 No. And there's cases where you have hospitals and medical practitioners running outdated software. It's because they know it's reliable. They know it's known to work. They don't want to sort of introduce unforeseen consequences by updating software, applying patches, doing things that might put patients and operations at risk. I mean, it's the same thing with a lot of other organizations as well, like schools and hospitals. We've heard cases where schools have been using the same computer from the 1980s to run their, you know, their AC and heating systems. And that's just not something they've ever updated because they don't need to. It works fine.
Starting point is 00:08:08 Why spend the money on something that's just going to require perhaps more maintenance, more knowledge, more know-how, on and on and on. So that is part of the reason why these organizations have been, I think, targeted in the past, perhaps a little bit more than some of the big multinational corporations, not to say that they've been exempt, certainly. What's interesting, though, is that in the past couple of years, there has been a bit of a shift. So while in the past you had attackers really trying to cast that wide net and seeing who
Starting point is 00:08:43 they could catch. A lot of them have realized that you can actually get pretty big payouts from some of these organizations and some of these companies, especially in cases where you are hitting organizations that are dealing with life and death scenarios, mission critical stuff, stuff where you really can't stomach much of a disruption to the work that you're doing. Hospital workers were locked out of some patient data and forced to transcribe records on paper by hand. It's caused delays for patients and headaches for staff. So the FBI actually put out an advisory in October called High Impact Ransomware Attacks, basically warning people there weren't any specifics. They weren't pointing to any specific campaigns. But they were saying that since the beginning of last year, they've actually seen a decline
Starting point is 00:09:31 in those really wide net kind of like spray and pray type attacks and an increase in more sort of targeted, high value, big payout types of attacks as well. And so I think that's also part of the reason why you're seeing more of these attacks hitting local governments, hitting hospitals, hitting schools, because these are organizations where disruption is not a good thing. Right. So they could also be targeting these places for that reason. You're seeing a bit of a shift as well. So I think it's also it's a little bit of both. You have sort of crimes of opportunity, but also attackers realizing that there actually can be a bit of a payoff for a variety of reasons that we can get into.
Starting point is 00:10:09 But we're increasingly seeing more organizations, more companies that are willing to pay because when they compare the cost of the ransom with the cost of the downtime, the cost of having to spend all of that labor and all of that time to wipe computers and reinstall things or maybe buy new devices or maybe set up new systems. And it just goes on and on and on. There's lost revenue costs that you factor in. And so a lot of organizations, too, I think, are weighing that versus, well, they're only asking for $30,000 and deciding it makes more sense to pay that off. Okay, so let's talk about the options that you have if you're held hostage by this ransomware, right? You already alluded to what feels like two solutions here. The first is you pay. I'm the city of Stratford. I pay $75,000. I think they paid in Bitcoin. And that's option one. Option two is you like try to figure out how to build your system back together with like backups and stuff. So tell me
Starting point is 00:11:05 more about this. This is exactly the situation that the Nunavut government is facing and a lot of other organizations as well, where the attackers are banking on the fact that you're not going to have a backup, that you're not going to have copies of your files that you can restore or gain access to. But in a lot of cases, organizations do. And so then the task basically becomes, But in a lot of cases, organizations do. And so then the task basically becomes, where are the backups located? How quickly can we restore the files from them? What is the integrity of the backup? So there's cases where companies and organizations think that they've been backing up their files. And then when they go to actually restore them, they find that, oh, actually, the backups are corrupted or we're missing things or things weren't up to date. Maybe you only back things up once a week or at the end of every night, and then you're missing stuff that you did earlier in the day or earlier that week. There's all of these questions that you basically have to run through when you are trying to think about whether you can even go the backup route
Starting point is 00:11:55 and just easily restore things. And I think it's important to keep in mind as well that if you were just an individual and you were hit with one of these things, maybe you have a Mac or a Windows computer, and you can just use a time machine backup or plug in your external hard drive. Maybe you store everything in Dropbox or in Google or in iCloud. It becomes perhaps a little bit easier for you to restore those things. But if you are a large organization or a large business, there's a lot more complexity involved. There might be a lot more labor and time involved. A lot of money.
Starting point is 00:12:24 A lot of money. Because again, if you don't have the resources or the labor or the people in house to do all of this and to do it quickly as well, because you have to remember, too, that in a lot of these cases, there is a bit of a timer running. There is a countdown where these attackers are basically saying, if you don't pay by this point in time, we're going to throw away the key that we've used to lock all your files. And so if you're not damn sure that you're able to get your files back before that clock runs out, and then you decide that you want to actually pay them after all, you might not even be able to do that. So there's a lot of stress. I don't envy the people who are in this situation.
Starting point is 00:13:10 In the Dragon's Den, a simple pitch can lead to a life-changing connection. Watch new episodes of Dragon's Den free on CBC Gem. Brought to you in part by National Angel Capital Organization. Empowering Canada's entrepreneurs through angel investment and industry connections. Talking about these hackers, right, for a second. Sure. I know you were saying there are some examples of them not restoring the system, even if the ransom is paid. But it does also sound like a lot of the time they do restore the system.
Starting point is 00:13:38 This is like a business for them. One thing I thought was kind of funny about the Nunavut situation was that the ransom note actually included an email being like, any questions? They have a robust customer support system set up in a lot of these cases. Yeah, it's something that we've seen more of as these attacks have evolved over time, where I think some of the early examples basically just sent you a Bitcoin address and said, go send Bitcoin here. And people would get these messages and go, I don't know what Bitcoin is. I don't know how to send Bitcoin. And over time, we've seen these attacks evolve to include lengthy how to guides to how to buy Bitcoin. And here's where you go for Bitcoin. And if you have questions, there's a chat functionality or you can email us or you can
Starting point is 00:14:18 ask us questions. It's it's quite robust, I guess you would say, to the point that you mentioned, where I think in some cases these actors have realized that this can be quite lucrative. In particular, I want to draw your attention back to the University of Calgary example from a couple of years ago where they paid $20,000. Because in a lot of cases, these attacks happen and the people responsible basically go off into the sunset or they go off into the darkness and they are never caught. They are never prosecuted. Who knows what country they're in? Yeah, exactly. We're talking about Bitcoin. The reason why people use that is because it's untraceable.
Starting point is 00:14:54 Yeah, it's very, very difficult to trace. People are often hiding behind a lot of anonymity services that make it difficult to trace this. But in the case of the Calgary ransomware attack, a couple of years later, in 2018, the FBI actually did identify two men, two Iranian men who were responsible for not only this attack, but quite a number of similar attacks as well. It was called the Sam Sam. The defendants allegedly hijacked victims' computers and shut them down until the victims paid a ransom. Just to give you a sense, because we're talking about how lucrative this can be as a business. In this case, the FBI actually estimated that they received at least six million dollars U.S. and caused more than 30 million dollars in losses worth of revenue from the from this scheme, which is a ton of money. Right. And that's probably not
Starting point is 00:15:41 even the half of it, because, again, there's only so much that you're able to track in some cases by looking at sort of the movement of money through these Bitcoin wallets. I think in a lot of these cases where you have cybersecurity companies and law enforcement making these estimates, they say usually it's on the low side, most likely. And like speaking of the business around all of this, you know, I've read that there are companies who will just like straight up charge you to help pay the ransom. It has become quite a big business over the past couple of years. I mean, this is something certainly that large corporations are using increasingly because, of course, they are always going to be targets of these types of attacks. But you're also seeing a cottage industry of cybersecurity insurers emerge for just regular people like you and I. So if you were someone that's hit by one of these attacks and you don't want to mess around with buying Bitcoin, you maybe don't really know what to do or you don't feel comfortable engaging with these people that are basically trying to extort you.
Starting point is 00:16:39 You can go to some of these companies that now exist and they will promise to try and get your files back through a variety of means. ProPublica actually wrote a pretty good series of stories about some of these companies earlier in the year because there are companies out there that will promise to get your files back, but oftentimes they don't specifically say how or they are purposefully, they obfuscate how they actually get your files back. So in some cases, they've led people to believe that, oh, we've actually just used technical means. We've been able to break the locks that the attackers have used on your files. But what they're actually doing in practice is basically just negotiating with the attackers on your behalf.
Starting point is 00:17:19 Right, they're essentially like charging you a fee to then pay the ransom and then also charging you for the ransom. Yes. Which is like this mutually beneficial relationship between these criminals and these companies. Yeah, to the point where there was a really wild anecdote within the ProPublica story in May where they pointed out that there was one insurer, one company that offered this service that was so effective at negotiating with these criminal actors that these attackers started referring their victims to this company when they were infected. So they would basically say, hey, you know, we've locked your files. If you don't feel comfortable negotiating with us or working with us, you could also talk to this company and they could help you instead, perhaps, which, you know, maybe doesn't look so great on the company when you have the people who are holding people for ransom acting as one of your referrers. Yeah. Pretty wild scenario.
Starting point is 00:18:08 And also, this is like the exact same argument for why you shouldn't negotiate with terrorists, that it begets more terrorism. is that some suspect that the rise of these cyber insurance providers has actually increased the amount of money that ransomware operators are extorting from people, that it's actually increased the payouts and the amount of money that they're asking, because they know that in a lot of cases that people are going to pay, that companies are going to pay, that local governments are going to pay because they have these insurance providers that are backing them and that are going to be willing to pay that money. And so it's an interesting, I guess, sort of side effect. The rise of these attacks has resulted in more cyber insurance providers, which has resulted in more payouts, which has increased the payouts over time.
Starting point is 00:18:56 It's very much a vicious cycle. Banana's vicious cycle. It basically benefits everybody but the victim. So, OK, so we've gone through the options you have. You can pay. You can try to, like, put your files back together. But, you know, what is the real solution here? Like, how do we really address this problem of ransomware attacks?
Starting point is 00:19:20 One of the biggest things and simplest things that you can do is have backups that you can restore from. Certainly that helps to, I think, remove some of the teeth from some of these attacks because they're banking on the fact that you won't be able access to your files. But I think the challenge is that these attacks obviously are evolving. The attackers are evolving. The FBI, as they said, has noticed that there's been a change from that casting the wide net to more sort of targeted attacks against organizations that they know are willing to pay. And it's not just about locking files anymore. Once these attackers have access, they can obviously do a lot more with that, right? They can learn about where you store your sensitive information. They can learn where you store your backups. There's more that I think can be done that these attackers are starting to realize can be quite lucrative. And then they would have access to sensitive information too. They could, I don't know, blackmail you with it, I guess.
Starting point is 00:20:20 Sure. They could blackmail it. I mean, we've seen cases where it's not just about locking files. It's actually about exfiltrating the files and saying, hey, if you don't pay us, we're not just going to erase all your files, we're also going to leak them onto the internet so that maybe competitors or your clients or others can see as well. Even just laying in weight and learning information about how an organization functions, you can potentially learn information that can allow you to maintain access for months, for years in some cases, as we've seen with some attacks. So there's quite a bit of, once we get into the realm of sort of targeted, more focused attacks,
Starting point is 00:20:57 there's a lot more that can be done than just, you know, merely locking files and hoping for a payment. They're getting more sophisticated. And like you mentioned before, these are hitting institutions that maybe don't have super robust IT departments, don't have the necessary firewalls up. What about sort of educating these institutions or the people that work in them? I think that goes a long way, which is why you see a lot of organizations, universities in particular, local governments, like they spend so much time telling people, watch what you're clicking on in your emails, watch the attachments that you're opening, the forms that you're entering usernames and passwords to, because these attacks are still effective, which is why people keep doing them.
Starting point is 00:21:34 It's oftentimes really, really difficult to tell the difference between a phishing email and a legitimate email, which is why these attacks keep working. And so I think training people to be vigilant definitely goes a long way. But also, you can't put everything on users as well, because there are certain things that organizations could be doing to try and make their systems more robust against these type of attacks as well. So it's definitely something that I think cuts across organizations as a whole, rather than just being something that we can say, hey, if you stop clicking on links, this will make this problem go away. Or if you just have backups, this will make this problem go away. Okay. Matt Braga, thank you so much.
Starting point is 00:22:08 Thanks, Jamie. All right. Let's get back to the situation in Nunavut for just a second. The local news there is reporting that the government will not pay the ransom now. They've got IT teams working on the backups, and they don't anticipate any data loss at this point, although they are still working on it. That's it for this week. FrontBurner comes to you from CBC News and CBC Podcasts. The show was produced by Laura Carlin, Elaine Chao, Shannon Higgins and Ashley Mack. Derek Vanderwyk is our sound designer, with help this week from Austin Pomeroy.
Starting point is 00:22:54 Our music is by Joseph Chabison of Boombox Sound. And I just want to note that Elaine Chao and Derek Vanderwyk produced our Western Alienation series this week. A lot of people have been tweeting about it. produced our Western Alienation series this week. A lot of people have been tweeting about it. The executive producer of From Berner is Nick McKay-Blocos, and I'm Jamie Poisson. Thanks so much for listening, and see you all next week. For more CBC Podcasts, go to cbc.ca slash podcasts.
