George Takach, McCarthy Tétrault LLP
Tech entrepreneurs are continually inventing new business models for the internet, and a day doesn’t go by that some novel way to monetize the digital environment isn’t discovered. The pace of change can truly take your breath away, and society is much the better for it.
Unfortunately, criminals are no less entrepreneurial. It is astounding how creative they are, and the cycle of invention in criminal circles is no less robust than in the legitimate economy. And so perhaps it is no surprise that the criminal hacker, who previously focused exclusively on penetrating your IT systems, stealing your sensitive data and selling it to unscrupulous third parties over the dark web, is now being joined by other criminals who break into your computers, but then block you from accessing your data and extort a ransom payment from you.
This is the recent, meteoric rise of the so-called ransomware phenomenon.
Nothing New under the Sun
While the incidence of ransomware attacks has been growing recently, it is by no means a new criminal practice.
In one of Canada’s first reported computer-crime decisions in the mid-1980s, R. v. Turner (1984), the accused installed software on the victim company’s computer system that blocked the company from accessing its own data. In this case, the accused was convicted under the Criminal Code’s mischief provision, but the judge also suggested that the soon-to-be-enacted section 430(1.1) of the Criminal Code would also address this type of behaviour.
Alas, the problem with ransomware is not that we don’t have a legislative response, because we do. The rub is that we are seeing so much of it; and, ironically, the amounts being extorted are small enough — typically under $50,000 — that victims often find payment of the ransom is the easiest and quickest course of action. (For example, a recent survey of IT shops found that 34 per cent of ransomware attackers are demanding between $1,000 and $5,000 to release the data, and only 10 per cent hold out for between $10,000 and $50,000.) This is particularly the case because, in many if not most of the occurrences, the perpetrator of the crime is offshore, and therefore pursuing a criminal investigation, let alone a civil one, is impractical.
So it was not surprising when the national press publicized the fact that a university in western Canada, hit with a ransomware attack in the spring of 2016, opted to simply pay the $20,000 ransom that was demanded. In another highly publicized incident, a hospital in Florida decided in 2015 to pay the $50,000 that was demanded because they reasoned that that was the surest way to ensure there would be no disruption in health care to its patients.
And, incidentally, this hospital is not the only organization under siege in the health-care sector, which is apparently the target of some 53 per cent of ransomware attacks, with financial services following closely as the next most-targeted industry.
Standing up to Bullies
Not everyone, however, who is hit with a ransomware attack takes the path of least resistance. Also in 2015, a medium-sized law firm in the United States was faced with a ransomware situation. Rather than pay the amount demanded, the law firm called in forensics experts and determined that no client data had been compromised in the attack. The firm was also, through its backup data stored offsite, able to resume operations without too much difficulty; and so it defiantly issued a public letter to its clients notifying them that the firm would not be knuckling under to the demands of the criminals.
Part of this firm’s rationale for its decision was that in many cases, after the victim pays the ransom, the bad guys still don’t release the data (though presumably many do, because if none did the business model for ransomware attacks would be discredited and no victim would pay the ransom). The firm also alluded to the fact that, when it is revealed that a targeted organization has paid a ransomware demand, other criminals may repeat the attack on the same victim, knowing they have a fairly likely payer on their hands.
In short, once you’re hit with a ransomware attack, you have a difficult decision to make and there is no easy way out. It is therefore worth asking what you can do to help prevent such an attack.
Phishing for Dollars
Your chief information officer has invariably been hardening your defences against cybercriminals, and that’s all to the good. Anything that makes it more difficult for the bad guys to enter your computing systems is to be applauded.
However, with ransomware, the unsavoury characters typically come right through your front door — not through some surreptitiously installed malware, but directly through email, by means of so-called phishing messages that look and feel an awful lot like email messages that your staff might be expecting. Unwittingly, they click on the message and often its attachment, which is enough to launch the corrupting malware into your computer systems. The bad guys are in!
Phishing emails are a much improved version of the scam email message of many years ago that looked ragged, had a bunch of typos and detailed an unbelievable story. (“You have won a million-dollar lottery, I will send you the winnings if you send me the $25,000 processing fee first.”) It should be noted, though, that even these scam emails found their mark in many cases, costing Canadian companies and individuals surprisingly large losses.
Today, it will more likely be an email purportedly from your bank, with excellent graphics and branding, and a credible message. (“We have attached your latest monthly statement, which shows a double entry we would like to discuss with you at your earliest convenience.”) You click on the file attached, and voila, the criminal software is now wending its way into your firm’s central nervous system; within a few moments it has run its encryption routine, locking you out of your own systems and the data on them.
The ransom email will follow in short order, requiring you to pay very promptly by e-transfer or the blocked data files will be destroyed altogether. Yikes! If these are critical datasets, and your organization needs them right away in order to continue to operate … well, you can see why some victims would rather just pay than risk some discontinuity of service and access to data. It is, in effect, a cost of doing business, or so goes the argument.
Backup Is Best Safeguard
It’s easy to see how, when faced with such a situation, you would really want to have backup data handy and ready to be put into active production at a moment’s notice. In other words, if you can keep operating without the data that the criminal has disabled, then you can thumb your nose at the sender of the ransom note.
This requires, however, a very disciplined and expert approach to conducting backups. This in turn will cost some money to implement. And the criminal elements are betting on not many organizations doing this well; hence, the ever-growing business model for ransomware.
Your Employees as Defence
The other defence point that needs hardening is your staff. When they are presented with that phishing email, ideally they ignore it. But to do so, they need to be trained, coached and reminded constantly not to click on the problematic message.
Of course, it’s not either data backups or employee training, but both — along with a number of other active steps to strengthen your organization — so that when the cybercriminals come a-calling they find it more trouble than it’s worth to mess with you. For example, make sure your software maintenance and support efforts are implementing the latest security patches, all the time, constantly, without exception. And ideally — again, back to people reminders — you can convince your staff to put into your systems only software that your IT group scans for viruses first. The old saying really applies here: an ounce of prevention is worth a pound of cure.
If all else fails, take a close look at your insurance policies; and it’s a good idea to review them now, before you’re hit with an attack. If you feel your coverage is on the thin side, take a good look at some of the newer cybersecurity policies.
George Takach is a senior partner at McCarthy Tétrault LLP and the author of Computer Law.