Canadian Towns Hit by Ransomware Cyberattacks; Lessons Learned from These Attacks
The Canadian town of Midland in Ontario recently acknowledged it has paid ransom after experiencing a crippling ransomware cyberattack.
In a statement, Midland Town said that it has “initiated the process to pay the ransom in exchange for the decryption keys.” The town added, “Although not ideal, it is in our best interest to bring the system back online as quickly as possible.”
What Is Ransomware
Ransomware is a type of malicious software (malware) that encrypts files, making them inaccessible to users, and demands a ransom from victims in exchange for the decryption keys that unlock the encrypted files.
Ransomware attackers typically ask their victims to pay the ransom in cryptocurrency such as Bitcoin, and then convert it to another cryptocurrency that offers privacy features to cover their digital tracks.
Midland Ransomware Attack
According to Midland Town, in the early morning of September 1, this year, its computer system was hit by ransomware, rendering several of the town’s computers inaccessible. The Town subsequently received a ransom notice to decrypt the inaccessible computers.
Midland Town said that vital services of the town, such as water, fire, rescue and waste management, aren’t affected as computers used by these vital systems were purposely isolated from the town’s IT system for security reasons.
As a result of the ransomware attack, the Town said it can only accept cash or cheque payments; riders of Midland Transit buses can only pay in cash; reloading of transit cards and selling of transit passes are halted; information or balances regarding business or residential accounts can’t be accessed; and permit processing takes longer than usual.
Midland Town didn’t specify the ransom amount it paid to the ransomware attackers. It also said that it has yet to determine how the ransomware got into the town’s computer system.
Midland Town isn’t the only town in Ontario that was hit by ransomware. On April 30, 2018, ransomware infected the computer system of Wasaga Beach, another town in Ontario. Typical of a ransomware attack, the cyberattackers also demanded ransom payment from Wasaga Beach Town in exchange for unlocking the data that they’ve locked or encrypted.
“For roughly seven weeks, town staff worked with computer experts to recover from the virus by rebuilding a new network, negotiating with the cyber criminals to obtain the data back, scrubbing the data to ensure it was clean before returning it to the new network, reconfiguring many software programs to work under the new network design, and installing a new hardware and software infrastructure deemed necessary for corporate security,” Jocelyn Lee, Wasaga Beach Town Treasurer, told the town’s Council.
Lee added that Wasaga Beach Town paid the ransomware attackers $34,950 to retrieve the town’s data. Wasaga Beach Town also hasn’t yet determined how the ransomware got into its computer system.
Ransomware Prevention/Lessons Learned from Midland Town and Wasaga Beach Town Cyberattacks
- Network Segmentation Works
In a typical organization, computers are connected to each other, for instance, for sharing files. These connected computers are collectively called “network”. The danger in connecting all computers, combining them as one network, is that if one computer is infected by a malware, there’s a potential that the other connected computers would be infected as well.
The spread of malware infection as a result of simply being connected to a network was evident when the WannaCry ransomware infected hundreds of thousands of computers worldwide in less than 24 hours on May 12, 2017.
WannaCry infected so many computers in less than 24 hours as it has a worm capability – referring to the malware’s ability to replicate itself without user interaction onto another computer connected to a network.
In network segmentation, the computers of a particular organization are split into different networks. These different networks aren’t connected to each other so that when an unfortunate event happens, like a ransomware attack, the infection will be limited to that particular network.
Midland Town’s effort in segmenting the computers used for vital services like water, fire, rescue and waste management saved it from the devastating ransomware attack last September 1st.
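The effect of segmentation described above can be checked against a host inventory. The following is an added example, not part of the original article: it computes which hosts a self-propagating infection could reach from one infected computer, first on a flat network and then on a segmented one. All host names, segment names and allow rules are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory: host -> network segment (all names hypothetical).
HOSTS = {
    "finance-pc": "office", "permits-pc": "office", "transit-kiosk": "office",
    "file-server": "servers", "billing-db": "servers",
    "water-scada": "utilities", "fire-dispatch": "emergency",
}

# Constructed inter-segment allow rules as (source segment, destination segment).
# Flat network: every segment may talk to every other segment.
FLAT_RULES = {(a, b) for a in set(HOSTS.values()) for b in set(HOSTS.values())}
# Segmented network: only office <-> servers traffic is permitted.
SEGMENTED_RULES = {("office", "servers"), ("servers", "office")}


def blast_radius(start_host, hosts, allow_rules):
    """Return every host a self-propagating infection could reach from start_host.

    Hosts in the same segment can always reach each other; hosts in different
    segments can reach each other only if an allow rule permits that direction.
    """
    if start_host not in hosts:
        raise KeyError(f"unknown host: {start_host}")
    reached = {start_host}
    queue = deque([start_host])
    while queue:
        src_seg = hosts[queue.popleft()]
        for candidate, dst_seg in hosts.items():
            if candidate in reached:
                continue
            if dst_seg == src_seg or (src_seg, dst_seg) in allow_rules:
                reached.add(candidate)
                queue.append(candidate)
    return reached


def exposed_critical(start_host, hosts, allow_rules, critical_segments):
    """List critical-segment hosts inside the blast radius, sorted for reporting."""
    reached = blast_radius(start_host, hosts, allow_rules)
    return sorted(h for h in reached if hosts[h] in critical_segments)


if __name__ == "__main__":
    critical = {"utilities", "emergency"}
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        reached = blast_radius("finance-pc", HOSTS, rules)
        print(label, len(reached), exposed_critical("finance-pc", HOSTS, rules, critical))
```

Replacing the constructed inventory with an exported host list and firewall rule set turns this into a quick audit of whether vital-service systems fall inside the reach of an office workstation.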
- Question About Ransom Payment
In the event of a ransomware attack, can your organization retrieve your data after paying the ransom? The answer to this question is yes and no.
Some ransomware programs are created or designed in such a way that once ransom is paid, the encrypted or locked data can be unlocked via decryption keys – keys that are given only by the attackers after paying the ransom.
By mistake or by choice, some ransomware authors, however, design their ransomware in such a way that they themselves can’t determine who paid the ransom and who didn’t, making it impossible to give the correct decryption keys to a particular victim. Paying the ransom in this case is therefore futile, as the data can’t be recovered. This was the case for the victims of the WannaCry ransomware, whereby the malware authors themselves couldn’t determine who paid the ransom and who didn’t.
Paying the ransom in ransomware attacks also isn’t enough to clean up the mess. Ransomware victims have to shell out additional money for installing new hardware and software infrastructure as the ransomware makers could’ve dropped additional malware onto the infected computers for additional illegal activities, such as data stealing and cyber spying.
Contact us today if you need assistance in protecting your organization’s network from cyberattackers, and, in particular, from ransomware attackers.