Government of Nunavut Slowly Recovers from Ransomware Attack
The Government of Nunavut in northern Canada is slowly recovering nearly two weeks after its computer systems were crippled by a ransomware attack. The attack showed that this type of cyber-attack isn’t going away and that organizations need to be prepared to prevent and mitigate it.
Last November 3, the Government of Nunavut disclosed that on November 2 of this year a “new and sophisticated type of ransomware” blocked government workers from accessing files on various servers and workstations. Ransomware is a type of malicious software (malware) that encrypts data, making it unreadable without a key, and demands a ransom payment from victims in exchange for the decryption keys that would unlock the encrypted data.
As a result of the ransomware attack, the Government of Nunavut said that all government services requiring access to electronic information stored on the network had been impacted, except Qulliq Energy Corporation – the power company owned by the Government of Nunavut. In the November 3 statement, the Government of Nunavut said that the majority of the encrypted files would be restored using up-to-date backups. Martin Joy, Nunavut’s director of information, communications and technology, told CBC that the malware was likely installed on Nunavut’s network when an employee clicked on a web advertisement or an email link.
In statements issued last November 13 and 15, the Government of Nunavut said that departments are beginning to come back online, assuring that the government’s obligations such as salary payments, income assistance payments in Iqaluit, payments for Financial Assistance to Nunavut Students, Adult Learning Training Supports and Foster Parent payments will be paid as scheduled.
The ransomware attack on the network of the Government of Nunavut is one of many ransomware attacks in recent years. While the Government of Nunavut said that it is slowly recovering from the attack not by paying ransom to the attackers but by using its backups, other organizations have acknowledged that their only way to recover their data was to pay the attackers.
In 2018, two towns in Canada, the Town of Wasaga Beach and the Town of Midland, admitted that they paid ransom to ransomware attackers in order to get their data back. The Town of Wasaga Beach reported paying the attackers 3 bitcoins, valued at the time of payment at $34,950 Canadian.
The Town of Midland, meanwhile, didn’t disclose how much was paid to the ransomware attackers. In a statement, the Town of Midland said, “Although not ideal, it is in our best interest to bring the system back online as quickly as possible.”
A new study from Sophos showed the following ransomware trends:
1. Delivery Methods
The Sophos study showed that the different types of ransomware are distributed via these modes of delivery: cryptoworm, automated active adversary and Ransomware-as-a-Service (RaaS).
In the cryptoworm model, the ransomware replicates itself and spreads to other computers within a network. The WannaCry malware exemplifies this type of ransomware: by replicating itself, it spread to hundreds of thousands of computers in a single day on May 12, 2017.
In the automated active adversary model, attackers use tools that automatically scan the internet for computers with weak protection, such as computers openly exposed to the internet via the Remote Desktop Protocol (RDP) – a protocol developed by Microsoft that’s designed to provide remote access. In the middle of this year, Renato Marinho, security researcher at Morphus Labs, reported that he had discovered a botnet – a group of computers controlled by an attacker or attackers – working through a list of about 1.5 million RDP servers exposed to the internet and brute-forcing them with weak and reused passwords to gain access. In this model, ransomware victims may think that they were specifically targeted when, in fact, the attacks were merely opportunistic.
Ransomware-as-a-Service (RaaS), meanwhile, refers to a service whereby ransomware is offered for sale online. RaaS packages allow malicious actors with little coding knowledge to distribute ransomware via malicious emails or drive-by downloads – downloading of the ransomware through a website or app that’s out of date and has a security vulnerability.
2. Ransomware Updates
Aside from identifying the major ways the different types of ransomware are distributed, the Sophos study also showed that protection products such as traditional antivirus solutions, which rely on static analysis, are unable to detect ransomware attacks because attackers are constantly releasing new ransomware variants that existing signatures don’t match.
3. Encrypting Mapped Network Drives First
The Sophos study also found that ransomware causes immediate damage to an organization when it encrypts mapped network drives first. Because mapped network drives give access to shared folders over the network regardless of where employees are geographically located, Sophos said, encrypting them first results in work stoppage, disrupting the entire organization and putting pressure on management to pay the ransom demand.
4. Delays in Restoring Data from Backups
The Sophos study also found that, despite the availability of backups, organizations are pressured to pay ransom because backups, although made periodically, aren’t always up to date. Sophos added that restoring data from backups takes a financial toll on the organization, as data restoration can take many days, especially when a large amount of data is encrypted – as the attackers usually do – across a number of servers and workstations.
Preventive and Mitigating Measures Against Ransomware
Here are some of the preventive and mitigating measures against ransomware attacks:
- Practice Network Segmentation
Network segmentation refers to the practice of dividing your organization’s network into sub-networks, so that if one sub-network is infected with ransomware, for instance, the others won’t be affected. This practice is particularly effective against cryptoworms – ransomware that spreads by replicating itself.
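As an added example (not from the article or from Sophos), the following nftables forwarding policy shows what segmentation looks like on a gateway that routes between three hypothetical VLAN interfaces: two workstation segments and a file-server segment. The interface names, the VLAN layout and the choice of SMB (TCP 445) as the only permitted cross-segment service are assumptions for illustration; adapt them to the services your users actually need.

```nftables
# Added example, not part of the article. Interface names are assumptions:
#   vlan10 = workstation segment A, vlan20 = workstation segment B,
#   vlan30 = file servers.
table inet segmentation {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were already permitted.
        ct state established,related accept

        # Workstations may reach the file-server segment on SMB only.
        iifname "vlan10" oifname "vlan30" tcp dport 445 accept
        iifname "vlan20" oifname "vlan30" tcp dport 445 accept

        # Lateral traffic between the two workstation segments is never
        # allowed; log it so a worm trying to fan out shows up in syslog.
        iifname { "vlan10", "vlan20" } oifname { "vlan10", "vlan20" } log prefix "seg-lateral-drop " counter drop
    }
}
```

The point of the last rule is detection as much as prevention: with a default-deny policy the traffic would be dropped anyway, but the log line and counter give you an early signal that something on a workstation segment is probing its neighbours.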
- Effective Backup Plan
Data backup alone isn’t enough, especially if the backup, although done periodically, isn’t up to date. For the worst-case scenario, that is, a ransomware attack, a data restoration plan should be in place to prevent delays.
We have found that many companies don’t test their backups and, when disaster strikes, are unable to restore their data.
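As an added example (written for this page, not the authors’ own method), the script below exercises the two failure modes described above: a backup that is older than the recovery-point objective, and a backup that can’t be restored completely. It backs up a constructed sample directory to a tar archive, restores it into a scratch directory, compares SHA-256 hashes of every file, and flags the archive as stale if it is older than an assumed 24-hour objective. The sample file names and the 24-hour limit are assumptions.

```python
"""Backup freshness and restore test (added example, not from the article)."""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

# Assumed recovery-point objective: a backup older than this is stale.
MAX_BACKUP_AGE_SECONDS = 24 * 3600


def sha256_of(path):
    """Hash a file in chunks so large backups don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_hashes(root):
    """Map every file under root (relative path -> sha256)."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def create_backup(source_dir, archive_path):
    """Write a gzip tar of source_dir; return the hashes it should contain."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return snapshot_hashes(source_dir)


def restore_test(archive_path, expected_hashes,
                 max_age=MAX_BACKUP_AGE_SECONDS, now=None):
    """Restore into a scratch dir and verify; return (ok, list_of_problems)."""
    problems = []
    now = time.time() if now is None else now
    age = now - os.path.getmtime(archive_path)
    if age > max_age:
        problems.append(f"backup is {age / 3600:.1f}h old, exceeds RPO")
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # refuse path escapes
            except TypeError:  # Python versions without the filter argument
                tar.extractall(restore_dir)
        restored = snapshot_hashes(restore_dir)
    for name, digest in expected_hashes.items():
        if name not in restored:
            problems.append(f"missing after restore: {name}")
        elif restored[name] != digest:
            problems.append(f"corrupt after restore: {name}")
    return (not problems, problems)


def demo():
    """Run the test against constructed sample data; return the outcomes."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "sub").mkdir(parents=True)
        (src / "payroll.csv").write_text("constructed sample row\n")
        (src / "sub" / "students.txt").write_text("constructed sample 2\n")
        archive = Path(work) / "backup.tar.gz"
        expected = create_backup(src, archive)

        fresh_ok, fresh_problems = restore_test(archive, expected)

        # Same archive judged two days later: stale against the 24h objective.
        later = os.path.getmtime(archive) + 2 * 24 * 3600
        stale_ok, stale_problems = restore_test(archive, expected, now=later)

        # A file written after the backup ran is not in the archive.
        (src / "new_since_backup.txt").write_text("constructed late data\n")
        missing_ok, missing_problems = restore_test(archive, snapshot_hashes(src))

    return {"fresh_ok": fresh_ok, "fresh_problems": fresh_problems,
            "stale_ok": stale_ok, "stale_problems": stale_problems,
            "missing_ok": missing_ok, "missing_problems": missing_problems}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it on a schedule against real archives rather than once by hand: the restore into a scratch directory is the part most organizations skip, and it is the only step that proves the backup is usable before you need it.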
To mitigate such risks, we’ve developed a simple and effective method to securely back up your data with the ability to test and restore in near real time. Want to learn more?
Call us today at (416) 920-3000 or email firstname.lastname@example.org and protect your valuable data.