Fri, July 26

Beware of Rising Ransomware


Akira, BlackCat, Medusa and Phobos may seem like fitting names for your new cat, yet they instead represent some of the most common and vicious ransomware variants that businesses in Calgary and beyond are currently facing.

Fueled by increasingly sophisticated attack techniques, lower barriers to entry and a proliferation of available targets, the evolving landscape of ransomware has many cyber experts sounding the alarm and urging business owners to take robust measures to stay safe. 

“The problem is still here, and it is serious,” says Rajiv Gupta, associate head of the Canadian Centre for Cyber Security. 

Ransomware is a type of malware where the attacker gains access to an organization’s critical information or vital systems, encrypting them until a ransom is paid – usually in the form of cryptocurrency.

Anti-virus experts at Norton note that some of the most common tactics cybercriminals currently use in their ransomware attacks include email phishing, malware attacks and manipulating remote desktop protocols.

“The most effective way bad actors are targeting companies with ransomware is still through email. Hackers are playing a game of cat and mouse with Microsoft and other email providers to bypass spam filters,” says Scott Gallupe, president of 403Tech, a Calgary-based IT support and services company that caters to small and medium-sized businesses.

Gallupe says these fraudulent emails will typically consist of links to fake log-in pages or “very encouraging” time-sensitive alerts encouraging you to click. 

“Last year, we saw a dramatic increase in extortion type ransomware where hackers would threaten to release sensitive information or photos if a ransom wasn’t paid,” he says. 

Gupta, meanwhile, is seeing a rise in what he calls ransomware as a service, where cybercriminals build the ransomware attack vectors and tactics and then license them to affiliates.

“So, the threshold to entry has dropped,” says Gupta. “Anyone can now get access to the technologies and the service from the dark web and conduct their criminal operations. We’re seeing more of this criminal behaviour across Canada.” 

The scope of ransomware is staggering. Gupta estimates the average cost of a ransom payment to a cybercriminal is approximately $250,000. Yet the real recovery costs for a data breach can be upward of $6.35 million when factoring in downtime, recovery of information and infrastructure rebuilding. 

“And that’s not even quantifying the reputational damage to an organization that’s been victim to a ransomware attack,” says Gupta, noting a public admission of a privacy breach, for example, can result in distrust from customers, investors and other stakeholders that leads to adverse effects on the business. 

While official numbers have not been released for 2023 yet, Gupta expects the number of ransomware incidents in Canada will easily surpass that of previous years; in 2022, there were more than 200 “known” incidents.

“And that is highly underreported,” he says, noting many businesses don’t report ransomware attacks because they are embarrassed and/or don’t feel there’s any benefit in reporting after the event.  

According to the Calgary Police Service, the number of reported cybercrime incidents locally is up 70 per cent since 2017. Globally, meanwhile, 2023 was a record-breaking year for ransomware. Corvus Insurance, a leading U.S.-based cyber underwriter, reports 3,311 attacks as of the third quarter, compared with 2,670 in all of 2022. Some of the industries most at risk included law firms, government agencies, manufacturing, medical practices and oil and gas.

It’s not just larger businesses that are being attacked, either. Herbert Fensury, Calgary-based CEO and founder of Enfocom Cyber, notes he’s seeing many attacks focused on small and medium-sized businesses that often have fewer lines of defence than larger corporations. 

“It’s not only large organizations, but small, mid-size, too – even down to the individual level,” he says. “The impact of (ransomware) is pretty much across the board.” 

Fensury’s organization recently teamed up with the University of Calgary and U.S. defence contractor Raytheon to open a new Cyber Assessment, Training and Experimentation (CATE) Centre. Part of the centre’s aim is to help businesses of all sizes troubleshoot cyber threats and defences within a fully functional digital environment called a cyber range. 

“Think of it as a simulated environment, but with true computing power … that we can use to mimic an actual cyber attack,” says Fensury. “It provides opportunities for companies to try to find gaps, and then learn how to mitigate that risk.” 

If there’s good news, it’s that new data suggests fewer ransomware victims are willing to pay up when faced with a ransomware attack. 

A report issued this year from ransomware negotiation firm Coveware found that the proportion of ransomware victims that opted to pay ransoms to get their stolen data back and unlock their systems during a cyberattack in the fourth quarter of 2023 dropped to a record low margin of 29 per cent. This compares with 85 per cent who were paying in the first quarter of 2019. 

The report credits the drop in ransomware payments to companies increasingly being able to recover their data from incidents partially or fully without the use of decryption tools, as well as “data driven reluctance to pay for intangible promises from cybercriminals.”  

Coveware points out the common practice among cybercriminals of reneging on their promise not to publish or misuse stolen data, as well as on the promise to exempt the company from future attacks or harassment.

“The industry continues to get smarter on what can and cannot be reasonably obtained with a ransom payment. This has led to better guidance to victims and fewer payments for intangible assurances,” say the Coveware report’s authors.

Fensury has similarly seen examples of this “double extortion” in which, after paying the initial ransom, cybercriminals only return portions of the stolen data and keep the rest for additional payments. 

“They might give you a (decryption) key, but might still keep some of the data for the future so they can do it again,” says Fensury, noting some might go a step further and demand even more money by threatening to publicly report the breach and creating added reputational damage.

“Don’t forget, you’re dealing with criminals here.”

When it comes to mitigating a potential ransomware attack, Gallupe urges companies to establish strong IT employee training programs. 403Tech operates a security awareness training program that Gallupe says is effective at training new staff and encouraging the business as a whole to be more involved in protecting critical business information. 

“The biggest threat I see small businesses make is not investing in an education program … It allows staff to be better prepared to spot phishing emails and report them. Having a network firewall is simply not enough,” says Gallupe, who also recommends that businesses take additional precautions such as additional spam filtering, a secure network firewall with locked down ports and 2-Factor Authentication (2FA).

Fensury adds that it helps to “think like the bad guys” when looking to mitigate ransomware attacks. That includes proactive cybersecurity such as penetration testing and identifying vulnerabilities before they’re exploited.  

He also encourages businesses to have a response plan in the event of an attack. 

“Devise a plan and then go through the exercise in advance … just like that fire drill,” says Fensury.  “In the event of a fire, firefighters don’t all grab the same hose. Instead, everyone knows what their roles are. It’s the same in the case of a ransomware attack. Everybody should know what to do.” 
