'Definite uptick': Global wave of ransomware attacks hitting Canadian organizations

When a Toronto dentist learned last week that his office's computer network had been attacked withransomware,it felt like a "violation."

"It was terrible," he said. "My wife was even nervous about sleeping at home."

Staff were locked out of digital files for at least a day and had to take notes on paper. The dentist said files on 19 out of the clinic's 22 computers became encrypted.

CBC News has agreed not to identify the dentist to avoid making his clinic a potential target again.

A message left on the infected machines read "Ryuk," identifying the ransomware as the same strain that recently hit three Ontario hospitals andhealth-care facilities in Alabama and Australia.

"We were really lucky," the Toronto dentist said."At least we had a good backup."

Last Tuesday, patients started receiving so-called phishing emails messages meant to trick users into giving hackers access to the recipient's computer or data.

Ransomware typically encrypts files, with attackers demanding a digital currency payment from victims in orderto release thedata.

Ryuk, a form of ransomware first reported in 2018, allows hackers to view a computer's files and gather information for several weeks, unbeknownstto its victims.

'Definite uptick'

The Toronto dental clinic is just the latest target in a series of ransomware attacks hitting Canadiannetworks, particularly in the health-care field. A string of the Ontario municipalities including Woodstock, Stratford and The Nation have previously fallen victim to ransomware.

Until recently, Canadians seemed "to have escaped" a wave of global ransomware attacks, said B.C.-based cybersecurity expert Brett Callow, with the global software firm Emsisoft.

"Although that seems to have been changing in recent weeks," he said."There has been a definite uptick."

A recent surveyof Canadian organizations found the vast majority (88 per cent)experienced a data breach over the last 12 months. The research by the U.S.-based cybersecurity firm Carbon Blackalso found 82 per cent of Canadian companies surveyed reported an "increase in overall attack volume."

Both figures represent a slight increase over Carbon Black's previous Canadian threat report, released in March.

Ransomware, however, only accounted for 14 per cent of data breaches in the recentsurvey.

"The criminal syndicates of the world are laser-focused on targeting hospitals and municipalities' emergency management systems," because of their importance in critical situations, said Tom Kellermann, Carbon Black's head cybersecurity strategist.

"[Criminals]recognize that ransomware is far more impactful in these types of organizations due to their mission."

The FBI also issued a warningrecently, alerting U.S. organizations to the threat of "high-impact" ransomware. The agency said while the incidence of broad ransomware campaigns has declined since 2018, "losses from ransomware attacks have increased significantly."

Hacker speaks

Thehacker who targeted the Toronto dental clinic told CBCNews he was not involved in the recent cyberattacks on the Ontario hospitals. CBC News briefly exchanged messages with him using the email address provided to the clinic.

The hackerinitially told CBC that the cost to decrypt the dental office's files would be ninebitcoins (nearly $100,000), but later increased the price to 15 bitcoins ($165,000).

"To confirm our honest intentions," he wrote, "we will unlock two files for free."

The hackerwhose email address identified him as "Samuels Marques" declined to say where he was located, or how much money he had made from Ryuk attacks.

Cybersecurity researchers believethe malicious softwarewas likely developed in Russia.

The widespread nature of Ryukattacks may stem from the code's availability on the dark web, a shadowy part of the internet not found on search engines that is difficult for everyday users to access.

The malware's creators are leasingit online for about $200 US, plus a monthly "maintenance fee," which ensures the code is updated with the latest data to circumvent security technology, said Kellermann.

He said the malware's creators provide it to other hackersso Ryuk can keep gathering information on computer system vulnerabilities,or "backdoors," around the world.

"They're outsourcing their colonization of infrastructure to other criminals," he said.

It's unclear why Canadian firms are increasingly being targeted, Callow said, but he has a theory.

"It could simply be that the bad actors are broadening their horizons," he said. "They've had a lot of success in the U.S. and now they're trying their luck in other areas."

Free fix?

The RCMP discourages victims from paying ransom.

In many cases,organizations with small information technology departmentsmay hire outsidefirms for help regaining access to files. An online service,likely little-known to Canadians,can also sometimes do the trick for free.

The No More Ransom Projectan initiative involving the European Union's law enforcement agency,Europol offers tools on its website to unlock files encrypted with malware. The service is available to users around the world, including in Canada.

New Zealand-based Emsisoft acts as a project partner, lending decryption tools to the initiative.

Callowsaid Emsisoftis mainly an anti-virus company, but it provides ransomware-fighting tools as a "public service."

He stressesthough thatRyuk often causes damage to files it encrypts, making them irrecoverable."So data loss is very common in these cases, even if the ransom is paid."

But for"the threeto five per cent [of cases] in which we can help," Callow said, "our services are provided at no cost whatsoever."

The Toronto dentist said his clinic didn't pay to regain its files, and despite the messages exchanged with CBC News, no specific amount was demanded. But he said if the price were right, he wouldn't hesitate to pay.

"If someone said to me, 'Pay $20,000 and you get your files back,' I'd give them the money," he said. "Because I need my files."

The clinic is now taking steps, such as reinforcing firewallsand issuing new computer usage guidelinesfor staff, he said.

His message for others?Ransomware isa "real issue and it's bound to get worse."