OTTAWA — The Manitoba government temporarily took down some of its websites this month as it worked with Ottawa to boost protection against ransomware attacks — a threat cyber experts say is on the rise.
“Canada is among the top countries impacted by ransomware,” said Sami Khoury, head of the government-run Canadian Centre for Cyber Security.
“The bar keeps going up in terms of sophistication, and we need protect ourselves accordingly.”
Khoury’s centre works with Canada’s spy agency to monitor cyber threats as it helps all levels of government and critical industries protect themselves. That work has ramped up during the COVID-19 pandemic, as hackers have honed in on system vulnerabilities in the shift to at-home work.
The consequences of a large hack can be devastating, such as the attack on Newfoundland and Labrador’s online health care operations in October. Multiple systems were taken offline, forcing doctors and nurses to use a paper system for the first time in decades and postponing surgeries that were already backlogged because of the pandemic.
The attack, which has put virtually every resident in the province at higher risk of identity fraud, has been widely reported to involve ransomware. That’s when hackers take over a digital system and steal the data. They demand a payout to either unlock the system or for a promise not to publish the information.
Federal data show the average ransomware payment by public and private bodies soared to $300,000 in fall 2020 from $25,000 in early 2019 — likely related to the shift to working at home. It levelled off to about $175,000 this fall.
“We’re definitely not concerned enough,” said Manitoba cyber-security expert Eddie Phillips.
“Not enough companies are paying attention; not enough companies are investing in (preventing) it,” said Phillips, who co-founded Rosenort-based Shield Networks Inc.
He said ransomware schemes often start through phishing, which is when someone gets an email that impersonates a trusted source.
That message can direct someone to log into a site that appears to be from their company or a government agency, but instead gets a hold of their username and password. It can also include an attachment that appears to be a resume or invoice, but instead contains a virus.
In either case, hackers try to steal as much data as possible and then encrypt it, locking out the original owner. Hackers then threaten to sell the data unless the victim pays an expensive sum, often using cryptocurrency to obscure the recipient.
As for the public sector, Phillips said stolen databases from health and foster-care authorities could easily be sold online as they would reveal home addresses, family make up and medical history.
A month ago, Khoury’s federal group issued guidance to prevent ransomware attacks and outline who to deal with them. That came after a series of recent attacks, such as on rural municipal governments and transit systems near Ottawa.
“(As) the frequency (of) these events goes up worldwide, we know the number of incidents is under-reported,” said Khoury.
Phillips said companies and government departments must have a recovery-time objective, which is a set amount of time that a firm can experience a system outage before it starts to damage operations. Tabulating that timeline can be the first step to identifying gaps that can draw down that stretch of time, such as firewalls, workstation software and reporting protocols.
He said large firms need a disaster-recovery plan that includes back-up databases to be used when officials get locked out of their own systems.
Shared Health and the Manitoba government both said they have back-ups in place, as well as recover targets that vary by division within departments.
Both bodies said they’ve ramped up cybersecurity since the pandemic resulted in thousands of public servants working online, including software that helped expand the secured network to hundreds more internet connections.
Earlier this month, the Canadian Centre for Cyber Security advised governments on how to shore up its defences for what has been called the Log4j bug, which forced Quebec to temporarily take down roughly 4,000 of its websites. Manitoba took down a few dozen sites, including the court registry and the COVID-19 restrictions tip line.
The Manitoba government says it regularly conducts simulations of a major hack to assess its response, while both the province and Shared Health say staff have mandatory training on how to avoid viruses, ransomware and phishing.
Phillips said that training is crucial. Often, it’s low-ranking staff who accidentally provide the point of entry for hackers, who can leverage their access to any internal email address or phone number to target higher-profile staff.
“The misconception is that someone at maintenance or a clerk is not as much a target as the manager or minister,” he said.
Gaining any type of a foothold in any type of an organization could be devastating.”
Phillips said people should be wary of messages that demand immediate replies, such as one’s boss saying they might lose a client who was unpaid, and needs a cash transfer immediately.
“The idea is to engage that emotional part of someone’s brain so they help out with that stressful situation, and the best way to do that is to do whatever they’re being asked to do,” Phillips said.
“Things that just seem even slightly out of context or out of character, when it comes to email — it’s being not afraid to pick up the phone and just call and confirm.”
Parliamentary bureau chief
In Ottawa, Dylan enjoys snooping through freedom-of-information requests and asking politicians: “What about Manitoba?”
Read full biography