Date: November 22, 2021
Source: Computer Crime Research Center
By: Braden Dupuis
Ransomware rising
Whistler is still dealing with the effects of a cyber attack last spring – but it's not alone
The page shows various text-based posts with accompanying dates, and in some cases links to click on, each containing files leaked from different attacks by the criminals in question.
In some cases, the attackers include a link to a chat box that can be used to communicate with them directly.
They never take long to reply, but they're not very forthcoming with their answers.
An ominous message posted to the RMOW website after the attack claimed that 800 gigabytes of information was obtained in the April 28 attack on the RMOW.
On May 15, about 82 GB of Whistler data was posted to the group's site – internal server files allegedly containing the sensitive information of more than three dozen municipal employees, all of it in a folder the criminals labelled "trash."
The folder name is noteworthy.
"Publish all trash which we does not need," the criminals say in one chat session, in stunted English.
"All other data was sold."
Pressed on what exactly they obtained from Whistler, and what was sold, they reply simply: "We do not discuss auction details sorry."
Experts say there's no way to say for sure if they're telling the truth about selling Whistlerites' data at auction (they are criminals, after all).
"These are criminal organizations. They don't always tell the truth," says Brett Callow, threat analyst with Emsisoft, a cyber security company with a particular expertise in ransomware.
"There are cases where they will claim to have more data than they actually do. There are also, however, cases where they have exactly what they claim to have, so there really is no way of knowing."
The link to the dark web site wasn't live on the RMOW's municipal website for long on the morning of April 28, but it was up long enough to be screenshotted and posted to two popular Facebook groups – posts that can still be found today, link and all.
But by their own admission, the hackers – believed to be a group known as HelloKitty – didn't get much uptake on their site specific to Whistler's data.
"ah 3-5 in day... this blog is not so popular..." they admit in one back and forth.
It's likely that most Whistlerites don't know how to access the site on the dark web, I say.
"Do they need it? They just live," the hacker says, getting oddly philosophical, before adding: "live with stupid government :-D."
In the view of the criminals, the RMOW is "stupid" for not engaging with them, and paying their ransom demand (the amount of which they declined to disclose in chat) – but experts say that is absolutely the right move in these situations.
"[Paying the ransom] doesn't guarantee they will get their data back, it doesn't guarantee that the criminals will not misuse whatever data was stolen, and of course it simply incentivizes the cyber crime," Callow says.
In a release on July 8, the RMOW confirmed it had not engaged with, or sent any payment to, the hackers.
In the days and weeks following the appearance of the RMOW's data online, other victims follow: an investment firm, a network provider, a skincare company.
The organizations appearing on the group's news page don't show the complete extent of their crimes, they say – just those who refuse to talk to them.
According to a recent survey of 510 cyber security decision-makers by the Canadian Internet Registration Authority, almost one in five organizations were victims of a successful ransomware attack in the past 12 months. Of that group, 69 per cent said they paid the ransom demands.
In June, the leak site went offline for good – while the RMOW was left to deal with the fallout.
A TORPEDO TO THE HULL
The attack on Whistler did major damage.
Municipal services were taken offline immediately, and stayed down for weeks.
The municipality – already dealing with the stress and strain of the COVID-19 pandemic for months – was left reeling.
"We managed to keep the boat afloat [through COVID], and then we took another torpedo right into the hull," said Councillor John Grills, in describing the attack.
Email and phone services were out of commission, leaving staff and council to communicate solely by text.
Staff at municipal hall were forced to revert to old paper processes, and an already overworked planning department was further buried as the broader Whistler community – and all of its expectations for service – carried on around it.
"When I think about the cyber attack and the pandemic, I would say the cyber attack was worse than the pandemic," says Coun. Ralph Forsyth, who sits on the RMOW's Technology Advisory Committee (TAC).
"Because the pandemic, it was like, OK, well everyone is experiencing this ... whereas the cyber attack was like, man, it's just us – what are we doing? How do we get out of this?"
The answer was a complete rebuild of the municipal network "from scratch or near-scratch to ensure resiliency against known future cyber threats going forward," the municipality said in a June 14 release.
The total cost – both direct and indirect, as well as how much will be covered by insurance, and how much will fall to taxpayers – is still not known as of this writing.
On Nov. 12, the RMOW said total costs are still being calculated, but "so far, the bulk of costs ... have been covered by the RMOW's insurance."
A Dec. 22 presentation to the TAC "will entail an overview of the key findings by the cybersecurity experts as well as best practices and learnings to share with the member representatives going forward," a spokesperson said.
In the June 14 release, the RMOW said, "experts leading the investigation believe that access to the RMOW's network was the result of a zero-day vulnerability."
Pique reported on the zero-day vulnerability (a flaw either previously unknown to the developer, or known but with no patch yet developed for it) found in SonicWall VPN, a service used by the RMOW, on May 13.
Cyber security experts from a firm called FireEye documented the vulnerability in a blog post on April 29, noting that a patch was released to fix the problem in February.
On Nov. 12, the RMOW confirmed it installed the patch in mid February.
According to Richard Rogerson, founder and managing partner of Ontario-based cybersecurity firm Packetlabs, VPNs, or virtual private networks, have left many organizations ripe for the picking in the early days of the COVID era.
"What we've seen is, in the rush to work from home, we've left a lot of our VPNs open," he says.
"A lot of organizations, in the rush to stay open and to enable the remote workforce, they're leaving the door open to attackers."
As of Nov. 12, 69 of 82 services disrupted by the attack were fully recovered, the RMOW said.
"The remaining nine services, however, primarily consist of software for which there is no current support or security updates being provided," a spokesperson said.
"These services will need to be replaced with current software equivalents with accompanying security updates and support in order to be reestablished."
The RMOW expects to move from "recovery" mode back to "regular operational" mode by the end of November.
A GROWING EPIDEMIC
But Whistler is not alone – ransomware attacks have proliferated in recent years, with more municipalities, businesses, educational institutions and even hospitals falling victim every day.
According to a study by Emsisoft, ransomware caused hundreds of billions of dollars in economic damage in 2020 alone, while the average ransom demand grew by more than 80 per cent.
So far in 2021, "unfortunately, the ransomware problem isn't going away and attacks are happening at much the same rate as ever," Callow says on Nov. 1. "In the last couple of days, the Toronto Transit Commission has been hit and the [Newfoundland and Labrador] health system is experiencing a cyber attack which sounds very much like ransomware."
One cybersecurity expert told CBC News that the attack on the Newfoundland and Labrador health system may be the worst in Canadian history, and has implications for national security.
The list of victims is long and growing.
A ransomware attack on the City of Saint John, N.B. in late 2020 – in which the attackers reportedly asked for between $17 and $20 million worth of Bitcoin – cost the city $2.9 million.
Insurance covered most of the costs, but taxpayers were on the hook for $400,000.
The Regional District of Okanagan-Similkameen was similarly targeted in the summer of 2020, though the district says the attempted breach caused a system crash, booting the attacker before sensitive data could be taken hostage.
(Pique requested interviews with both governments; both declined comment.)
According to Rogerson, whose company provides "ethical hacking" services like penetration testing to ensure robust security measures are in place, the rise in ransomware can be traced back, in part, to...