Cybercrime is a continuously evolving threat that poses unique challenges to institutions worldwide. Malicious actors use malware to target computers, networks, and networked devices for disruption and profit-driven attacks. These cybercriminals organize, recruit, and plan attacks online through forums and marketplaces on the dark web, an unindexed segment of the Internet that facilitates illicit activity and is accessible only through specific network proxies or software. There, breached organizational data, including sensitive personal information, is listed for sale and purchased, and cybercrime services for hire can be found. The Canadian Centre for Cyber Security has declared organized cybercrime a “very likely threat to Canada’s national security and economic prosperity” over the next couple of years.1 Compounding the threat, cybercriminals are difficult to catch, as many may be state-sponsored actors operating with immunity and/or for the purposes of espionage and political disruption.2
Especially worrisome is ransomware, a type of malware attack designed to encrypt files on a device or network, keeping them “hostage” and unusable until a ransom (typically via cryptocurrency) is paid to the attackers in exchange for decryption (unlocking). Payment of the ransom does not guarantee decryption or deletion of breached data.
Ransomware is typically delivered through impersonation tactics, such as deceptive emails carrying malicious links or attachments (also known as “phishing”). Once inside a network, it can spread through it and install further malware before the encryption action is activated. As an added extortion method, prior to encryption, the malicious actors will collect the data and further threaten to release it onto the dark web if the ransom is not paid. This tactic ensures that a significant threat still exists even if the organization has backup servers and data. For this reason, ransomware must be handled proactively and preventatively, so that sensitive data never gets into the hands of malicious actors.
Most ransomware originates as ransomware-as-a-service (RaaS), a business model in which ransomware developers assist those interested in running their own operation and attacking their preferred targets, without needing to develop their own ransomware software. LockBit, the most prolific ransomware, is a RaaS operation: other criminals can pay to become LockBit affiliates, launch their own attacks, and share a percentage of their earnings with the LockBit developers.
An attack on an organization can lead to significant harms including:
- Loss associated with business disruption;
- Loss of data (temporary and permanent);
- Costs associated with restoring data and systems;
- Loss associated with reputational harm; and
- Costs and liabilities associated with handling the breach and reporting obligations.
Examples of recent ransomware events
Examples of the damage and disruption ransomware attacks can cause are not hard to find. Recent events include:
- In May 2021, a United States pipeline was targeted, leading to the shutdown of the largest fuel pipeline in the country and causing fuel shortages and associated price increases.3
- In October 2021, cybercriminals compromised the Newfoundland and Labrador healthcare system’s networks. Internal communications and diagnostic information became inaccessible, thousands of medical procedures were delayed, and patients’ sensitive medical information was breached.4
- In December 2022, The Hospital for Sick Children in Toronto became the target of a LockBit attack, delaying lab results and affecting communications.5
Considerations for public-sector entities
There may be additional considerations for public-sector entities, as they may be subject to different privacy requirements and laws, so their obligations under those statutes may differ from those of private businesses. For example, notification and remediation procedures may be statutorily different. Public-sector entities have a duty to the public and are not running a private enterprise for profit, so they may be willing to tolerate more downtime, at greater operational cost, to safeguard the public’s personal information rather than pay a ransom or negotiate with attackers. Certain public-sector entities may have policies that prevent them from paying ransoms altogether; in some parts of the world it may in fact be illegal to pay a ransom, and public-sector entities are much less likely to risk the legal consequences.
Best practices require a proactive approach
Traditionally, organizations have relied on regular backups of their data and systems to avoid the risk of a ransomware attack rendering their systems inoperable. While backups remain an important step, the risks associated with a ransomware attack cannot be mitigated solely by keeping up-to-date backups. Because ransomware groups increasingly use the extortion tactic of threatening to release the data if the ransom is not paid, it is important to prevent any initial proliferation of ransomware. Organizations must make ongoing, organization-wide efforts to educate, train, and develop response plans for every cybercrime threat. Operating systems and accompanying security software must also be updated frequently. As ransomware technologies are constantly changing, it is also important to stay current with cybercrime developments and to evaluate IT structures and policies as necessary.
Learn more about ransomware attacks in the public sector, and other evolving privacy-law issues, at the OBA’s Privacy Law Summit on October 10, where James Kosa will be speaking alongside other experts in the field.
About the authors
James Kosa is a partner at WeirFoulds LLP with a practice focused on information technology and intellectual property law. James offers his clients a wealth of knowledge and experience from across the spectrum of technology issues, including the protection and exploitation of computer and software technology, IT and IP licensing, privacy, security breaches and dispute resolution.
Natalie Bravo is a graduate of Osgoode Hall Law School (Class of 2023) in Toronto and holds a Trilingual Bachelor of Arts (Hons) from Glendon College, York University. She is a published LexisNexis author on Blockchain and Cryptocurrency law. Natalie is currently articling with WeirFoulds LLP and is interested in IP/IT and Privacy Law.
____________________
1. https://www.canada.ca/en/communications-security/news/2023/08/cyber-centre-releases-baseline-cyber-threat-assessment-on-cybercrime-with-support-from-rcmp.html
2. https://www.cyber.gc.ca/en/guidance/baseline-cyber-threat-assessment-cybercrime
3. https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years
4. https://www.gov.nl.ca/hcs/files/OVERVIEW-NL-Health-Cyber-Incident-March-2023.pdf
5. https://www.sickkids.ca/en/news/archive/2023/sickkids-lifts-code-grey-with-80-per-cent-of-priority-systems-restored/