The ransomware business is booming in Canada.
Recent victims have included large corporations such as retailer London Drugs, as well as the City of Hamilton, Ont., and the government of Newfoundland and Labrador.
But the criminals who sometimes brag of their attacks on the so-called dark web don’t seem fussy about their victims, based on a small sample of the targets listed by B.C.-based threat analyst Brett Callow. Among them is a B.C. library network, the province’s First Nations Health Authority and an Ontario charity for disabled children.
Cybersecurity experts say the spate of attacks has serious implications for victims and the public, and organizations need multi-layered protection in a landscape of fledgling online security standards.
Callow favours an outright ban on ransom payments, or at least regulations limiting them, to stem the tide of attacks.
Toronto-based lawyer Eric Charleston says it’s not so simple, and he’s seen cases where a ban would have meant “a punishment of the victims.”
“But at the end of the day, if you have different regulations on how people can divest from their crypto accounts … (they) can still come in and take the money.”
The potential implications of a data breach are far-reaching, said Charleston, the national co-leader for cybersecurity with Borden Ladner Gervais LLP.
They range from financial and reputational damage to possible legal liability amid “emerging” standards for cybersecurity in Canada, he said. Charleston said proposed new federal and Ontario laws could herald minimum levels of security for certain sectors.
Targeted companies can face class-action lawsuits over data breaches — last month, victims of a 2019 breach at LifeLabs Inc. started receiving payments of $7.86 each. That doesn’t sound like much, but the total settlement amounted to $9.8 million.
Callow, meanwhile, said the stakes could be life or death. He pointed to work by researchers at the University of Minnesota School of Public Health, who estimated that ransomware attacks that disrupted hospital operations killed at least 42 U.S. Medicare patients between 2016 and 2021.
GAME OF ‘WHACK-A-MOLE’
There have been some wins for law enforcement, Charleston said.
In February, the National Crime Agency of the United Kingdom led a consortium of police agencies in disrupting the operations of LockBit, calling it “the world’s most harmful cybercrime group.” A subsequent statement last month identified a man from Russia as the “administrator and developer” of LockBit, which provides a global network of hackers with the tools they need to carry out attacks.
Callow, who works for New Zealand-based antivirus software company Emsisoft, said enforcement such as the operation against LockBit undermined confidence among cybercriminals.
But LockBit was soon up and running on a new site, he said.
Callow said LockBit had made the ransom demand over the London Drugs hack that was detected in late April and forced the B.C.-based retailer to shut all its stores across Western Canada for about a week.
The company later confirmed that data that “may contain some employee information” was released, saying it was “unwilling and unable” to pay a ransom to hackers it described as “a sophisticated group of global cybercriminals.”
