Is Canada ready to fight ransomware?

From hospitals to medical testing facilities to local police services, ransomware attacks have proven their potential to disrupt the lives of Canadians.

This piece originally appeared in the Hill Times Cybersecurity Policy Briefing on October 27th, 2021.

Pretend for a second you’re hurt and panicked, laying in the back of an ambulance, and the paramedic says you’re being redirected from the nearest hospital to one much further away. This was the reality for Toronto residents seeking emergency treatment after Humber River Hospital was struck with a ransomware attack in June. 

From hospitals to medical testing facilities to local police services, ransomware attacks have proven their potential to disrupt the lives of Canadians. And a new report from my organization, the Canadian Internet Registration Authority (CIRA), suggests that a substantial number of Canadian organizations simply pay the demands when struck with ransomware. 

Data from our latest survey shows that, over the past year, roughly one in five (17 per cent) small, medium, or public sector organizations experienced a ransomware attack. Of those, seven in 10 (69 per cent) paid the ransom. This suggests that most organizations simply fork over the bitcoin when the ransom note flashes up on their screen. 

Of course, it’s entirely possible that the real numbers are higher. Our survey found that one in five Canadian organizations cite reputation damage as one of the worst impacts of cyber attacks (up from six per cent back in 2018). Given the stigma and negative headlines that can result, it’s easy to imagine why organizations would quietly pay the ransom in hopes that the issue goes away.  

Despite this growing threat to public safety, the federal government’s latest National Cyber Security Action Plan doesn’t mention ransomware at all, nor the threat it poses to the organizations and critical infrastructure we rely on. 

This is especially concerning given that soon-to-be-released threat intelligence from CIRA suggests that Canadians are facing an increased volume of cyber attacks.  

We analyzed threat data from CIRA Canadian Shield (a free service that blocks known cyber attacks including ransomware) and found that the total volume of blocks recorded between July and September 2021 were significantly higher than the volume recorded in the three previous quarters. In particular, the service recorded a significant spike in blocks associated with a known variety of ransomware called REvil (or Sodinokibi) in July. 

Every day that ransomware goes unaddressed, the more Canadians are put at risk. With the federal election behind us, we encourage the new government to update its action plan as soon as possible. 

South of the border, the recent ransomware attack on the Colonial Pipeline sparked a national conversation about what role the federal government should play in preventing cyber attacks. In response, the Biden administration issued an executive order to overhaul federal government cybersecurity efforts.  

Here in Canada, cybersecurity has not been a major priority. In the federal election, none of the parties offered concrete details on how they plan to deal with the growing threat that cyber attacks pose. Similarly, cybersecurity experts have criticized a lack of funding to strengthen Canada’s cyber defences in the last federal budget. Meanwhile, Canada is frequently identified as one of the top targets for ransomware attacks globally. 

Until we change the underlying economics of ransomware, or make the process riskier for hackers, we can’t expect to make much progress; right now, the cheapest, fastest solution for many organizations is to simply pay the ransom and move on. But what can the government do to make sure Canada is prepared for ransomware?  

Should we dedicate new funding to law enforcement so they can assist and decrypt ransomware victims?  

Should we support the development of free, open-source decryption tools that can unshackle organizations from the ransomware installed on their machines? 

Should we develop a new, independent advisory body dedicated to emergent cybersecurity issues?  

While there’s no silver bullet solution, there are dozens of good ideas out there. Combatting the threat of ransomware will require action from everyone—tech companies, internet service providers, government agencies and, of course, individual users. 

With the volume and threats of ransomware (and other cyber attacks) on the rise, it’s time we start a new, national dialogue. We encourage our new Minister of Public Safety and Emergency Preparedness to strike up a public consultation on the threat that ransomware poses to public safety and national security as soon as possible. Until we have a plan to tackle this head on, too many Canadian organizations are at risk of being taken hostage.  

This piece originally appeared in the Hill Times Cybersecurity Policy Briefing on October 27th, 2021.

Pretend for a second you’re hurt and panicked, laying in the back of an ambulance, and the paramedic says you’re being redirected from the nearest hospital to one much further away. This was the reality for Toronto residents seeking emergency treatment after Humber River Hospital was struck with a ransomware attack in June. 

From hospitals to medical testing facilities to local police services, ransomware attacks have proven their potential to disrupt the lives of Canadians. And a new report from my organization, the Canadian Internet Registration Authority (CIRA), suggests that a substantial number of Canadian organizations simply pay the demands when struck with ransomware. 

Data from our latest survey shows that, over the past year, roughly one in five (17 per cent) small, medium, or public sector organizations experienced a ransomware attack. Of those, seven in 10 (69 per cent) paid the ransom. This suggests that most organizations simply fork over the bitcoin when the ransom note flashes up on their screen. 

Of course, it’s entirely possible that the real numbers are higher. Our survey found that one in five Canadian organizations cite reputation damage as one of the worst impacts of cyber attacks (up from six per cent back in 2018). Given the stigma and negative headlines that can result, it’s easy to imagine why organizations would quietly pay the ransom in hopes that the issue goes away.  

Despite this growing threat to public safety, the federal government’s latest National Cyber Security Action Plan doesn’t mention ransomware at all, nor the threat it poses to the organizations and critical infrastructure we rely on. 

This is especially concerning given that soon-to-be-released threat intelligence from CIRA suggests that Canadians are facing an increased volume of cyber attacks.  

We analyzed threat data from CIRA Canadian Shield (a free service that blocks known cyber attacks including ransomware) and found that the total volume of blocks recorded between July and September 2021 were significantly higher than the volume recorded in the three previous quarters. In particular, the service recorded a significant spike in blocks associated with a known variety of ransomware called REvil (or Sodinokibi) in July. 

Every day that ransomware goes unaddressed, the more Canadians are put at risk. With the federal election behind us, we encourage the new government to update its action plan as soon as possible. 

South of the border, the recent ransomware attack on the Colonial Pipeline sparked a national conversation about what role the federal government should play in preventing cyber attacks. In response, the Biden administration issued an executive order to overhaul federal government cybersecurity efforts.  

Here in Canada, cybersecurity has not been a major priority. In the federal election, none of the parties offered concrete details on how they plan to deal with the growing threat that cyber attacks pose. Similarly, cybersecurity experts have criticized a lack of funding to strengthen Canada’s cyber defences in the last federal budget. Meanwhile, Canada is frequently identified as one of the top targets for ransomware attacks globally. 

Until we change the underlying economics of ransomware, or make the process riskier for hackers, we can’t expect to make much progress; right now, the cheapest, fastest solution for many organizations is to simply pay the ransom and move on. But what can the government do to make sure Canada is prepared for ransomware?  

Should we dedicate new funding to law enforcement so they can assist and decrypt ransomware victims?  

Should we support the development of free, open-source decryption tools that can unshackle organizations from the ransomware installed on their machines? 

Should we develop a new, independent advisory body dedicated to emergent cybersecurity issues?  

While there’s no silver bullet solution, there are dozens of good ideas out there. Combatting the threat of ransomware will require action from everyone—tech companies, internet service providers, government agencies and, of course, individual users. 

With the volume and threats of ransomware (and other cyber attacks) on the rise, it’s time we start a new, national dialogue. We encourage our new Minister of Public Safety and Emergency Preparedness to strike up a public consultation on the threat that ransomware poses to public safety and national security as soon as possible. Until we have a plan to tackle this head on, too many Canadian organizations are at risk of being taken hostage.