Every year CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber-threats. This year’s survey was conducted by The Strategic Counsel in July and August, and collected over 500 responses from IT professionals across the country.
On the morning of May 7, Colonial Pipeline saw a ransom note flash up on the screen in its control room. A little more than an hour later, a supervisor decided to shut down the entire pipeline. Before the end of the day, CEO Joseph Blount Jr. made the decision to pay the ransom – nearly $5 million USD in bitcoin.
Blount recounted the day’s events to a Senate committee on June 8, as reported by CNBC. Despite the stance of the FBI from paying extortion fees to hacker groups, Blount said he needed to pay the ransom to have every tool available to restart the pipeline. Ponying up to the DarkSide ransomware group for the decryptor tool was a small cost compared to the magnitude of the disruption caused by the outage, one that Colonial imposed upon itself to investigate how much damage the attack wrought.
Though paying a ransom is frowned upon by law enforcement agencies, Colonial Pipeline was in the clear legally. Only if DarkSide had been on the U.S. list of sanctioned organizations would it have been illegal. The payment prompted a reaction from the highest levels of the U.S. government, with the Transportation Security Administration announcing a new policy to require pipeline operators to report cyberattacks within 12 hours. U.S. President Joe Biden signed an Executive Order to create a Cyber Safety Review Board to investigate and debrief significant cyber attacks.
That sort of swift action at the federal level is lacking in Canada, despite being one of the top countries impacted by ransomware, in the assessment of the Canadian Centre for Cyber Security (CCCS). The full extent of the problem is made murky because most attacks go unreported. Yet when ransomware attacks are successful, most Canadian organizations make the same decision that Blount made on May 7 – they pay up.
Seventeen per cent of organizations admit having been the victim of a successful ransomware attack in the last 12 months, according to CIRA’s 2021 Cybersecurity Report. And among the victims, 69 per cent say they paid the ransom (based on the limited sample size).
Survey data suggests a substantial majority of Canadian organizations pay ransomware demands.
17% hit with ransomware
69% paid the ransom
Among those who experienced a ransomware attack, over two-thirds indicate that the organization paid ransom demands.
Paying the ransom is just one of the many pains experienced by ransomware victims. About one-third of them say they were damaged by recovery costs and fees, 30 per cent were affected by a loss of revenue, 30 per cent report a loss of customers, and 30 per cent say they had to provide customer support and communication because of the incident. About one quarter say they suffered reputational damage.
One-third cite tying up employees’ time. 19 per cent cite reputational damage, up from 6 per cent in 2018.
More Canadian organizations are reporting damage to their reputation because of cyberattacks in general. Almost one in five organizations cite it as an impact related to cyber attacks in the past 12 months—an increase from just six per cent back in 2018. Given the fear of negative headlines and damaged trust with customers and employees, it’s understandable why many organizations are choosing to quietly log on to a crypto exchange to pay off hackers when given the option.
Ransomware attacks have impacted hundreds of Canadian businesses and critical infrastructure providers over the last two years and the problem is only going to get worse in the months ahead, according to CCCS. And considering that the alternative to paying up is even worse, you can bet that ransomware outfits will continue to profit. So what’s the solution? One way or the other, government needs to take action to change the economics around ransomware.
On one side of the equation, government action could make it more difficult to operate a ransomware operation. Right now, ransomware groups are tolerated by certain countries that see a strategic advantage to allying with them. The CCCS points to examples of Russia and North Korea.
For Canada, which isn’t cozying up with any ransomware groups, it may have to look at the other side of the equation and give victims a reason to think twice about paying an extortion fee. Almost two-thirds of cybersecurity professionals support legislation that would prohibit ransom payments, according to CIRA’s survey. Only seven per cent say they oppose the idea, with 22 per cent saying they neither support nor oppose it.
Of course, if the government doesn’t know about a ransom payment, it can’t enforce a law against it. That’s why if governments are going to consider using the stick to deter victims from paying up, they’ll also have to dangle a carrot to motivate them to do the right thing.
That’s the approach recommended by a ransomware task force group (members include the RCMP’s National Cyber Crime Coordination Unit) assembled by the U.S.-based Institute for Security and Technology, reports IT World Canada. Among their recommendations are suggestions to create Cyber Response and Recovery Funds to support victims and require them to consider alternatives to forking over bitcoin. At a minimum, organizations should be reviewing the free decryption tools provided by No More Ransomware, a partnership between industry and international law enforcement.
If the government is going to succeed in deterring ransomware payments, it will also need to have the stomach for the resulting fallout — an angered group of hackers that aren’t getting their payday, and the potential of critical infrastructure at their mercy. Will the Government of Canada take the bold action needed to help curb the threat of ransomware?
In the next blog post, we’ll explore how ransomware payments are playing a role in making cybersecurity insurance more expensive.