Cybersecurity standards emerging in Canada as ransomware business grows

The ransomware business is booming in Canada.

Recent victims have included large corporations such as retailer London Drugs, as well as the city of Hamilton, Ont. and the government of Newfoundland and Labrador.

But the criminals who sometimes brag about their attacks on the so-called dark web don’t seem fussy about their targets, based on a small sample of targets listed by BC threat analyst Brett Callow. These included a BC library network, the province’s First Nations Health Authority and an Ontario charity for children with disabilities.

Cybersecurity experts say the wave of attacks has serious implications for victims and the public, and organizations need multiple layers of protection in a landscape of nascent online security standards.

Callow favors a total ban on ransom payments, or at least regulations that limit them, to stem the tide of attacks.

Toronto lawyer Eric Charleston says it’s not that simple and has seen cases where a ban would have meant “punishing the victims.”

But both agree that potential targets would need to step up security to prevent breaches from happening at all.

Charleston said many incidents go unreported, so it’s hard to accurately measure the apparent rise in ransomware cyberattacks, where hackers demand payment or release sensitive data.

However, the rise of cryptocurrency has given cybercriminals who often operate in foreign jurisdictions a way to monetize data theft, he said.

“The fact that all these transactions are recorded on the blockchain (means) the breadcrumbs are where this money goes,” he said.

“But at the end of the day, if you have different regulations on how people can withdraw from their crypto accounts … (they) can come in and take the money.”

The potential implications of a data breach are far-reaching, said Charleston, national cybersecurity co-leader with Borden Ladner Gervais LLP.

These range from financial and reputational damage to possible legal liability amid “emerging” cybersecurity standards in Canada, he said. Charleston said proposed new federal and Ontario laws could spell minimum security levels for certain sectors.

Targeted companies may face class-action lawsuits over data breach — last month, victims of a 2019 breach at LifeLabs Inc. they began receiving payments of $7.86 each. It doesn’t seem like much, but the total settlement came to $9.8 million.

Meanwhile, Callow said the stakes could be life or death. He pointed to work by researchers at the University of Minnesota School of Public Health who estimated that ransomware attacks that disrupted hospital operations killed at least 42 US Medicare patients between 2016 and 2021.

WHACK-A-MOLE GAME

There have been some wins for law enforcement, Charleston said.

In February, the UK’s National Crime Agency led a consortium of police agencies in disrupting LockBit’s operations, calling it “the world’s most damaging cybercrime group”. A subsequent statement last month identified a Russian man as the “administrator and developer” of LockBit, which provides a global network of hackers with the tools they need to carry out attacks.

Callow, who works for New Zealand anti-virus software company Emsisoft, said law enforcement such as the operation against LockBit had undermined the confidence of cybercriminals.

But LockBit was soon up and running on a new site, he said.

Callow said LockBit issued a ransom demand for the London Drugs hack that was detected in late April and forced the BC retailer to close all of its stores in western Canada for about a week.

The company later confirmed that data had been released that “may contain some employee information”, saying it was “unwilling and unable” to pay a ransom to the hackers it described as “a sophisticated group of global cybercriminals”.

Callow said the good news for individual employees is that nothing usually happens to their stolen data. “It’s just sitting there on the dark web,” he said.

He compared catching international cybercriminals hoping for a big payday from companies or institutions to a game of “whack a mole”.

“The faster you can hit them, the less damage they can do.”

But cyber criminals looking for ransoms are not the only threat.

BC officials said a “state or state-sponsored” actor was likely responsible for a series of attacks against the province detected in April. On Monday, Public Safety Minister Mike Farnworth said 22 government mailboxes containing sensitive personal information of 19 employees may have been accessed during the breach.

Canadian government officials, including Public Security Minister Dominic LeBlanc, issued a joint statement Monday aimed at raising awareness of the threat “presented by malicious cyber activity of foreign states and their affiliates.”

Certain foreign states were conducting “extensive and long-term campaigns” to compromise Canadian government and private sector computer systems, the statement said, singling out China, Russia, Iran and North Korea.

On Tuesday, Canada’s auditor general released the results of a cybersecurity audit, finding that the federal government does not have the capacity or tools to effectively combat increasingly sophisticated cyberattacks.

In this context, Ottawa is expected to launch a new national cyber security strategy this year, following the creation of the National Cybercrime Coordination Center in 2020.

A proposed cybersecurity bill is also making its way through the federal legislative process. If enacted, it would provide a framework for protecting online systems vital to national security or public safety, including empowering officials to require certain service providers to implement cybersecurity programs.

Charleston said that bill and another in Ontario showed the parameters for cybersecurity controls were being set in Canada.

Ontario’s proposed legislation was aimed at improving cyber security for public sector institutions governed by existing privacy and freedom of information laws.

The emerging standards will likely become a “road map” for liability and negligence arguments following cyber attacks, Charleston said.

“It’s less likely, I think, that the courts will go into what meets the standard of adequate data security and cybersecurity controls … until some of that guidance comes from the government,” he added.

Callow said cybersecurity should be subject to standards similar to how other sectors, such as aviation and automobile manufacturing, are regulated.

But he went further, calling for a total ban on ransom payments. Callow pointed to a recent media report suggesting UK officials should launch a public consultation on proposals to either ban such payments or require victims to report a breach to the government, then seek a license before making any payment.

“All these things would not only reduce payouts, but also help us better understand how many attacks there are, if things are going the right way or the wrong way, if the policies, the strategies are actually working,” he said.

Charleston took a different approach, saying he’s seen cybercriminals lock down access to a system belonging to a company that likely would never have been able to recover its data and resume operations if it had been barred from paying the ransom.

Callow acknowledged that he was among a “minority” in cybersecurity that advocated banning ransoms.

Both experts said some threats with potentially serious consequences could be prevented by basic security measures, although they emphasized the importance of multi-layered security and constant monitoring for anomalous activity.

Charleston said organizations are constantly updating their systems, giving hackers “fresh landscapes” to exploit.

“The way the bad guys get in is constantly changing, and the battleground is constantly changing for cybersecurity professionals to keep these organizations safe.”

This report by The Canadian Press was first published on June 5, 2024.

Brenna Owen, Canadian Press