When the town of St. Marys, Ont., fell victim to a cyberattack last year, lawyers advised the municipality to pay a ransom of $290,000 in cryptocurrency. The decision was made after an analysis by firms specializing in cybersecurity. Al Strathdee, mayor of the southwestern Ontario town of about 7,000 residents, said the potential risk to people’s data was too high not to pay up. “We could not be certain that there wouldn’t be information leaked that would be damaging someone’s reputation or something,” he told Spark host Nora Young. Organizations — from corporations to small businesses, libraries to hospitals and towns to large governments — are facing similar dilemmas as cybersecurity incidents rise. Late last month, five hospitals in southwestern Ontario and the Toronto Public Library (TPL) announced that they were subjected to a ransomware attack. Confidential patient and staff information was accessed, and electronic medical records and emails remain unavailable, the hospital network said. Meanwhile, many of TPL’s online services have been down for weeks, and the personal information of employees, including social insurance numbers, was stolen. Despite the potential interruptions, cybersecurity experts say ceding to attackers’ demands isn’t always the solution. “I think that the payment of the ransom, even if you say this is worth it … really creates a larger cycle where this continues to be a problem because other criminals are looking at it and saying, ‘Oh, this is profitable, I should get in on this,'” said Josephine Wolff, an associate professor of cybersecurity policy at the Fletcher School at Tufts University near Boston Ransomware as a service Ransomware and malware are becoming easier for bad actors to acquire, as cybercriminals no longer have to write code and figure out how to distribute it on their own. Providers are offering ransomware as a service — similar to paying a monthly subscription to use an app or service on your smartphone — which can be easily deployed by those seeking to extort potential targets. “So you’re sort of hiring them to distribute ransomware on your behalf, and then you take some money from the target,” Wolff said. The provider then takes a cut of that group’s money. “It’s a way of sort of making ransomware more accessible to a larger group of criminals.” In the case of St. Marys, Strathdee said it’s likely the malware, LockBit 3.0, was in the municipal IT system “for quite some time,” and perpetrators claimed to have stolen and encrypted data. The mayor said that at the time of the attack in July 2022, the town was in the process of strengthening its security by moving many of its services to cloud-based systems. Strathdee said the municipality had to navigate the attack with limited support. “You feel like you’re on the Titanic when you’re starting this,” he told Spark. ‘Cyber poverty line’ Cybersecurity expert Ali Dehghantanha said it’s no surprise that a town like St. Marys was targeted. Attackers are going after organizations whose investment in cybersecurity measures falls below what’s known as the “cyber poverty line,” he said. “Attackers are always looking for low-hanging fruit, and usually those organizations who are not having a mature cybersecurity program are the best targets,” Dehghantanha, an associate professor of computer science at Ontario’s University of Guelph, said on The Current. “Whether they are private companies or hospitals or schools, it doesn’t really matter for the attackers as long as they can get access and drop the ransomware and make the user to pay.” Sixty per cent of small and medium-sized businesses in Canada are below that poverty line, said Dehghantanha, who is also a Canada Research Chair in cybersecurity and threat intelligence. St. Marys hired consulting company Deloitte and a London, Ont., law firm to advise on how to address the attack. An investigation found the threat of stolen data to be credible, and the municipal government was encouraged to pay for a decryption key to regain access. The attack ultimately cost the town $1.3 million, including the $290,000 ransom payment, according to a report released by the municipality, and led to an overhaul of the local government’s IT systems. ‘The cavalry didn’t come’ Dehghantanha said the decision of whether to pay a ransom should be made with cybersecurity experts. Even if an organization pays up, he said, there’s no guarantee that criminals will provide access to what’s been stolen — as many have been known to disappear after receiving payment. Decryptors are often already available for the most common types of ransomware, he said, so organizations may still be able to unlock their data without assistance from the attackers. “Those people who are experts in this field can make the judgment call there whether that specific hacking team has a reputation to return back the data, looking at the nature of the ransomware [and] whether it’s something that can be even retrieved,” Dehghantanha said. Organizations facing a cyberattack can also consult No More Ransom, an online resource dedicated to resolving ransomware threats. “There’s not very widespread awareness of these tools, and there’s also a lot of shame and uncertainty around what to do when you’re the victim of these attacks,” said Wolff of Tufts University. The threat of cyberattacks isn’t going anywhere, experts say. Governments need to do more to support organizations facing threats, they argue, while artificial intelligence tools coming onto the market will provide more proactive monitoring. Strathdee of St. Marys said support from governments and law enforcement was limited, and collaboration is essential. He said governments should work together to better support smaller municipalities and organizations from cyberattacks. “It was like a smash and grab, and there was nobody there to jump in,” he said of his town’s ransomware experience. “The cavalry didn’t come, and the cavalry still isn’t there.” Interviews with Al Strathdee and Josephine Wolff produced by Magan Carty. Ali Dehghantanha interview produced by Meli Gumus and Niza Lyapa Nondo.
Paying ransom for data stolen in cyberattack bankrolls further crime, experts caution
