Spark

Paying ransom for data stolen in cyberattack bankrolls further crime, experts caution

Organizations are finding themselves on the receiving end of cyberattacks, including ransomware, where they're under pressure to pay hackers for access to their stolen data. Despite the potential interruptions, experts say ceding to attackers' demands isn't always the solution.

Ceding to demands can alert other hackers, with no guarantee access will be granted

Close up of hands on a laptop keyboard. Green text, suggestive of lines of code, appear on the computer screen.
Organizations big and small are finding themselves victims of cyberattacks, including ransomware, where they're under pressure to pay hackers for access to their stolen data. Despite the potential interruptions, experts say ceding to attackers' demands isn't always the solution. (Tero Vesalainen/Shutterstock)

When the town of St. Marys, Ont., fell victim to a cyberattack last year, lawyers advised the municipality to pay a ransom of $290,000 in cryptocurrency.

The decision was made after an analysis by firms specializing in cybersecurity. Al Strathdee, mayor of the southwestern Ontario town of about 7,000 residents, said the potential risk to people's data was too high not to pay up.

"We could not be certain that there wouldn't be information leaked that would be damaging someone's reputation or something," he told Spark host Nora Young.

Organizations — from corporations to small businesses, libraries to hospitals and towns to large governments — are facing similar dilemmas as cybersecurity incidents rise. Late last month, five hospitals in southwestern Ontario and the Toronto Public Library (TPL) announced that they were subjected to a ransomware attack.

Confidential patient and staff information was accessed, and electronic medical records and emails remain unavailable, the hospital network said. Meanwhile, many of TPL's online services have been down for weeks, and the personal information of employees, including social insurance numbers, was stolen.

Despite the potential interruptions, cybersecurity experts say ceding to attackers' demands isn't always the solution.

"I think that the payment of the ransom, even if you say this is worth it ... really creates a larger cycle where this continues to be a problem because other criminals are looking at it and saying, 'Oh, this is profitable, I should get in on this,'" said Josephine Wolff, an associate professor of cybersecurity policy at the Fletcher School at Tufts University near Boston

Ransomware as a service

Ransomware and malware are becoming easier for bad actors to acquire, as cybercriminals no longer have to write code and figure out how to distribute it on their own.

Providers are offering ransomware as a service — similar to paying a monthly subscription to use an app or service on your smartphone — which can be easily deployed by those seeking to extort potential targets.

"So you're sort of hiring them to distribute ransomware on your behalf, and then you take some money from the target," Wolff said. The provider then takes a cut of that group's money.

"It's a way of sort of making ransomware more accessible to a larger group of criminals."

WATCH | The rise of hacking group LockBit:

The ransomware gang that's a global threat | About That

1 year ago
Duration 10:49
Cybersecurity agencies from seven countries issued an advisory about LockBit, a group responsible for as much as a quarter of all ransomware attacks. Andrew Chang explores its rise to notoriety and how it became a public enemy.

In the case of St. Marys, Strathdee said it's likely the malware, LockBit 3.0, was in the municipal IT system "for quite some time," and perpetrators claimed to have stolen and encrypted data. The mayor said that at the time of the attack in July 2022, the town was in the process of strengthening its security by moving many of its services to cloud-based systems.

Strathdee said the municipality had to navigate the attack with limited support.

"You feel like you're on the Titanic when you're starting this," he told Spark.

A smiling man wearing a suit stands in front of three flags. One of the flags is the Ontario flag.
Al Strathdee is the mayor of St. Marys, in southwestern Ontario. In July 2022, the town was the victim of a cyberattack that ultimately cost $1.3 million, including a $290,000 ransom payment. (Town of St. Marys)

'Cyber poverty line'

Cybersecurity expert Ali Dehghantanha said it's no surprise that a town like St. Marys was targeted. Attackers are going after organizations whose investment in cybersecurity measures falls below what's known as the "cyber poverty line," he said.

"Attackers are always looking for low-hanging fruit, and usually those organizations who are not having a mature cybersecurity program are the best targets," Dehghantanha, an associate professor of computer science at Ontario's University of Guelph, said on The Current.

"Whether they are private companies or hospitals or schools, it doesn't really matter for the attackers as long as they can get access and drop the ransomware and make the user to pay."

A man with brown hair and a beard, and wearing glasses, stands near a colourful wall hanging.
Ali Dehghantanha, a cybersecurity expert and associate professor at the University of Guelph, says attackers target organizations whose investment in cybersecurity measures falls below what's known as the 'cyber poverty line.' (University of Guelph)

Sixty per cent of small and medium-sized businesses in Canada are below that poverty line, said Dehghantanha, who is also a Canada Research Chair in cybersecurity and threat intelligence.

St. Marys hired consulting company Deloitte and a London, Ont., law firm to advise on how to address the attack. An investigation found the threat of stolen data to be credible, and the municipal government was encouraged to pay for a decryption key to regain access.

The attack ultimately cost the town $1.3 million, including the $290,000 ransom payment, according to a report released by the municipality, and led to an overhaul of the local government's IT systems.

LISTEN | Ali Dehghantanha on the threat of ransomware:

'The cavalry didn't come'

Dehghantanha said the decision of whether to pay a ransom should be made with cybersecurity experts. Even if an organization pays up, he said, there's no guarantee that criminals will provide access to what's been stolen — as many have been known to disappear after receiving payment.

Decryptors are often already available for the most common types of ransomware, he said, so organizations may still be able to unlock their data without assistance from the attackers.

"Those people who are experts in this field can make the judgment call there whether that specific hacking team has a reputation to return back the data, looking at the nature of the ransomware [and] whether it's something that can be even retrieved," Dehghantanha said.

WATCH | What to do if your data has been stolen:

How to know if you've been hacked — and what you can do to protect yourself

1 year ago
Duration 1:26
Data breaches, hacks and ransomware attacks seem to be in the news more often. But cybersecurity experts say there are helpful steps you can take to protect yourself in the wake of a data breach, and to prepare for the next time it happens.

Organizations facing a cyberattack can also consult No More Ransom, an online resource dedicated to resolving ransomware threats.

"There's not very widespread awareness of these tools, and there's also a lot of shame and uncertainty around what to do when you're the victim of these attacks," said Wolff of Tufts University.

The threat of cyberattacks isn't going anywhere, experts say. Governments need to do more to support organizations facing threats, they argue, while artificial intelligence tools coming onto the market will provide more proactive monitoring.

Strathdee of St. Marys said support from governments and law enforcement was limited, and collaboration is essential. He said governments should work together to better support smaller municipalities and organizations from cyberattacks.

"It was like a smash and grab, and there was nobody there to jump in," he said of his town's ransomware experience.

"The cavalry didn't come, and the cavalry still isn't there."


Interviews with Al Strathdee and Josephine Wolff produced by Magan Carty and Sameer Chhabra. Ali Dehghantanha interview produced by Meli Gumus and Niza Lyapa Nondo.

ABOUT THE AUTHOR

Jason Vermes

Journalist

Jason Vermes is a writer and editor for CBC Radio Digital, originally from Nova Scotia and currently based in Toronto. He frequently covers topics related to the LGBTQ community and previously reported on disability and accessibility. He has also worked as an online writer and producer for CBC Radio Day 6 and Cross Country Checkup. You can reach him at jason.vermes@cbc.ca.