Cyberattacks like U of C ransomware case easy to launch, security expert warns
Dave Dormer | CBC News | Posted: June 8, 2016 6:45 PM | Last Updated: June 8, 2016
Instructions on how to do ransomware attacks are readily available online
It doesn't take a much skill to pull off a ransomware attack like the one that cost the University of Calgary $20,000, warns a cyber-security expert.
"They don't need a lot of skill these days. They can go into the dark web, they can buy the kits. They don't need a lot of expertise," said Kathy Macdonald, who spent 25 years as a police officer — 15 of those working in cyber security and safety.
She said there's step-by-step instructions on the web and people who will give lessons.
"Because they're using Bitcoin, a virtual currency that for the most part is practically impossible to track, they get away. They disappear into the ether."
Hackers managed to infect the U of C computer system with ransomware last week, effectively holding staff and faculty email access hostage until a $20,000 ransom was paid.
"When it happened, I was at the anti-phishing working group conference in Toronto and that's exactly what we were talking about was ransomware and spear phishing and phishing because it is big business. It's very prolific," said Macdonald.
"When I was in Toronto I ran into a couple of people, individuals, who had actually paid the ransom."
She said it affects individuals to small- and medium-sized companies to large institutions like hospitals, universities and government agencies.
Finding out who is behind the attacks isn't always possible.
"There are wide gaps in these kinds of investigations," said Macdonald.
"Police are always behind the eight-ball because they have to work trans-nationally, [cyber criminals] are all over the world and it's very difficult to track and trace these people."
Education the key
Having proactive computer policies in place is one defence against an attack.
"Really, prevention and being proactive is the best way to avoid this and reduce the risk," said Macdonald.
"User education is by far one of the best things you can do, talking to employees about phishing and spear phishing and just explaining what the behaviour entails."
Phishing and spear phishing is when hackers send emails to users, usually disguised as coming from someone they know, in an attempt to get the user to click a link that allows the hackers access to the system.
"Usually it appears to come from somebody within the company or a friend or it's very casual sounding language that tricks the person to clicking on the link because they think they're supposed to," said Macdonald.
"They've been asked to do something, they've been invited to do something and it's very malicious from that standpoint."
Trust your gut
The best way to avoid clicking a bad link is to be skeptical.
"Pause, stop, read," said Macdonald.
"Ask yourself, 'Is this normal behaviour? Would somebody be sending it at this time of day? Is this their typical sounding language?' And if it's not, pick up the phone and ask the question, 'Did you send me this?'"