Businesses have failed to upgrade security or put systems in place to prevent attacks
When Colonial Gas – the largest petroleum pipeline in the United States – was hacked in May, it disrupted a major supply of fuel to the East Coast for about a week. That ended when the company paid US$4.4 million in ransom to the cyber-criminals responsible for taking its fuel pipeline offline (though some of the ransom, paid in bitcoin, was ultimately recovered by U.S. authorities).
But while ransom demands for the control of data aren’t going away, businesses can be much better prepared to thwart those hacks, experts say.
The speed at which ransomware attacks have continued to grow is surprising, says Sunny Handa, a Montreal-based partner in Blake, Cassels & Graydon LLP’s Cybersecurity group and a co-author of the firm’s recently released Canadian Cybersecurity Trends Study 2021, as are the increasingly large ransoms demanded for stolen data over the past two to four years. The more sophisticated attacks can result in ransom demands of tens of millions of dollars, he says.
“Over the past year, it’s gotten crazy, and we’ll have to deploy a lot more resources” to meet client demand, he says. “The growth has been dramatic.”
Statistics show that the incidence of ransomware attacks has increased steadily since 2014, with a dramatic increase in North America since then, says Darren Reed, a litigation partner in Fasken Martineau DuMoulin LLP’s Calgary office who works on national security, as well as privacy and cybersecurity matters.
Yet although such attacks are a continuing trend, businesses have not prepared properly for them, failing to upgrade security or put systems in place to prevent attacks, Handa says.
Sodinokibi was one form of ransomware that launched several high-profile attacks in 2019 and 2020, using familiar techniques such as emails with spear-phishing links or attachments, Remote Desktop Protocol (RDP) access using valid accounts, and compromised websites. Its authors have been connected to those of GandCrab ransomware, which, before it was retired, was responsible for an estimated 40 per cent of all ransomware infections globally.
And cyber-criminal groups are much more organized and sophisticated than they were, says Handa. “You’re playing defence for your clients, and they’re playing defence.”
Much of this is organized crime, some tied to countries such as Russia and North Korea, says Reed, who was a presenter at Fasken’s recent webinar “Ransomware: To Pay or Not to Pay?”.
Most ransom demands are now being made using bitcoin or other cryptocurrencies, he says.
Who is being targeted
While some cyber-criminals go after “the big fish,” others have been making multiple attacks on smaller businesses, says Reed. Mom-and-pop businesses often don’t have the funds to pay, he notes, and “these attacks devastate their business” if they lose a lot of data.
And as the Colonial attack demonstrated, cyberattacks can be disruptive to the economy as well as the security of nations. “The incidence of attacks on major food producers [and more] has increased dramatically; it can disrupt food supply and critical resources,” he adds. “That’s why the government has paid heightened attention to this.”
The costs to businesses
Governments are now requiring breach reporting by public companies to privacy commissioners where personal information of individuals is accessed and there’s a substantial risk of harm to the individual as a result of the access. This reporting is expensive, not least because companies that do business in multiple jurisdictions are also paying legal fees to engage counsel in those jurisdictions, Reed says.
Companies must also be wary of violating state sanctions in making payments. In Canada, for example, the Special Economic Measures Act makes it an offence to pay money to sanctioned entities, many of which are listed under the Consolidated Canadian Autonomous Sanctions List, says Patrick McCann, a Fasken counsel in white-collar litigation in Ottawa. The anti-terrorism provisions of the Criminal Code also apply, he says.
If ransom payments violate any of the U.S. sanctions lists, companies could be subject to prosecution even if that payment didn’t take place in the U.S., McCann adds. This would be the case if a payment “involves a U.S. person or U.S.-origin product, [including] software or technology, or if it involves activity within a U.S. territory. That covers a wide spectrum.”
Cyber litigation is already starting to heat up, says Handa, who predicts there’ll be more of it. “We’re at … the early stages of litigation” now.
What can be done
Many law firms and consulting companies offer clients educational materials, training for upper management, addresses to boards of directors, and mock training exercises and scenarios, says Handa.
“The architecture of your network, your password policies, [and] your insurance; is that properly set up, do you have a breach coach, and do you provide your employees training on cybersecurity?” That’s especially important in today’s employment market, which has higher staff turnover, he says.
There has also been discussion in government about the importance of addressing the issue, McCann notes, “and whether that comes in the form of legislation that prohibits the payment of ransomware. That may cause a lot of suffering in the short term, but that would probably end the practice very quickly, too.”