In Canada, the ransomware business is booming, with some of the largest corporations having fallen victim to them, including London Drugs, the City of Hamilton, Ont., and the government of Newfoundland and Labrador. Even though criminals often boast about their attacks on the so-called dark web, if one examines the list of targets provided by B.C.-based threat analyst Brett Callow, it would seem that they are not fussy about their victims. One of these targets is an individual located in B.C. A charity for disabled children, the First Nation's
Health Authority and a library network are all part of the consortium.
In a world of emerging online security standards, cybersecurity experts say the spate of attacks has serious repercussions for victims and the public, and organizations need to protect themselves from these attacks with multiple layers. Callow thinks it is important to ban ransom payments outright, or at the very least to restrict the tide of attacks to be slowed. Eric Charleston, a lawyer in Toronto, says that the answer is not so straightforward.
As a result, he believes a ban would have meant that victims would have been punished. Nevertheless, the two agree that potential targets should be more secure to prevent breaches in the first place. Even though Charleston said many incidents go undetected, it is difficult to precisely estimate the apparent increase in ransom cyberattacks, in which hackers demand payment in exchange for releasing sensitive information.
Cybercriminals, who usually operate in foreign jurisdictions, have been allowed to monetize data theft by the advent of cryptocurrency, he explained. In addition, all of these transactions are recorded on the blockchain, which means that there are breadcrumbs pointing out the direction in which the money is being spent, he said. Charleston, the national co-leader of Borden Ladner Gervais LLP's cybersecurity team, says a data breach could have far-reaching implications for the entire organization. Amidst the "emerging" cybersecurity standards in Canada, they range from financial and reputational damage to possible legal liability.
A new federal law and an Ontario law proposed by Charleston could lead to the adoption of minimum security standards for specific sectors under new federal and Ontario laws. Data breaches can result in class-action lawsuits against targeted companies. The victims of a 2019 LifeLabs Inc. breach began receiving payments last month of $7.86 each for their losses.
The total amount of the settlement was $9.8 million, which might not seem like much, but it added up to a substantial sum. In the meantime, Callow claims that the stakes could be as high as life or death in this case.
There have been numerous studies conducted by researchers at the University of Minnesota School of Public Health that estimate there have been at least 42 deaths caused by ransomware attacks that disrupt hospital operations and threaten the lives of Medicare patients between 2016 and 2021. Charleston acknowledged that law enforcement has had some successes in recent years. LockBit has been referred to as the world's most harmful cybercrime group, a term used by the National Crime Agency of the United Kingdom in February about the disruption of its operations by a consortium of police agencies.
The Russian authorities identified a man last month as the "administrator and developer" of LockBit, a tool that allows global hackers to carry out attacks using a network of tools that they have developed. Callow, an employee at the New Zealand-based antivirus software company Emsisoft, stated that enforcement actions, such as the operation against LockBit, undermined cybercriminals' confidence. Nevertheless, LockBit quickly resumed operations on a new site. Callow noted that LockBit issued the ransom demand following the London Drugs hack detected in late April, which compelled the British Columbia-based retailer to close all its stores across Western Canada for approximately a week.
The company subsequently confirmed that data potentially containing some employee information was leaked, declaring itself "unwilling and unable" to pay a ransom to hackers it characterized as "a sophisticated group of global cybercriminals." Callow reassured that typically, no further action is taken with the stolen data, as it "just sits there on the dark web." He likened the pursuit of international cybercriminals expecting substantial ransoms from companies or institutions to a game of "whack-a-mole."
However, cybercriminals seeking ransoms are not the sole threat.
British Columbia officials have indicated that a "state or state-sponsored" actor was likely behind a series of attacks against the province detected in April. On Monday, Public Safety Minister Mike Farnworth reported that 22 government email inboxes containing the sensitive personal information of 19 employees might have been accessed during the breach. Canadian government officials, including Public Safety Minister Dominic LeBlanc, issued a joint statement on Monday to raise awareness about the threat posed by malicious cyber activities by foreign states and their affiliates.
The statement highlighted that certain foreign states were conducting "wide-ranging and long-term campaigns" to compromise Canadian government and private-sector computer systems, specifically naming China, Russia, Iran, and North Korea.
On Tuesday, Canada's auditor general released the results of a cybersecurity audit, revealing that the federal government lacked the capacity or tools to effectively counter increasingly sophisticated cyberattacks. In response, Ottawa is anticipated to launch a new national cybersecurity strategy this year, following the establishment of the National Cybercrime Coordination Centre in 2020.
A proposed cybersecurity bill is also progressing through the federal legislative process. If enacted, it would provide a framework for protecting online systems critical to national security or public safety, including empowering officials to require certain service providers to implement cybersecurity programs. Charleston commented that this bill and another in Ontario indicated that cybersecurity control parameters were being established in Canada.
Ontario's proposed legislation aims to enhance cybersecurity for public-sector institutions governed by existing privacy and freedom of information laws. According to Charleston, these emerging standards would likely evolve into a "road map" for arguments concerning liability and negligence following cyberattacks.
Callow asserted that cybersecurity should be regulated similarly to other sectors, such as aviation and automotive manufacturing.
Charleston, however, noted instances where cybercriminals blocked access to a company's system, which would have likely been unable to recover its data and resume operations if prevented from paying the ransom. Callow acknowledged his position as part of a "minority" in cybersecurity advocating for a ransom ban. Both experts emphasized that many threats with serious potential consequences could be averted through basic security measures, underscoring the importance of multi-layered security that continually monitors for abnormal activity. Charleston pointed out that organizations frequently update their systems, providing hackers with "fresh landscapes" to exploit.
