A ransomware attack on the Resort Municipality of Whistler (RMOW) could have far-reaching consequences, according to a cyber security expert, but there’s no way of knowing for sure until a full forensic investigation is completed.
In a recent post to the dark web (a part of the internet not visible to search engines, and accessed through an anonymous browser called Tor), the cyber criminals claim to have accessed about 800 gigabytes of RMOW data.
“Whistler people personal information (names, addresses) sql databases, stats, huge email dumps, emails database, passwords, network scheme, services, private documents placed on darknet auction,” the post read.
“It will be sold in next 7 days. Follow to chat to bet. ~800gb of archive. Yum yum.”
But there’s no way of knowing what the criminals actually have, said Brett Callow, threat analyst with Emsisoft, a cyber security company with a particular expertise in ransomware.
“These are criminal organizations. They don’t always tell the truth,” Callow said, adding that, because the cyber criminal’s systems are all scrambled, it’s not at all easy to work out what data was taken.
“It can require a forensic investigation that can take several weeks to complete, if they can work it out at all,” he said.
“And the criminals do attempt to use that uncertainty. There are cases where they will claim to have more data than they actually do. There are also, however, cases where they have exactly what they claim to have, so there really is no way of knowing.”
Data is stolen in about 70 per cent of ransomware attacks, Callow said.
As for the amount that could be being demanded, “it could be a lot,” he said.
“The highest amount on record to date, at least the highest amount to have become publicly known, is $50 million.”
While “it’s very hard to say” how local governments should respond to threats like this, “my personal feeling is that organizations should never pay,” Callow said.
“It doesn’t guarantee they will get their data back, it doesn’t guarantee that the criminals will not misuse whatever data was stolen, and of course it simply incentivizes the cyber crime.”
And while it’s still unclear how the hackers breached the RMOW servers, in about 50 per cent of cases, it is through email phishing scams, Callow said—instances where someone has inadvertently downloaded remote access software.
“That gives the criminals access to the network. They can then use various methods to move laterally throughout it; they elevate their privileges, they disable security products, they suck out the data, and then when they’re good and ready they finally encrypt the network,” he said.
“And that is the point at which the organization realizes it has a major problem. But of course by that point their data is already long gone.”
With the technology and tactics constantly evolving, safeguarding against cyber crime is “a constant and ongoing game of Whack-a-Mole,” Callow added.
While the extent of the breach is still unknown, Whistlerites—and indeed any business or organization that has an account with the RMOW— should “work on the assumption that the cyber criminals now have whatever information the municipality held about me,” Callow said.
“That may not be the case, but it is best to be safe than sorry.”
A report published recently by Emsisoft estimates that the average ransomware demand grew by more than 80 per cent globally in 2020, with a minimum of $18 billion paid in ransoms.
In Canada, there were 4,257 reports of ransomware demands, with a minimum cost of about $165 million.
“The data that ends up being posted online in these cases can be extremely sensitive. We have seen information relating to alleged cases of child abuse, for example, be posted online, [and] medical reports about those children, when social services departments and/or healthcare providers have been hit,” Callow said.
“And that’s really terrible. If your financial information leaks, at least you can eventually fix your credit. When extremely sensitive personal information like that leaks, once it’s out there, it’s out there. There’s nothing you can do about it at all.”
RMOW CONDUCTING FORENSIC INVESTIGATION; SERVICES REMAIN OFFLINE
The RMOW is conducting a forensic investigation to determine what information was accessed by the hackers, and is asking the public to be vigilant about communications appearing to come from the RMOW.
The municipality does not ask for private information by phone or email, the RMOW said in a recent update at whistler.ca
"We are taking it extremely seriously and are working with cyber security experts and the RCMP to confirm the nature of the threat. In the event personal information is impacted, we are putting measures in place to protect those people," an RMOW spokesperson said in a text message, adding that the RMOW has full control over its servers and website.
The municipality also has cyber security insurance to protect from criminal activity such as this, the spokesperson said.
Should the forensic investigation determine that personal information was accessed, the RMOW said it will inform affected individuals immediately. Meanwhile, the municipality is further strengthening its security safeguards to ensure that all information in its custody remains secure, according to an update posted to whistler.ca.
“I appreciate that this is having a large impact on our community already challenged by COVID-19, as well as Whistler property owners and those who have accessed RMOW services in the past,” said chief administrative officer Virginia Cullen. “Although we have robust protections in place to prevent this type of illegal event, these cyber criminals breached our server. As soon as we were aware of this, we took measures to prevent further access, and are now in the process of working with cybersecurity experts before we put the system back online.”
Infrastructure such as water and sewage, and emergency systems such as 911 and the Whistler Fire Department have been secured and continue to operate as normal, though RMOW email, phone and network services are still offline. In-person service at municipal hall has also been temporarily suspended.
All council meetings scheduled for Tuesday, May 4 have been cancelled.
An Incident Command Team has been activated to focus on business continuity and restoration of services, and the public can call 604-932-5535 from 8 a.m. to 4:30 p.m. Monday to Friday with any questions.
After gaining access to the municipal server earlier this week, the "cyber criminals" left an ominous message.
“this is very fun … guys, if we do not talk now, you’ll have big troubles in future,” read the message.
“I have a lot of patches on your systems to gain access and you can’t restore your network from backups again. So talk in chat and i’ll stop this now. I’m waiting.”
The message included a link to download the Tor browser, which enables anonymous communication online, along with another link followed by more ominous words: “no way to run.”
Find updates at whistler.ca, and check back with Pique for more as this story develops.