Emily Xiang is an is an IPilogue Writer, President of the Intellectual Property Society of Osgoode (IPSO), and a 2L JD Candidate at Osgoode Hall Law School.
Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP who practices in the areas of intellectual property and information technology law.
This article was originally published on the OBA’s Information Technology and Intellectual Property Law Section’s articles page.
The threat of cyber attacks is no longer restricted to TV shows and movies, with cyber security incidents like ransomware attacks becoming far more frequent in daily life. While the COVID-19 pandemic may have slowed many aspects of society, ransomware has seen a marked increase in recent years around the globe – and Canada is no exception.
THE GROWING RANSOMWARE THREAT
Ransomware incidents involve threat actors infiltrating an organization’s defenses and deploying malware to prevent the company from accessing its information. Though the specific tactic may differ between threat actors, users will ultimately find themselves unable to access vital data and key systems unless the organization pays a ransom to the threat actors, usually in the form of digital currency. During the incident, threat actors may also extract data from the company’s network, which can have serious privacy consequences for the organization and its customers. Not only will their data be in the hands of an unknown party, but in many cases, threat actors may threaten to publish the exfiltrated information online if the organization refuses to provide them with payment.
Ransomware saw record-breaking numbers last year. By the end of the first half of 2021, global ransomware attacks had increased by 151% as compared to the previous year, with ransom payments of up to CAD$48.4M being paid out to hackers. In Canada, the Canadian Centre for Cyber Security (the Cyber Centre) has knowledge of at least 235 ransomware incidents that occurred over the course of 2021 (though, it is important to note that the majority of ransomware attacks go unreported). Out of the known ransomware incidents that were reported to the Cyber Centre, more than half involved critical infrastructure providers. However, the Office of the Privacy Commissioner of Canada (the OPC) stresses that no sector is fully immune from an attack, as incidents of ransomware have occurred indiscriminately since 2020 in not-for-profit, professional, financial, transportation, manufacturing, and retail sectors.
The increase in ransomware incidence and scope in recent years is partly attributed to the growing sophistication with which cyberattacks may now be conducted. A number of key trends in ransomware have arisen, and are rapidly changing the cybercrime landscape. For instance, ransomware-as-a-service (RaaS) is a model that allows developers to sell and/or lease ransomware to cybercriminals whilst being paid a percentage of the profit. These kinds of schemes allow an increased number of unskilled threat actors to get a hold of sophisticated ransomware technology, while providing skilled attackers the opportunity to profit from the mass distribution of their work. The world has also seen an increase in victims of high-impact targeting, wherein more targeted attacks are being launched at supply chains and essential services in order to maximize potential victims and profits. For instance, many threat actors have leveraged the COVID-19 pandemic to aim at high-impact targets that have become especially vital in current circumstances, such as emergency medical services and law enforcement agencies. As stated by chief information officer Amar Yousif at UTHealth in Houston, “[a]ttackers [targeting hospitals] understand that we’re talking about life and death. There’s a great incentive to just pay and get the thing unlocked so we can treat patients.” In finding more opportune ways to breach vulnerable organizations, threat actors are demonstrating that their targeting schemes are becoming increasingly sophisticated, as well as strategic.
SEVERE FALLOUT FROM ATTACKS
Ransomware attacks may have far-reaching implications on company operations. On May 7th, 2021, American oil company Colonial Pipeline fell victim to a ransomware attack that immobilised several of its computerized equipment systems. As a result, operations for the largest fuel pipeline in the US were temporarily suspended, resulting in price spikes and fuel shortages for millions of Americans. Even more recently, global human resources company Ultimate Kronos Groups (UKG) was also hit with a ransomware attack on December 11th, 2021, resulting in a worldwide shutdown of their cloud services. The incident impacted millions of users, with employees who relied on UKG’s cloud system reporting paychecks short by hundreds or even thousands of dollars, as their employers struggled to find alternative means for managing payroll. Kronos is known to service tens of thousands of organizations – including half of the Fortune 100 – and more than 40 million people in over 100 countries everyday, including businesses in Canada.
A CALL FOR ACTION
The Cyber Centre predicts that ransomware will continue to pose a threat to national security and economic prosperity in 2022. They also predict that threat actors utilizing ransomware will likely become increasingly aggressive in their operations and targeting schemes. Similarly, the OPC emphasizes the potential harm that can result from this type of attack and considers such incidents to meet the real risk of significant harm threshold under the Personal Information Protection and Electronic Documents Act. As part of an ongoing, national effort to mitigate the effects of ransomware and related cyber threats, the Canadian government has urged organizations to take this matter seriously and address it head-on through adopting proper security measures.
PREPARING FOR RANSOMWARE ATTACKS
Cyber Security Preparations
To assist organizations in their cybersecurity preparation, the Cyber Centre recently released a Ransomware Playbook (the Playbook) with guidance on how to defend against and recover from cyberattacks. It recommends that businesses implement cyber defence planning strategies, such as preparing multiple backup systems ahead of time. Backup systems provide organizations with a copy of their data, which can then be used for restoration activities in the wake of a ransomware attack. When developing a plan for implementing backup systems, it may be useful to contemplate the frequency and extent that the data should be backed up and storage considerations for the backup systems. The Cyber Centre advises that backups stored online within the organization or on a cloud platform are more commonly susceptible to ransomware attack, while backup systems stored offline, in a separate physical location from the main business site and disconnected from its networks, offer the most protection against ransomware incidents.
In addition to preparing backups, the Playbook has details on different cyber security controls that can be implemented as part of the organization’s defenses. For example, having multi-factor authentication (MFA) in place on company devices may assist in thwarting off threat actors. It may also serve to hinder threat actors from gaining full access to target systems in the event that they are successful in getting past initial IT defenses. In addition to MFA, businesses may want to consider having a system that can continuously monitor their network and establish an acceptable baseline of activity. This can be used to flag anomalies in activity patterns and sound the alarm when there is a potential risk to the organization.
Planning Ahead
Apart from having technical controls, it may be prudent to consider creating plans that serve as reference guides during ransomware incidents. The Cyber Centre suggests creating an incident response plan that is geared towards cyber defense strategy, including detecting and responding to an attack. The incident response plan can include the objectives, stakeholders, responsibilities, communication methods, and escalation processes that are involved in the response strategy. To formulate this plan, organizations may want to conduct a risk assessment of their assets and identify the potential consequences that would result from them being compromised, so as to discern the business’ response priorities. When drafting the incident response plan, it may be beneficial to keep the plan simple and flexible, so that it can be easily adapted to the circumstances of the actual event.
To compliment the incident response plan, businesses could consider developing a disaster recovery plan that focuses on resuming operations after a ransomware incident. The Cyber Centre advises that an effective plan should identify the entity’s critical information (e.g. financial records, proprietary assets, etc.), their most essential systems that are required for business continuity, and their most vital business functions. Once a plan is formulated, multiple trial runs should be conducted to determine potential areas for improvement.
More Options
In addition to the above ransomware-specific guidance, the Cybersecure Canada program may offer insight for organizations looking to improve their cybersecurity foundation. This program is mainly aimed at small and medium-sized businesses, but welcomes enrolment from all organizations in Canada. As part of the program, businesses are required to adopt measures in certain baseline security control areas that reflect industry-accepted best practices and target key considerations for the organization’s systems and employees. Furthermore, implementing these controls has the added benefit of fulfilling prerequisites for the Government of Canada’s CyberSecure Canada certification. The certification is valid for two years and can be displayed at the organization’s physical location and on its website to let others know that their business has met the standard.
CYBER INSURANCE
When preparing for ransomware attacks, organizations may want to consider how they would fund response efforts in the event that a threat actor manages to get through their defences. Though a business is already insured, traditional insurance policies may provide limited or no coverage for cyber attacks. Reviewing one’s current insurance policy and acquiring adequate cyber coverage where it is lacking is a crucial step that should not be left out of any discussion on ransomware preparation.
MOVING FORWARD
In our current technological landscape, ransomware attacks and other cyber security incidents have unfortunately become a daily reality of doing business in Canada and around the world. In light of the rising threat, organizations are encouraged to approach the matter with equal tenacity. By taking the appropriate proactive measures, we can better safeguard our activities and mitigate the impact of ransomware attacks on our businesses.