In the wake of ransomware attacks on the District of Squamish’s computer servers, IT experts are suggesting the municipality stay wary until a forensic analysis shows the full extent of the malware’s effects.
The message arrives after the District said there is no evidence personal information was compromised.
A forensic analysis that would show how it all happened is still ongoing and could take some time.
On Feb. 27, the District was hit by a ransomware attack. This malware allows hackers to infiltrate a computer, encrypt its files and demand payment to decrypt them.
Probably the most famous example of these was the WannaCry virus that paralyzed hospitals in England and Scotland in 2017.
This is not the first time such an attack has hit Squamish’s municipal hall. A ransomware virus had also affected the District last year.
‘This is not going to go away’
On March 3, the municipality announced that to improve protection for its computers, it would hire an IT security staffer and fast-track a move to cloud-based server hosting with virus protection and backups built in.
A District spokesperson said the municipality hasn’t yet figured out that staffer’s pay, but a draft of the 2020 budget presented in December proposed to set aside $94,600 for the position.
However, UBC professor Hasan Cavusoglu says that having only one person in a dedicated security role likely won’t be enough to protect against future attacks.
“This is not going to go away,” said Cavusoglu. “It’s going to get even more complicated.”
He recommended a cloud server, which the District is adopting, but cautioned that while upgrades are helpful, a one-time initiative may not be enough. Tactics and types of software used in ransomware attacks are rapidly evolving.
“The leaders of...organizations should understand this is not a one-time solution,” said Cavusoglu.
“It’s a good step but just one step you should continue building on.”
In response, District staff agreed that one person cannot be responsible for cybersecurity at municipal hall.
“Security will not just be one person’s job and, should our new hire require external assistance, then that would be presented to council for consideration,” District staff said in an emailed statement.
“The focus on security requires a multi-faceted approach and involves the entire organization. Specifically, it has been a priority for the Information Technology department in recent years with ongoing security upgrades and improvements implemented. A major piece in preventing attacks is end-user cybersecurity training, which will be provided to staff in more depth in the coming weeks.”
Cavusoglu acknowledged that it can be difficult for a smaller municipality like Squamish to spend the extensive amounts of money needed to ward off sophisticated hacker attacks.
He also said it may be too soon to say that personal data wasn’t compromised if the forensic analysis hasn’t been completed.
If the attack was a standard ransomware attack, it’s likely that personal data may not have been compromised, as those attacks usually just encrypt users’ files and demand payment for decryption.
However, ransomware attacks are evolving and can be more complicated.
On March 9, District of Squamish staff told The Chief that the municipality has engaged cybersecurity professionals to help investigate the attack and look into exactly what, if anything, was compromised.
Threat analyst’s perspective
Brett Callow, a threat analyst at Emsisoft, said that there’ve been cases where governments have initially declared that personal data was not compromised, only to realize later that the data was posted online.
“Starting at the tail end of last year, multiple groups began stealing the data prior to encrypting it, and if the victim doesn’t pay, they publish the data online,” said Callow.
For example, the government of Prince Edward Island announced on Feb. 25 that it was subject to a malware attack.
“Based on our investigation, there is currently no reason to believe that Islanders’ personal information has been affected by the malware,” read a statement the province posted online.
However, days later, the PEI Guardian reported that a hacking group publicly posted internal documents from the provincial government that included bank statements, payment details, SIN numbers and contact information.
Earlier this year, Saskatchewan’s main service provider of health information was subject to a ransomware attack as well. While initial reports said the attack was contained, the CBC later reported that files were being sent to suspicious IP addresses.
Callow says the effects of ransomware attacks don’t immediately happen after someone clicks on a phishing email. Instead, the click will install malware that will give actors remote access to the network.
In some cases, he says, hackers infiltrate servers about a week before the ransomware is deployed, copying files that they plan to hold hostage.
After they’ve copied enough data, they’ll then deploy the ransomware.
He said ransomware attacks usually result from either phishing or improperly secured remote access networks for employees.
If an attack occurred on his servers, Callow said, he’d err on the side of caution and set up credit monitoring if there’s a possibility that names, addresses and social insurance numbers have been compromised. “To my mind, these incidents should now be regarded as data breaches, until they prove not to be,” said Callow.
“It could be several weeks before they find out that has happened. And, of course, then it takes a couple of weeks to open up a credit card in somebody’s name.”