Ransomware is hitting governments hard. Besides the incident Prince Edward Island experienced, the Canadian territory of Nunavut also suffered a ransomware attack in November 2019 that crippled systems across that entire government.
Ransomware is a type of malware that, once introduced to a system, locks the user out of local files. It enumerates the directories on the victim’s computer to build a hierarchy of the files on the device. Once that list is built, the ransomware (in most cases) uses Windows’ own cryptography API to encrypt the files. The encryption keys are then sent back to the attacker for long-term storage, where the victim cannot reach them.
Earlier iterations of many ransomware strains focused on spread and relied on the sheer number of infections to make a campaign successful. This was the case with WannaCry and NotPetya, where the intent was to cripple the victim into paying the ransom. Newer ransomware adds a level of human control: an attacker silently controls the victim network before locking the system files. This has allowed attackers to exfiltrate data from the victim’s systems. So not only is the victim locked out of their files, but the attacker also holds a copy of any number of those same files to use as leverage.
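A defensive counterpart to the encryption step described above, added here as an example and not part of the original post: a small Python detector that flags a burst of files rewritten with near-random (encrypted-looking) content, which is the trace that mass encryption leaves on disk. The file-write events, paths and thresholds are constructed for illustration, not taken from any real telemetry.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Text and office documents sit well below 7.5; ciphertext is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_mass_encryption(events, window=60, min_files=5, entropy_floor=7.5):
    """Return the sorted paths of files rewritten with near-random content when at least
    `min_files` such rewrites land inside any `window`-second span.

    `events` are (path, epoch_seconds, first_bytes_of_new_content) tuples.
    A single high-entropy write is normal (archives, images, already-encrypted files),
    so the count threshold is what separates a burst of encryption from ordinary use."""
    high = sorted((t, p) for p, t, data in events if shannon_entropy(data) >= entropy_floor)
    flagged = set()
    for i in range(len(high)):
        j = i
        while j < len(high) and high[j][0] - high[i][0] <= window:
            j += 1
        if j - i >= min_files:
            flagged.update(p for _, p in high[i:j])
    return sorted(flagged)


# Constructed sample content: a plaintext memo and a stand-in for encrypted bytes
# (every byte value equally often, i.e. exactly 8 bits per byte).
PLAINTEXT = b"Quarterly budget notes for the finance committee. " * 80
CIPHERTEXT_LIKE = bytes(range(256)) * 16

# Constructed write events: six documents rewritten within seconds of each other,
# one normal document save in the middle, and one lone archive much later.
SAMPLE_EVENTS = [(f"docs/report{i}.docx", 1000 + i, CIPHERTEXT_LIKE) for i in range(1, 7)]
SAMPLE_EVENTS.append(("docs/minutes.docx", 1003, PLAINTEXT))
SAMPLE_EVENTS.append(("downloads/photos.zip", 5000, CIPHERTEXT_LIKE))

if __name__ == "__main__":
    for path in detect_mass_encryption(SAMPLE_EVENTS):
        print("possible encryption burst:", path)
```

The lone archive is high-entropy too but is not flagged, because nothing else near-random was written within its window.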
Paying the ransom is not the answer to ransomware. It only perpetuates the effectiveness of ransomware and conditions the attackers to continue their attacks; ransomware has become big business for them. Unfortunately, the obvious result of not paying is that your files will likely be released to a wider audience. Prevention should be the number one focus, but strong incident response and business continuity/disaster recovery plans, including an approved and well-structured communications plan, are also essential.
Regardless of whether or not you pay the ransom, it should be assumed that the data will eventually be released. Without confirmation it’s simply impossible to know otherwise.
The P.E.I. Ransomware
The Prince Edward Island government was hit by a ransomware called Maze, which Proofpoint has attributed to Threat Actor 2101, or simply TA2101. This ransomware is notable for publishing exfiltrated files on the operators’ own website if victims don’t pay, rather than selling the data on dark web forums.
In addition, threat actors can use this trove of data to phish other businesses, which should definitely be a big concern for P.E.I. businesses.
2020-02-23 — The government reported a 90-minute ransomware incident before it was contained. At that time the province did not believe that any Islanders’ personal information had been affected.
2020-03-03 — Government documents began showing up online when approximately 800MB (uncompressed) of data was posted on the Internet. According to the Maze ransomware website, the attackers hold approximately 200GB of archives.
The likelihood that the rest of the files will be released cannot be allowed to stall recovery, which will almost certainly involve a hard look at the province’s information security. A forensic audit will need to take place to determine which files may have been accessed. Any impacted individuals and businesses will then need to be notified so that they can take appropriate action, if deemed necessary.
A recent Forbes article stated that the average cost of a ransomware incident has skyrocketed to over $84,000. This is likely on the low end, as most incidents go unreported and there is no clear baseline for what the cost of a ransomware incident should include. The ransomware attack on the City of Atlanta could have cost taxpayers an estimated $17 million, but I wasn’t able to find any exact numbers. It’s not infeasible to suggest that this incident may cost the P.E.I. government over $1 million when all is said and done.