Resort Municipality of Whistler (RMOW) services remain offline with no timeline for bringing them back following a ransomware attack last week that could potentially impact thousands.
While the criminals claiming responsibility for the breach continue to post updates to the dark web, the RMOW noted the claims are unsubstantiated, and it does not yet have any evidence that any personal information was taken from its system.
“There is a very thorough investigative process underway, and we continue to work with forensic cyber security experts to understand what may have been accessed, and how that access may have happened,” said Gillian Robinson, the RMOW’s manager of communications, adding that the RCMP and Office of the Information and Privacy Commissioner for B.C. are also involved.
“As you can appreciate, we have several servers, and it’s a very exhaustive and time-consuming process to go through all of those. I can tell you that that work is underway 24 hours a day, and many people are working overtime to do that—we are treating it with the utmost urgency from our end.”
The RMOW held a closed meeting May 5, “to discuss the security of the property of the municipality, the receipt of advice that is subject to solicitor-client privilege, and discussions regarding the provision of a municipal service.”
While services including email, phones and the municipal website remain offline as a security measure, the RMOW has control over its servers and website and is focusing on business continuity for the community (something it has recent experience in due to COVID-19), Robinson said.
“Getting back online, we have to be 100-per-cent sure that [our systems] are secure before we can do so, and that just speaks to the thoroughness of the investigation that’s underway,” she said.
“It’s a dial to get things back up; it’s not a switch.”
The RMOW has set up a FAQ at whistler.ca, which it continues to update, and will post any new developments to the website as well.
The municipality also has cyber security insurance to protect from criminal activity such as this, Robinson said.
RMOW infrastructure such as water and sewage, and emergency systems such as 911 and the Whistler Fire Department have been secured and continue to operate as normal, while in-person service at municipal hall has been temporarily suspended.
Council meetings scheduled for Tuesday, May 4 were cancelled, and the RMOW is looking at May 18 for the next meeting.
The public can call 604-932-5535 from 8 a.m. to 4:30 p.m. Monday to Friday with any questions.
CYBER CRIMINALS POST THREATS TO DARK WEB
The community became aware of the attack when visitors to the RMOW’s website on April 27 were greeted with an ominous message left by the unidentified hackers.
“this is very fun … guys, if we do not talk now, you’ll have big troubles in future,” read the message.
“I have a lot of patches on your systems to gain access and you can’t restore your network from backups again. So talk in chat and i’ll stop this now. I’m waiting.”
The message included a link to download the Tor browser, which enables anonymous communication online, along with another link followed by more ominous words: “no way to run.”
The RMOW responded by taking all of its services offline as a precautionary measure.
In an update posted to the RMOW’s website on April 28, the municipality advised the public to be vigilant about phone calls or emails that appear to be coming from the RMOW, noting that it does not ask for private, personal information by phone or email.
The cyber criminals claiming responsibility for the attack, meanwhile, continued to post updates to the dark web (a part of the internet not indexed by search engines, reachable only through anonymizing software such as the Tor browser).
On April 30, the criminals claimed to have access to about 800 gigabytes of RMOW data.
“Whistler people personal information (names, addresses) sql databases, stats, huge email dumps, emails database, passwords, network scheme, services, private documents placed on darknet auction,” the post read.
“It will be sold in next 7 days. Follow to chat to bet. ~800gb of archive. Yum yum.”
Another post on May 2 suggested that the RMOW is not responding to the ransom threat.
“The Government of the Whistler does not want to protect citizens and guests from leak,” it read. “Well… they have less than 5 days … what will they do?”
Asked about the posts, Robinson deferred to the criminal investigation taking place.
“We have to recognize that the RMOW is a victim of a crime, and the possibility of theft of personal information is something we take very, very seriously,” she said.
“But as you can appreciate, we aren’t able to comment on any specific details while that investigation is underway.”
THOUSANDS COULD BE IMPACTED
Until a full forensic investigation is completed, there’s no way of knowing what the criminals actually have, said Brett Callow, threat analyst with Emsisoft, a cyber security company with a particular expertise in ransomware.
“These are criminal organizations. They don’t always tell the truth,” Callow said, adding that, because the victim’s systems are encrypted by the attack, it’s not at all easy to work out what data was taken.
“It can require a forensic investigation that can take several weeks to complete, if they can work it out at all,” he said.
“And the criminals do attempt to use that uncertainty. There are cases where they will claim to have more data than they actually do. There are also, however, cases where they have exactly what they claim to have, so there really is no way of knowing.”
Data is stolen in about 70 per cent of ransomware attacks, Callow said.
As for the amount that could be being demanded, “it could be a lot,” he said.
“The highest amount on record to date, at least the highest amount to have become publicly known, is $50 million.”
While “it’s very hard to say” how local governments should respond to threats like this, “my personal feeling is that organizations should never pay,” Callow said.
“It doesn’t guarantee they will get their data back, it doesn’t guarantee that the criminals will not misuse whatever data was stolen, and of course it simply incentivizes the cyber crime.”
And while it’s still unclear how the hackers breached the RMOW servers, in about 50 per cent of cases the entry point is an email phishing scam, Callow said: instances where someone has inadvertently downloaded remote access software that gives the attackers a foothold.
“That gives the criminals access to the network. They can then use various methods to move laterally throughout it; they elevate their privileges, they disable security products, they suck out the data, and then when they’re good and ready they finally encrypt the network,” he said.
“And that is the point at which the organization realizes it has a major problem. But of course by that point their data is already long gone.”
With the technology and tactics constantly evolving, safeguarding against cyber crime is “a constant and ongoing game of Whack-a-Mole,” Callow added.
While the extent of the breach is still unknown, Whistlerites—and indeed any business or organization that has an account with the RMOW— should “work on the assumption that the cyber criminals now have whatever information the municipality held about me,” Callow said.
“That may not be the case, but it is best to be safe [rather] than sorry.”
A report published recently by Emsisoft estimates that the average ransomware demand grew by more than 80 per cent globally in 2020, with a minimum of $18 billion paid in ransoms.
In Canada, there were 4,257 reports of ransomware demands, with a minimum cost of about $165 million.
“The data that ends up being posted online in these cases can be extremely sensitive. We have seen information relating to alleged cases of child abuse, for example, be posted online, [and] medical reports about those children, when social services departments and/or healthcare providers have been hit,” Callow said.
“And that’s really terrible. If your financial information leaks, at least you can eventually fix your credit. When extremely sensitive personal information like that leaks, once it’s out there, it’s out there. There’s nothing you can do about it at all.”
PUBLIC ADVISED TO REMAIN VIGILANT
In the days following the attack, several Whistlerites reported receiving strange calls from people claiming to represent the RMOW.
Leah Howard said she received a call from a man speaking very quickly and mumbling his words.
When the man asked her how many people live in her house, and how old they are, the red flag was raised for Howard.
“I just said I don’t feel comfortable responding to this phone call … he mumbled again, and then he just hung up the phone,” Howard said.
While Howard said she’s received calls about the RMOW’s Community Life Survey (CLS) in previous years, those calls were always clearly identified, and in this case the caller seemed “kind of aggressive” (this year’s CLS ended on April 19).
The ransomware attack on the RMOW is “kind of unsettling, obviously, because we live in such a small community,” Howard said, adding that one of her first thoughts after hearing the news was for Whistler’s elderly citizens, who may be more susceptible to scammers.
“There’s unfortunately so many scams out there these days,” she said.
Calls like the one Howard received are quite common after attacks such as this, as some criminals use the information they have to make their phishing campaigns more successful, said Derek Manky, chief of security insights and global threat alliances at Fortinet’s FortiGuard Labs in Burnaby.
“It’s called spear-phishing, which is a targeted phishing attack,” he said.
“A lot of these organizations, they’re not just purely running on the ransom card, right? They have other ways they can try to monetize their attacks, so using information against victims through phishing attacks is a big way to do that.”
The criminals are potentially attempting to “regionalize” what information they have, and the initial question posed to Howard was likely a red herring, Manky said.
“At the end of the day, what they’re trying to do is get through to the end users, and at some point in time there has to be an exfiltration,” he said.
“So oftentimes they’re looking for some sort of way to open the user up, and then get information out.”
Most attackers are looking to get credit card information, but in some cases the end goal is gathering enough personally identifiable information to commit identity theft, which is often used to open bank accounts or to launder money.
With more than 100 billion attacks happening every day worldwide, “it’s not a matter of if, but when,” Manky added. “The cyber criminals, they really don’t sleep, collectively, and so you always have to be on guard.”
If you receive a suspicious call or text, verify it independently, Manky said: do not return the call to the number that contacted you, but look up your bank’s or the affected organization’s published number and call that directly.
People should also practise good “cyber hygiene” by avoiding unsecured WiFi networks, Manky said.
Businesses should ensure they have proper backups for their data, and practise network segmentation so that if one segment is compromised, it doesn’t give the hackers access to the entire network.
As it relates to opening email attachments and clicking on links, adopt a “zero-trust mentality,” Manky said, noting that digital certificates or digital signatures can be used to verify that data really came from the organization it claims to.
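The following is an added example of the verification Manky describes; it is not code from the article, from Fortinet or from the RMOW, and the key pair, the notice text and the phishing URL are all constructed for illustration (the RMOW publishes no such signing key). It signs a notice with a publisher’s Ed25519 key and shows that a tampered copy, and a copy re-signed by an impostor’s key, both fail to verify:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Notice is a constructed stand-in for a document an organization might publish
// (a service update, an invoice, a survey request) together with its detached
// Ed25519 signature. None of this data comes from the RMOW.
type Notice struct {
	Body      []byte
	Signature []byte
}

// SignNotice signs body with the publisher's private key. In practice only the
// publisher holds priv; recipients hold only the matching public key.
func SignNotice(priv ed25519.PrivateKey, body []byte) Notice {
	return Notice{Body: body, Signature: ed25519.Sign(priv, body)}
}

// VerifyNotice returns true only if n.Signature is a valid Ed25519 signature over
// n.Body under pub. Any change to the body, or a signature made with another
// key, makes it return false. Length checks avoid the panics ed25519.Verify
// raises on malformed input.
func VerifyNotice(pub ed25519.PublicKey, n Notice) bool {
	if len(n.Signature) != ed25519.SignatureSize || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, n.Body, n.Signature)
}

// Demo generates a hypothetical publisher key pair, signs a constructed notice,
// and checks three cases: the genuine notice, a tampered copy that reuses the
// original signature, and the tampered text signed by a different (impostor) key.
// Results are returned rather than printed so they can be asserted on.
func Demo() (genuineOK, tamperedOK, impostorOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}

	// Constructed notice text; not an actual RMOW communication.
	genuine := SignNotice(priv, []byte("Municipal services remain offline; see the FAQ at whistler.ca.\n"))

	// Attacker edits the body (inserting a constructed phishing link) but cannot
	// produce a new signature, so they reuse the original one.
	tampered := Notice{
		Body:      []byte("Confirm your account details at http://whistler-ca.example/login\n"),
		Signature: genuine.Signature,
	}

	// Attacker signs their own message with a key the recipient has no reason to trust.
	impostor := SignNotice(impostorPriv, tampered.Body)

	return VerifyNotice(pub, genuine), VerifyNotice(pub, tampered), VerifyNotice(pub, impostor), nil
}

func main() {
	g, t, i, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v impostor=%v\n", g, t, i)
}
```

The check is only as good as the public key it is made against: a recipient must obtain the organization’s genuine key through a channel the attacker does not control (much as Manky advises calling back on a published number rather than the one that called you), otherwise an impostor’s key and signature will look just as valid.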