What is ransomware? 
Ransomware is a form of malicious software (malware) that installs itself on an electronic device or system, including smartphones, tablets and computers, and encrypts the entire hard drive, or specific files, and then demands a ransom be paid before the information is decrypted. Ransomware may also encrypt files that are located on network drives mapped to an infected device or system. More importantly, attackers may access information stored on a device or system during the course of an attack. 

Ransomware typically spreads via “phishing”. This is when an email or text message is sent with an attachment or link containing malware. The malware is installed when the link or attachment is opened, or when offered software is installed. Ransomware on one device or system may spread to others through network vulnerabilities or additional phishing emails from compromised accounts. 

Ransomware is deployed by cyber criminal groups in the hope they can extort money, because it has proven relatively easy and very lucrative. Consequently, an ecosystem around the development and delivery of ransomware and the extortion of money has developed. Different groups may play different roles and be financed by other groups who in return receive a part of the earnings. These cybercriminal groups usually reside in safe harbour countries that do not prosecute these groups as long as they do not target domestic organizations. Accordingly, national law enforcement can do little to effectively stop or deter the attacks.

Recent developments
For years now, ransomware attacks against Canadian organizations have been increasing. It has recently become the number one threat against organizations’ assets, including personal information and personal health information. (*1) 

Variations of ransomware exist to attack most operating systems, including Windows, Linux, Android and iOS (Apple). Publicized ransomware attacks have occurred in Canada, including at hospitals, universities, businesses and on thousands of personal devices. In November 2019, Nunavut’s territorial government computer infrastructure was crippled by ransomware. In January 2020, Saskatchewan’s eHealth system had some of its files encrypted by ransomware. 

(*1) https://www.itworldcanada.com/article/ransomware-the-top-attack-type-in-canada-last-year-ibm-report/442909

A word of warning for governments and organizations 

There are typically two strategies that cyber criminals use for ransomware attacks. The first strategy is quantitative, putting out as many phishing emails and phishing links as possible, for example on social media, without discriminating amongst targets. Organizations that have limited security controls in place to defend against such attacks are likely to fall victim to this. The second strategy is more targeted. In these cases, the attackers have a specific interest in attacking a certain organization and they actively seek to gain access to this network by using, for example, credential stuffing attacks (*2) and targeted phishing campaigns (spear phishing), or by exploiting network vulnerabilities. Organizations targeted in this way include those known to hold valuable personal (health) information, such as healthcare organizations, governments or other organizations. When any organization is infected by an attack under the first strategy, it indicates to an attacker that the organization is vulnerable and is considered to be ‘low hanging fruit.’ An attacker who discovers low hanging fruit will in some cases target similar organizations in anticipation of similar vulnerabilities, such as appeared to occur in 2018 and 2019 when numerous municipalities were subjected to ransomware attacks. (*3) 

Ransomware attacks evolve. Until recently, it was common for attackers to encrypt information on a system and demand a ransom to decrypt the information, with the threat of destruction in a specified timeframe. Increasingly, attackers not only encrypt information on a system, but they also steal information that is of interest to them. (*4) It is important to note that personal health information (PHI) is more valuable to attackers than credit card information, because it trades for higher prices on the dark web.(*5) Credit card numbers can easily be replaced, whereas PHI is inherent to a person and for the most part cannot be replaced. 

Other variations include breaching a database, stealing the information and holding it ransom (*6), and ransomware attacks against cloud service providers. (*7) 

(*2) https://www.owasp.org/index.php/Credential_stuffing
(*3) https://hicksmorley.com/2019/10/09/municipalities-are-under-threat-of-ransomware-attacks-are-you-prepared
(*4) See https://www.zdnet.com/article/not-such-a-merry-christmas-the-ransomware-that-also-steals-user-data and https://www.us-cert.gov/ncas/alerts/TA16-091A for examples.
(*5) https://www.reuters.com/article/us-cybersecurity-hospitals/your-medical-record-is-worth-more-to-hackers-than-your-creditcard-idUSKCN0HJ21I20140924
(*6) Although not technically a ransomware attack, as no encryption techniques are used, many characteristics (motive, most exploitation techniques, consequences) are the same as with a conventional ransomware attack.
(*7) https://www.zdnet.com/article/cloud-based-virtual-desktop-provider-hit-by-ransomware/

Advice for users of personal and business devices 

Ransomware can hit both your personal devices and company-issued devices. Often, a ransomware attack results in a privacy breach. As the intruders access the information stored in a system to encrypt it for ransom, they often also scan for valuable data which commands a high price on the dark web. This may be personal information, financial information such as credit card details, usernames, email addresses and passwords to log into financial services or credit card linked accounts (*8), and, as noted above, personal health information. If your business device has been compromised by ransomware, it is safe to assume it has also disclosed any information stored on it, unless your IT department can prove that no data was extracted from the network or local disk. If a personal device has been encrypted by ransomware, it is advisable to preventatively change any passwords you might have stored on that device (for example, online banking, webmail or e-commerce website passwords stored in your browser). 

(*8) E.g., Amazon, iTunes etc. Any service that stores credit card information and enables you to purchase goods or services.

To prevent a ransomware attack from occurring

• Make sure you follow training provided on information security practices, so that you are aware of how to prevent your computer from becoming infected. If your workplace does not provide training, read up on it online and educate yourself. (*9)
• Know how to recognize a phishing email. Do not open links or attachments from unverified sources.
• Avoid links to log-in portals or software via advertisements on social media or websites. They might re-direct you to a fake website, owned and operated by cyber criminals.
• Avoid pirated software and offers for ‘free’ viewers for movies or series. Both are known carriers of ransomware (and other malware).
• Verify and bookmark in your browser all websites that require you to log in. Use only these verified links to provide credentials to a website. This practice helps protect you from accidentally entering credentials on a fake login page via a malicious link in your email or in search results.
• Do not install software on your corporate devices and do not add plug-ins to your browsers on your corporate devices. These actions should be blocked by your IT department. Ask IT to install any software or plug-ins for you and ask if IT has verified that these software or plug-ins comply with security and privacy policies. For your personal device, only install software and plug-ins from official sources and stick to software developers with a good reputation. Do research on the software before you install it (*10), especially for devices using Android (*11)
• Do not put media, such as USB sticks, from unverified sources (provided by someone from outside your organization or found around the office) into your devices. If necessary, ask IT to open USB sticks in a sandboxed (*12) environment. 

(*9) Good free training in the form of a quiz is offered on https://www.isdecisions.com/user-security-awareness
(*10) https://www.gnu.org/proprietary/proprietary-back-doors.html
(*11) https://forensics.spreitzenbarth.de/android-malware
(*12) A sandboxed environment separates the USB stick from the rest of the system, negating the risk of infection through the USB stick. A properly configured virtual machine or live CD may function as a sandbox. Also see https://geekswipe.net/technology/computing/how-to-safely-open-untrusted-usb

To control damage after an attack has occurred

•  Immediately disconnect your device from the network (Wi-Fi and/or LAN cable), disconnect Bluetooth and attached devices such as USBs, phones and external hard disks. If done in a timely way, this may contain the spread.
• Report the incident to your IT department as soon as possible. 

Advice for management

• To prevent ransomware outbreaks from happening, the management team should champion a workplace culture that encourages awareness of information security and privacy risks and that gives clear priority to attending relevant training, taking part in practice routines and obtaining education in these fields. This is a part of corporate due diligence. Neglect is very likely to cost the organization in the long run, either in money from lawsuits, damage to IT assets, damage through disruption of business processes or damage to reputation. In the case of a successful ransomware attack, all four types of costs are distinct possibilities.
• With the help of your IT staff, perform a risk assessment regarding the risk and impact of a ransomware attack. An assessment like this can be part of a broader risk management program for your organization. (*13) Doing a risk assessment will turn unknown into known risks, inform you of your legal obligations, potential damages from incidents and costs of mitigations to prevent the risk from materializing. 
• Ask if IT staff are making sure the recommended measures below (see Advice for IT departments below) are implemented. If they do not implement certain measures, make sure you know why, what the risks are and that you are willing to accept these risks. Document the risks, their mitigation or acceptance, as proof of due diligence.
• Make sure all personnel, including IT and management, are educated regarding their organizational role in the case of ransomware attacks and privacy/security breaches in general. Empower IT to provide the required technical training to all employees and management.
• Know when a security incident also constitutes a privacy breach, and when a risk of significant harm (ROSH) to individuals exists as a result of the breach. A ROSH will be found to exist if there is a possibility that a breach may result in any kind of harm that qualifies as significant, including ‘bodily harm, personal humiliation, reputational or relationship damage, loss of employment, business or professional opportunities, financial loss, negative effects on a credit rating, or damage to or loss of property’, or any other similar type of harm (e.g., identity theft or fraud).
  •  Health care custodians and public bodies must consider if the intrusion presents a ROSH. If it does, under the Yukon’s Health Information Privacy and Management Act (HIPMA) and the Yukon’s Access to Information and Protection of Privacy Act (ATIPPA), the custodian or public body, as applicable, must notify the individuals affected about the breach. They must also notify the Office of the Yukon Information and Privacy Commissioner (IPC).
  • Businesses may need to report a privacy breach to the Office of the Privacy Commissioner of Canada.(*14)
  • If hit by ransomware, it is not recommended to pay the ransom. Apart from financing and thereby encouraging cybercrime, payment of the ransom could be an offence under the federal Special Economic Measures Act. (*15)

(*13) https://csrc.nist.gov/projects/risk-management
(*14) https://www.priv.gc.ca/en/privacy-topics/business-privacy/safeguards-and-breaches/privacy-breaches/respond-to-a-privacy-breach-at-your-business/
(*15) https://www.canadianlawyermag.com/practice-areas/privacy-and-data/ransomware-attacks-have-seen-dramatic-increase-saylawyers/357700

Advice for IT departments

• Train the entire organization from top to bottom regarding the roles and responsibilities of employees in case of a ransomware outbreak.
  • Management should champion information security and privacy in general and give clear priority to employees attending training.
    • The requirement for employee training should be in policy and made mandatory.
    • The training should be designed to ensure that employees are informed about the risks to the organization associated with ransomware and the measures employed by the organization to mitigate the risks.
    • The training should include information about phishing, secure web usage, etc. to prevent ransomware outbreaks, and adequate response if an outbreak occurs (i.e., disconnecting, reporting immediately).
  • Users, as the first line of defense against ransomware threats, should be trained routinely on how to prevent falling victim to a ransomware attack.
• Ensure a ransomware incident response plan is in place and train multiple employees on the plan to facilitate an adequate response in case of an outbreak. Practice the plan periodically, especially when there are new employees. See the Further reading section below for ideas for the response plan.
• Ensure there is a patch management policy and audit its effectiveness with the help of tools such as vulnerability scanners.
• If you are using a cloud service provider, make sure it has adequate protection against ransomware attacks.
• Whitelist software applications that need to run on machines. Disallow users from installing software, even under user privileges, and from installing plug-ins. For example, Flash is a known ransomware vector.
• Give front-line employees (for example, those providing intake, customer service and reception services) a sandboxed environment for opening email and files from file transfer services that they receive via the internet. Train these employees on verifying the safety of the download before taking it out of the isolated environment or have a control in place that keeps the attachments in the isolated environment.
• Back up your systems and make sure your backup systems are sufficiently isolated, so that they do not get hit by the same ransomware attack for which they are a recovery control. Test the “restore” functionality of backups periodically to have assurance that you can use them when needed.
• In addition to a firewall, use email filters, IDS/IPS and endpoint protection. Consider using specific ransomware detection and prevention products or endpoint protection that incorporates this functionality.
• Have some form of network access control in place. Restrict by policy and via technical controls what devices connect to your network as they may be carriers or vectors for ransomware if not properly onboarded according to the organization’s standards.
• Avoid using administrator accounts for general use on a device. Administrator accounts that are exploited by ransomware cause a wider spread of the infection.
• Disable SMB v1 (as much as possible). This helps prevent some ransomware strains from spreading within your network. It is also highly recommended to block all outgoing SMB traffic from leaving your internal network, as this can indirectly result in ransomware attacks (for example, via SMB credential harvesting attacks). (*16) 

(*16) https://www.syxsense.com/server-message-block

Obligations of organizations regarding compliance with privacy legislation and regulations 

The Yukon's privacy laws, ATIPPA and HIPMA, require reasonable steps to be taken by public bodies and health care custodians to protect against the risks to personal information or personal health information caused by a ransomware attack. Because ransomware attacks result in the loss of and/or unauthorized access to information and potentially its integrity, adequate protection is a mandatory requirement under both Acts. If a privacy breach does occur, public bodies and custodians can contact the Office of the Yukon’s Information and Privacy Commissioner (IPC) for guidance on handling the privacy breach. 

Businesses that are not health care custodians are not subject to the Yukon's privacy laws and need to comply with mandatory breach reporting requirements under the federal Personal Information Protection and Electronic Documents Act. They must contact the Privacy Commissioner of Canada's Office if personal information is involved in a breach and a real risk of significant harm exists to those affected by the breach. (*17)

(*17) https://www.priv.gc.ca/en/privacy-topics/business-privacy/safeguards-and-breaches/privacy-breaches/respond-to-a-privacy-breach-at-your-business/

 Further reading

• https://www.wired.com/2016/05/4-ways-protect-ransomware-youre-target/
• https://www.nomoreransom.org 
• https://www.gov.scot/publications/cyber-resilience-public-sector-toolkit/

An example of an incident response plan for medium to large organizations: 

• https://www.gov.scot/binaries/content/documents/govscot/publications/ad…- %2Bransomware%2Bplaybook.pdf

Please note

This document was updated and issued in October of 2021 as an informative advisory intended to assist in understanding ransomware attacks and how to manage associated risks, in the context of the Yukon’s two privacy laws, the Access to Information and Protection of Privacy Act (ATIPPA) and the Health Information Privacy and Management Act (HIPMA). This document is not intended as, nor is it a substitute for, legal advice. For the exact wording and interpretation of ATIPPA and HIPMA, please read the Acts and regulations in their entirety. This document is not binding on the Yukon Information and Privacy Commissioner.