Ransomware hits city computers
Infection locks computer files and demands payment to restore them
Shane Magee
Northern News Services
Friday, March 11, 2016
SOMBA K'E/YELLOWKNIFE
Computers in the city have recently been hit with ransomware, an infection that digitally locks files and demands a payment to unlock them.
Andrew Cunningham, a network consultant with Gray Jay Enterprises, said he has had several of his clients in the city impacted, including the Yellowknifer office.
"It's been such a huge money maker that even more and more people are starting to use it," he said Wednesday about the extortionary technology.
About half a dozen of his clients across the territory have had computers infected, the first around three years ago, he said. Some have been individuals while others are organizations or businesses.
Cunningham said most ransomware attempts arrive by e-mail, although he is aware of instances where someone clicked a link on social media that asked them to download and install something in order to watch a video.
It's not clear if the attacks that have happened in this region are targeted, he said.
Cunningham said if someone believes they've been infected, they should immediately turn their computer off and contact IT support.
According to McAfee, a company that makes computer protection software, the "locky" ransomware that hit Northern News Services is on a "rampage" and has infected many computers in a short time via a large e-mail spam campaign.
The "locky" ransomware was first detected Feb. 16, according to a post by Proofpoint, a company that sells digital protection services.
"A lot of the time the ransom is demanded in Bitcoins so that means it's an anonymous and untraceable currency," Cunningham said. Bitcoin is a new digital currency.
"By paying, you never know if you're going to get asked for more, so it can be dangerous," he said, adding he doesn't know of anyone who has paid. Most clients have restored their data using file backups.
American media reports say a hospital in California paid $16,900 US in ransom to restore its patient files after being compromised.
The infection at Yellowknifer began Tuesday morning when a staff member opened an e-mail with a subject line that referred to an electricity invoice.
In this case, the message appeared to be from a company e-mail account, said Sean Crowell, assistant general manager.
A zipped file was attached. (Zipped files have been compressed to a smaller size.) When the attached file was opened, it installed the ransomware, which began encrypting, or digitally locking, files.
"It was encrypting hundreds of files a second," Crowell said.
It worked its way through the company's shared computer file network.
Files were locked, and items such as news stories and photos were renamed to gibberish file names made up of random numbers and letters, with the file extension ".locky."
In file folders impacted, a ransom note was left that had instructions on how to provide money to unlock the files. Crowell doesn't recall how much the note asked for in payment.
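The behaviour described above, files renamed in rapid bursts to random names ending in ".locky", is the kind of thing a file-server audit log can surface before a whole share is lost. The following is an added example, not code from the article or from any product it mentions: a small Python detector run over constructed audit lines. The log format, the user names and share paths, the random-name pattern and the threshold of five ".locky" renames within one second are all assumptions.

```python
"""
Added example: flag a user who renames many files to the ".locky" extension
within a short window, the pattern described in the article (hundreds of
files a second, gibberish names). Log format, names and thresholds are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-log line format (constructed for this example, not a real product's):
#   <ISO timestamp> user=<name> op=<RENAME|WRITE|...> src=<old path> dst=<new path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)
# Assumed shape of the renamed files: a long run of letters/digits plus ".locky".
LOCKY_NAME_RE = re.compile(r"^[0-9A-Za-z]{16,}\.locky$")


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def is_locky_rename(event):
    """True when a RENAME produced a gibberish basename ending in .locky."""
    if event["op"] != "RENAME":
        return False
    basename = event["dst"].replace("\\", "/").rsplit("/", 1)[-1]
    return LOCKY_NAME_RE.match(basename) is not None


def detect_mass_rename(lines, threshold=5, window=timedelta(seconds=1)):
    """Sliding-window count of .locky renames per user.

    Returns a list of (user, timestamp, count) alerts; one alert per user,
    raised the moment that user's renames inside `window` reach `threshold`.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent .locky renames
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None or not is_locky_rename(event):
            continue
        q = recent[event["user"]]
        q.append(event["ts"])
        while q and event["ts"] - q[0] > window:  # drop events outside window
            q.popleft()
        if len(q) >= threshold and event["user"] not in alerted:
            alerted.add(event["user"])
            alerts.append((event["user"], event["ts"], len(q)))
    return alerts


# Constructed sample log: one user renaming six files in 250 ms, one legitimate
# rename, one non-rename write and one isolated .locky rename under threshold.
SAMPLE_LOG = [
    "2016-03-08T09:14:02.100 user=jdoe op=RENAME src=/shares/news/story1.docx dst=/shares/news/A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6.locky",
    "2016-03-08T09:14:02.150 user=jdoe op=RENAME src=/shares/news/story2.docx dst=/shares/news/B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7.locky",
    "2016-03-08T09:14:02.160 user=amiller op=RENAME src=/shares/news/draft.docx dst=/shares/news/draft-final.docx",
    "2016-03-08T09:14:02.200 user=jdoe op=RENAME src=/shares/photos/img1.jpg dst=/shares/photos/C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8.locky",
    "2016-03-08T09:14:02.210 user=jdoe op=WRITE src=- dst=/shares/photos/notes.txt",
    "2016-03-08T09:14:02.250 user=jdoe op=RENAME src=/shares/photos/img2.jpg dst=/shares/photos/D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9.locky",
    "2016-03-08T09:14:02.300 user=jdoe op=RENAME src=/shares/photos/img3.jpg dst=/shares/photos/E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0.locky",
    "2016-03-08T09:14:02.350 user=jdoe op=RENAME src=/shares/photos/img4.jpg dst=/shares/photos/F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1.locky",
    "2016-03-08T09:15:10.000 user=bsmith op=RENAME src=/shares/admin/old.xls dst=/shares/admin/0123456789ABCDEF0123456789ABCDEF.locky",
]

if __name__ == "__main__":
    for user, when, count in detect_mass_rename(SAMPLE_LOG):
        print(f"ALERT {when.isoformat()} user={user} locky_renames_in_window={count}")
```

On the constructed sample this raises a single alert for the user whose fifth ".locky" rename lands within one second, and stays quiet for the normal rename, the write, and the lone rename by another user. In practice the alert would feed whatever response the organisation has decided on in advance, such as disabling the account's share access, which is the automated form of the network shutdown the article describes.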
The company did not pay. Crowell said that once it was realized what was happening, the company's computer network was shut down, which stopped the ransomware from spreading further.
"Really we only lost an hour of work but it took us all day to get everything back up," he said Wednesday after the company's systems had been fully restored to normal.
Crowell said as a result, the company's spam filter has been changed to block zipped attachments.
Although it means people attempting to send legitimate files will have to provide them another way, he said the company "just can't take the chance."
Andrew Livingstone, a GNWT cabinet spokesperson, stated in an e-mail he's not aware of any department or agency impacted by ransomware similar to what hit Yellowknifer.
"The GNWT actively monitors for threats related to viruses, malware, ransomware and many other cyber threats," he wrote. "The GNWT takes its information security very seriously and our information technologies division works around the clock to maintain the government's security posture."
He wrote that the GNWT works with other jurisdictions, with the help of Public Safety Canada, to stay up to date on malicious activity online.
RCMP Const. Elenore Sturko said she couldn't find any previous reports to police of ransomware cases in the city.
She said fraud cases are investigated by local officers or could be referred to the RCMP federal investigations unit depending on the circumstances.
Cunningham reiterated that the best way to be protected from ransomware is to not open suspicious links or e-mails and to regularly back up computer files.