A photo illustration made December 14, 2012 in Montreal shows a computer in chains. (File photo by THE CANADIAN PRESS)

Locked-up computer systems only part of ‘terrifying’ ransomware scourge

Experts say NetWalker surfaced about a year ago

TORONTO — A shadowy group of cyber criminals that attacked a prominent nursing organization and Canadian Tire store has successfully targeted other companies with clients in governments, health care, insurance and other sectors.

Posts on their NetWalker “blog” indicate the recent infiltration of cloud-services company Accreon and document company Xpertdoc, although only the College of Nurses of Ontario has publicly acknowledged being victimized.

Experts say NetWalker surfaced about a year ago but its attacks took off in March as the criminals exploited fears of COVID and people working remotely. The ransomware, like similar malware, often infiltrates computer networks via phishing emails. Such messages masquerade as genuine, prompting users to provide log-in information or inadvertently download malware.

Earlier ransomware attacks focused on encrypting a target’s files — putting them and even backups out of reach. Increasingly, attackers also threaten to publish data stolen during their “dwell time,” the days or weeks spent inside an exploited network before encryption and detection.

The intruders promise to provide a decryption key and to destroy stolen records if the organization pays a ransom by a given deadline. The amount is often based on what the attackers have learned about its finances.

To underscore the extortion, NetWalker criminals publish tantalizing screen shots of information they have, such as personnel, financial, legal and health records.

“The data in these cases is extremely sensitive,” said Brett Callow, a Vancouver Island-based threat analyst with cyber-security firm Emsisoft. “Lots of companies choose not to disclose these incidents, so the individuals and (third-party) organizations whose data have been compromised never find out.”

In an interview, Richard Brossoit, CEO of Montreal-based Xpertdoc, said this month’s attack was a “little terrifying” at first. Fortunately, he said, damage was limited and no confidential client or personal information was compromised, although some records might be permanently lost.

“Once we were able to isolate the problem and knew it was minimal — that our customers weren’t really affected at all — obviously it was a very big relief,” Brossoit said.

With new computers, his several dozen employees were back up and running within days, he said. Still, Xpertdoc did hire specialists to deal with the cyber-criminals.

“We were able to negotiate a very low ransom,” Brossoit said. “They didn’t ask too much and we were able to actually negotiate much lower than what they were asking.”

Morneau Shepell, one of dozens of potential third-party victims, said it accepted Xpertdoc’s assurances no sensitive information had been compromised.

Accreon, which has until the first weekend in October to pay up, would not discuss its situation.

NetWalker did recently publish gigabytes of internal data from a Canadian Tire store in Kelowna, B.C. In response to a query, Canadian Tire Corporation said store computers were hit and authorities were investigating.

“This incident has not affected the Canadian Tire Corporation computer networks that process customer information or purchases,” the company said, adding store employees were told their personal information had been compromised.

The nurses’ college, which angered members by taking more than a week to publicly admit the attack discovered Sept. 8, did say it was getting back on its feet, although some services remained down.

“We share our members’ distress and frustration that this has happened,” college CEO Anne Coghlan said in a statement. “Members can rest assured that we will notify them directly if we identify any risk to individuals.”

The consequences of ransomware can go beyond the financial and reputational. This month, for example, a hospital in Duesseldorf, Germany, was unable to admit a patient for urgent treatment after an apparent cyber-attack crippled its IT system, authorities said. The woman died.

Such attacks have become increasingly frequent. Earlier victims in Canada include municipalities — among them Stratford and Wasaga Beach in Ontario and the Regional District of Okanagan-Similkameen in B.C. — health-care organizations and charities. Cloud storage companies, with troves of third-party data, have also become attractive targets.

This year, the University of California San Francisco paid US$1.14 million to regain access to its data. The encrypted information, the school said, was “important to some of the academic work we pursue as a university serving the public good.”

Just how often victims pay — and how much — is hard to know. One analysis by New Zealand-based Emsisoft, using available data, estimates ransomware losses for Canadian enterprises could run up to US$1.7 billion this year.

“It’s really difficult to get accurate statistics,” said David Masson, a director with cyber-security company Darktrace. “Those who pay won’t be telling you. If you do pay, you’re probably going to be attacked again because very quickly…you’re going to get a reputation that you paid.”

Those behind NetWalker appear to be Russian speaking. They provide the malware for a cut to “affiliates,” who promise not to attack Russian or Russia-friendly targets.

“Their attacks are becoming increasingly sophisticated,” Callow said. “These groups are using the exact same tools as nation-state actors. In some cases, they may actually be nation-state actors.”

Experts say up-to-date anti-virus software, segmenting networks and keeping separate backups are among critical protective measures. In addition, Masson said knowing what is going on within a network is crucial, while Brossoit advised hiring specialists should an attack happen.

This report by The Canadian Press was first published on Sept. 27, 2020.
