Nunavut reels after ‘ransomware’ attack knocks out government services

Open this photo in gallery:

A “ransomware” attack that knocked out government services in Nunavut this week should serve as a wake-up call about a threat faced by small governments, observers say.

The consequences of the attack, perpetrated by a group of unknown hackers, are rippling through the northern territory, affecting 38,000 people spread out across a land mass the size of Mexico.

Makeshift food vouchers are circulating in lieu of income-support payments. Schools are without internet access. Telehealth medical appointments are being cancelled. And no one can say when government services will be fully restored.

Experts say that such outcomes are increasingly the point. Ransomware doesn’t steal or destroy data, but encrypts it. The records remain scrambled until they are unlocked with a cryptographic key.

But the key is held by the hackers who deployed the malware, and who count on panicked targets’ willingness to pay. The ransoms are demanded in cryptocurrency transactions that cannot be traced by authorities.

Officials in Nunavut say they have no plans to pay off anyone, because they backed up their data in systems that they are now − very cautiously – booting up. “We have multitiered backups, using different technologies,” said Dean Wells, the territory’s chief information officer.

Such malware is making millions for its creators as they shake down corporations and civil services around the world, said Adam Meyers, vice-president of intelligence at California-based CrowdStrike. The company earlier this year publicly identified the specific ransomware – “Doppelpaymer” – that is now affecting Nunavut.

The hackers “look for organizations and targets that have some sort of critical need to be up and running –that’s how they can up the pressure to pay the ransom," Mr. Meyers said.

Hackers are increasingly targeting institutions, and not individuals, he said. "Large corporations, state governments, local governments and school districts, they have all got operating capital and have a lot more than 300 or 400 bucks on them.”

After the attack was launched on Nunavut this past weekend, one of its most immediate effects was to block government payments from being deposited into bank accounts. The territorial government says that 14,000 of its 38,000 residents are on some form of income support.

Food vouchers were printed by the government as a stopgap, but that rollout was delayed in some places. For example, in the Belcher Islands hamlet of Sanikiluaq, officials had to devise different kinds of chits that could be cashed in for groceries. “They’ve actually worked out a deal with the local stores ... and I understand they’re also using the fax machine,” Nunavut MLA Allan Rumbolt said in an interview early this week.

Some of his constituents have no financial flexibility, he said. “By the time the time comes for your income support, which is once a month, you’re down and out, you don’t have any dollars.”

The territory’s chief information officer says the government computer systems he controls have an outsized effect on people’s lives. “The territory spans over nearly two million square kilometres, 25 remote communities and there are no terrestrial links, either cable or roads,” Mr. Wells said in an interview.

He said Nunavut has been getting cybersecurity advice from the federal government, both before and after the attack.

The new federal Canadian Centre for Cyber Security has “been in contact with the government of Nunavut,” a spokesperson said. “The Cyber Centre continues to monitor new forms of ransomware, and shares tips and information with partners across Canada to help mitigate risks.”

Early this year, the city of Stratford, Ont. − with a population of 31,000 – said it paid a ransom for its data. “The City paid a total of 10 Bitcoins, which were valued at $7,509.13 each at the time, for a total payment of $75,091.30," the city said in a statement.

Police rarely catch ransomware gangs, according to David Masson, the Canadian representative of Darktrace, a cybersecurity firm.

“If the bad guys have done their homework, they would realize that ‘If we hit this provincial government or if we could hit this municipality, you know we could do quite a bit of damage,' ” he said.