Skip to main content

Ashley Dawson has a MA in political science from the University of British Columbia, where she wrote her thesis on cyberwarfare.

This week, the University of Calgary paid $20,000 to restore its e-mail services and other files after a ransomware attack. The ransom, paid to prevent the potential loss of valuable research, not only highlighted the vulnerability of Canadian communication and information technologies, but also showcased the latest trend in cybercrime: a new "business model" that leaves individuals and businesses fending for themselves or footing the bill.

Ransomware, a form of malware that blocks computer access through encryption of files, has become a favourite among cybercriminals. Earlier this year, the Canadian Cyber Incident Response Centre issued a joint alert with the U.S. Department of Homeland Security warning about its proliferation.

According to a recent report by security firm Symantec, Canada is the fourth-most commonly targeted country, with 1,600 ransomware attacks a day in 2015. Most of these attacks involve relatively small amounts, from $1,500 (in the case of one Ontario charity) to $20,000 in the Calgary attack.

The recent surge has little to do with new technologies and everything to do with economics: Because of the prevalence of large data breaches, there is surplus of private information available for sale on the dark net, driving down the cost of stolen information. For example, a stolen credit-card record that cost $25 in 2011 is worth $6 in 2016.

Cybercriminals are facing diminishing returns for their efforts. So to keep cybercrime profitable, they needed to find a new contingent of potential buyers willing to pay higher prices for stolen information, and so they did: us.

This new business model is ideal for the risk-averse criminal who wants to maximize profit and reduce uncertainty. Traditionally, the riskiest part of cybercrime is monetizing the stolen data – finding a buyer on the dark net, using a credit-card number before it's cancelled, hiding profits from police. Through coercion, and assisted by the innovation of bitcoin, cybercriminals can now turn seemingly worthless information into a lucrative undertaking.

This technology is easy to access and almost untraceable. Ransomware is freely available for download online and requires minimal skill to deploy. Hackers, often living overseas, gain access when victims inadvertently download the ransomware by clicking on attachments or links in messages from unfamiliar e-mail senders.

Although ransomware has gained a recent popularity, attacks have been reported in Canada for more than a decade. Countries such as United States and Britain have had some limited success in laying charges, but there are no documented cases of ransomware prosecution in Canada. This may reflect the complicated legal status of prosecuting foreign nationals for domestic offences. The bottom line is that while individual ransomware attacks yield relatively small returns, they are very inexpensive to launch and come with almost zero risk of prosecution.

Ransomware is not a priority for the government. The federal Liberals' 2016 budget committed $100-million to cybersecurity for the next five years and plans to introduce a new Protection of Canada's Vital Cyber Systems Act. But the act, and government funding more generally, focuses on securing large public cybersystems such as government data and utilities. This increasingly leaves businesses and individuals to fend for themselves.

So if you can't call 911, how do you deal with ransomware attacks? As the Calgary attack suggests, once they happen, you may have no choice but to pay the ransom. So the best response is prevention. Back up your files in a secondary location, use spam blockers on your e-mail and don't open attachments from people you don't know.

Cybercriminals are evolving their business models as well their technologies. Ransomware is the next step in this evolution.