While the first wave of damage from last week's "WannaCry" global cyberattack has started to recede, the extent of its reach in Canada is still being revealed, as experts warn that further damage could come from more sophisticated variants of the ransomware.
The incident's halt, however, may only be temporary, with more versions of the malicious software already popping up – highlighting the need for a new approach to security among all parties involved: individuals who leave their computers vulnerable, software suppliers such as Microsoft Corp. that stop supporting older platforms that are still widely used and governments that hoard critical security flaws to preserve their usefulness in offensive cyberspying tools.
"There's got to be a better solution than what we do right now, which is just scramble every time one of these things pops up," says security expert Mark Nunnikhoven, vice-president of Cloud Research with Trend Micro Inc.
"Regulation might be a part of it, whether that's regulating users or the IT industry itself."
This version of ransomware, malicious software that encrypts data until a victim forks over cash – in the form of the digital currency Bitcoin – began spreading widely Friday, though it was apparently stalled on the weekend as a British researcher registered a domain name that activated a "kill switch" in its code.
A spokesperson for European Union law-enforcement agency Europol said the attack had struck just under 200,000 victims across the world by Monday morning. That number was revised downward from earlier projections, though the agency said it expected a "spike" in reports to come. "We know this is not the end of it," the spokesperson said.
The ransomware, in this case, is a "worm" – a program designed to spread as widely as possible by connecting with other computers from an infected one.
"WannaCry" is believed to be spreading over the Internet – without requiring victims to open a malicious e-mail or download a corrupt file – by using a security exploit called "EternalBlue" stolen from the U.S. National Security Agency. Microsoft president Brad Smith wrote in a scathing blog post that "WannaCry" was "yet another example of why the stockpiling of vulnerabilities by governments is such a problem."
"EternalBlue" targets a vulnerability in all Microsoft operating systems that predate Windows 10, and the company released a fix for the flaw in March. However, it wasn't until Friday that the company publicly released a patch for Windows XP and Windows Server 2003 operating systems, which the company had ended support for in 2014 and 2015, respectively. Mr. Nunnikhoven shared estimates that more than 10 per cent of Windows PCs are still running XP, and 18 per cent of servers are running Windows Server 2003.
Experts such as Atefeh Mashatan, an assistant professor of information systems security at Ryerson University, are questioning whether Microsoft should have released its patch for all systems, and whether it should reconsider its policies not to offer regular security updates for obsolete software. "If it has ramifications as big as this, why don't they pro-actively release a patch?" Dr. Mashatan asked.
Such large organizations as Spain's Telefonica SA and FedEx Corp. are among the high-profile global victims of the ransomware, though no major companies have reported infections so far in Canada. On Friday, Lakeridge Health hospital system in Oshawa, Ont., just east of Toronto, noticed the virus in its system, though a spokesman said the company's anti-virus software immediately caught it, and that neither patient care nor medical records were affected.
Observers have pointed out that Canada seemed to avoid the brunt of the early infections, but according to Mr. Nunnikhoven, who has seen country breakdowns, "It seems to be essentially random that it didn't hit North America as hard [as the rest of the world], there's no evidence pointing us to a specific cause."
Cybersecurity lawyer Imran Ahmad, a partner at Miller Thomson LLP in Toronto, said his firm got a spike in calls about security breaches last weekend, with two "definite" cases of ransomware attacks, though he could not confirm the WannaCry software was responsible. While he could not name the companies for confidentiality reasons, he said both were small or medium businesses, and that the operations of one were "completely paralyzed" by the attacks.
Mr. Ahmad said that one was unable to complete transactions over the weekend and was considering paying the ransom, worth about $300 (U.S.) in the bitcoin cryptocurrency for each infected computer.
Elsewhere, CTV News reported that the ransomware appeared on an apartment building's lobby computer.
Canadian universities raced this weekend to put in defensive measures to prevent WannaCry attacks, said David Shipley, a cybersecurity consultant and director of strategic initiatives for IT at the University of New Brunswick. The measures included software security patches, limiting file-sharing traffic, updating e-mail filters, double-checking backups and sending out community advisories.
"There's no perfect answer" for a company forced to decide whether to pay the ransom from this kind of malicious software, Mr. Ahmad said. It requires a case-by-case assessment – the $300 loss might significantly outweigh the losses of stalled business, depending on the size and type of company.
But it can also be an incredibly dangerous idea: You have to trust the hacker to follow through on their word to unlock your data, to not corrupt it and to not go back and hold it for ransom again a few months down the line. Other computers on the network could still be affected, too.
David Fraser, a technology and privacy lawyer with McInnes Cooper in Halifax, said paying the ransom only encourages the malicious-software developers, but that it is a tough call from a pragmatic standpoint. "I'm not aware of anyone who has been able to brute-force get their data back."
Still, giving in only propagates the problem: "By paying the ransom, you're encouraging the trend," Dr. Mashatan said.
If anything, the high profile of this wave of ransomware attacks should encourage companies and computer users to steel their systems, as more sophisticated iterations are bound to come in its wake.
"Whoever did this made a number of really sloppy mistakes," Mr. Shipley said. This includes the kill switch that supposedly put an end to the first iteration Saturday – "that was really sloppy, if they wanted to have an impact."
The Government of Saskatchewan said Monday it was "experiencing a malicious attack" on its network that caused numerous issues, but Deputy Minister of Central Services Richard Murray said midday that no ransom request had been made.