Skip to main content

A security officer stands watch at a data center in Las Vegas, May 11, 2010.ETHAN PINES/The New York Times

Canada and its "Five Eyes" intelligence alliance are mounting a major effort to track cybercriminals who are using a type of malware known as ransomware to hold sensitive data as hostage in return for ransom payments, generally in untraceable bitcoins.

The problem is global in scale and security experts estimate such ransoms total hundreds of millions of dollars a year.

Ransomware in real time: How hackers infiltrate secured systems

"The Five Eyes ... have gathered intelligence and co-ordinated, and the trend seems to be the industrialization of cybercrime," said RCMP Chief Superintendent Jeff Adam.

"It is no longer the kid in the basement doing to it to a couple of his friends. It is systematic. It is organized. It is international and it is actually loosely knit," Chief Supt. Adam said.

It is the first acknowledgment that the Five Eyes club, which also includes the U.S., the U.K., Australia and New Zealand, is using its secretive electronic-intelligence-gathering assets to go after cybercriminals. Normally the alliance targets and searches for suspected terrorist plots, traditional state-to-state espionage and state-sponsored cyberattacks.

The Canadian Cyber Incident Response Centre (CCIRC) is aware of 1,762 cybersecurity-related incidents last year, including thefts of intellectual property from foreign governments and a significant rise in the use of ransomware.

"Ransomware encrypts all the information on an affected system, demanding a ransom be paid in exchange for the key to decrypt the information," Colleen Merchant, director-general at CCIRC, recently testified before the Senate committee on national security and defence. "These attacks are likely to increase in frequency, as the payouts are lucrative for the malicious actors behind this activity."

The recent surge in ransomware has reached such levels that the U.S. and Canadian governments released a rare joint statement in March to educate individuals and businesses about the growing threat.

"Infections can be devastating to an individual or organization and recovery can be a difficult process that may require the services of a reputable data-recovery specialist," according to an alert distributed by the CCIRC and the U.S. Department of Homeland Security.

Chief Supt. Adam, director of the RCMP's technical investigative services, said cybercriminals – usually based abroad – go after soft targets such as hospitals, dentists, law firms and doctors.

"We are seeing ransomware as a worldwide problem," Chief Supt. Adam said. "We have some in the United States, for example, and a couple of incidents in Canada where organizations have been targeted, have had all of their operational or business interest files rendered encrypted and were unable to decrypt them without … backup processes, rebuilding them from scratch or, in some cases, paying ransom."

In some cases, Chief Supt. Adam said some cybercriminals will use ransomware to hack into personal computers and threaten to destroy family photos unless they are paid off in bitcoin.

It's difficult to nab many of these cybercriminals, who may use a decoder in Malaysia while the command and control centre could be in Germany.

A report by the Cyber Threat Alliance said ransomware was responsible for 406,887 attempted infections between January and November, 2015, and accounted for $325-million in ransom payments around the globe. Ransom payments must be paid in bitcoin, a digital currency which allows the cybercrooks to remain anonymous.

The Ottawa Hospital acknowledged in March that hackers used ransomware to attack four of its computers but no payments were made after its IT department was able to wipe each computer driver. In February, Hollywood Presbyterian Medical Center in Los Angeles paid a ransom in bitcoins equivalent to about $17,000 (U.S.) to hackers who infiltrated and disabled its computer network.

In 2013, the RCMP received over 4,400 reported incidents of cybercrime: an increase of more than 40 per cent from 2011. In the U.S. last year, there were 2,453 reported ransomware incidents in which victims paid about $24.1-million.

RCMP Sergeant Guy Paul Larocque said Canada doesn't have accurate figures on how much ransom money has been paid to cybercriminals because he estimates only about 5 per cent of crimes are reported to the police.

"We don't encourage anybody who has been targeted or victimized to pay the ransom," said Sgt. Larocque, who handles major fraud. "If someone decides to pay there is no guarantee that your files will get unlocked and there is also the risk that if the infection is not gone from your computer, the encryption of your files can occur at a later day and you will have to pay another ransom."

The best protection against ransomware is to frequently back up the data to an external device, updating computer software protection and avoid clicking on unknown links.