It’s as Easy as This…
Sometime in late 2019, an employee with the Saskatchewan Health Authority (SHA) plugged a personal device into their work computer to charge it. The device had a file infected with the Ryuk ransomware package. While connected, they opened a file on their personal device. It was as simple as that.
Between December 20, 2019 and January 5, 2020, hackers were able to gain access to SHA’s entire system. Some 50 million files were affected. Over half a million files containing personal or personal health information and over 50 Gb of data were exfiltrated by the hackers to locations in Europe.
The “Findings”
When initially reported, the government claimed that no personal data had been stolen. About a month later, the government backpedalled on this claim.
The province’s Information and Privacy Office (IPO) investigated. Almost a year later, Commissioner Ron Kruzeniski identified three “missed opportunities” to thwart the attack:
- eHealth, a branch of SHA, did not provide sufficient notification of the ransomware attack and its impact on the department;
- eHealth did not provide timely notification of the breach to SHA or the Ministry of Health; and
- The employee who was charging a personal device lacked training in SHA’s “Acceptable Use of Technology Assets” policy and had previous warnings in their personnel file that had been ignored by their manager and other bosses.
Kruzeniski called for eHealth to have its employees and partners complete cybersecurity and privacy training on a yearly basis.
Analysis
This is a significant breach and possibly one of the largest in Canada in 2020. The government’s recommendations are no doubt well considered as the investigation took a year to complete. But the recommendations are weak. They are more a case of how to close the barn door more quickly once the horses have gotten out.
What did this hack cost the Government of Saskatchewan? That will never be known, but we can extrapolate from other breaches. The insurance industry estimates the cost of compromised personal data at $150 USD/person (or about $197 CAD). This includes the cost to investigate, report, mitigate the risks, inform affected users, pay related fines, and recover the system(s). For 547,145 users’ files, this cost comes to over $107 M CAD.
Organizations entrusted with personal, health or financial data of their clients have a very large obligation to safeguard that data, a duty that was failed in this case.
Lessons Learned
This story is stunning in its impact. But there are lessons we can all learn from this story for when (not if) it happens to our business:
- Having all employees regularly complete and be evaluated on cybersecurity skills and awareness is critical. Most attacks begin with an insider’s ignorance or lack of understanding of the risks. Annual training is not enough. Regular training means combining training with periodic drills and exercises. Employee performance needs to be captured and monitored. Employees who show a lack of interest in cybersecurity practices need to be managed until their performance improves. In one example that Atlas is aware of, after training was completed, the company launched a fake phishing attack claiming to be from the company that managed the corporate parking garage. The email asked users to renew their parking contract and supply their personal credit card number. Users who failed the exercise had a very real example of how much cyberattacks could cost them personally and were then required to retake the training.
- A simple USB charging port connected to a wall power outlet is a low-cost alternative compared to the risks of allowing users to plug a USB cable from a personal device into their work computer.
- When an attack happens, do you have a plan for how to respond? Conducting regular table-top exercises with your management team is a great way to feel comfortable and respond more appropriately when a crisis emerges.
- General security best practices seem to have failed here. Ransomware attacks can still happen, but “Next Generation Firewalls” (NGFW) are often able to identify unusual behaviour such as sending large volumes of data to destinations in Europe. NGFWs aren’t necessarily worthwhile for every business, but they aren’t all that expensive and may be worth the cost if your business depends on managing your customers’ data.
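The last point above describes the detection an NGFW (or a SIEM fed by firewall flow logs) can make: one internal host pushing an unusually large volume of data to foreign destinations in a short span. The script below is an added example, not code from the original post or from Atlas Solutions or any firewall vendor. It assumes a simplified flow-log line of five whitespace-separated fields (timestamp, source host, destination IP, destination country code, bytes sent), a one-hour sliding window, a 500 MiB threshold, and a domestic-country set of `{"CA"}`; all of these are assumptions chosen for illustration, and the log lines are constructed, not real traffic.

```python
"""Peak foreign-egress detection over constructed flow records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow-log lines (not real traffic):
# timestamp  source-host  destination-ip  destination-country  bytes-out
SAMPLE_LOG = """\
2019-12-21T02:10:00 10.20.5.17 203.0.113.10 NL 734003200
2019-12-21T02:40:00 10.20.5.17 203.0.113.10 NL 912261120
2019-12-21T03:15:00 10.20.5.17 198.51.100.7 DE 1258291200
2019-12-21T09:00:00 10.20.7.42 192.0.2.55 CA 5242880
2019-12-21T09:05:00 10.20.7.42 192.0.2.80 US 41943040
2019-12-21T10:00:00 10.20.8.9 192.0.2.12 CA 2097152
"""

DOMESTIC = {"CA"}          # assumption: traffic staying in-country is not counted
MIB = 2 ** 20


def parse_flows(text):
    """Parse flow-log lines into dicts, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, country, nbytes = parts
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "country": country,
            "bytes": int(nbytes),
        })
    return flows


def peak_foreign_egress(flows, window=timedelta(hours=1), domestic=DOMESTIC):
    """For each source host, find the sliding window of length `window` in which
    the most bytes went to non-domestic destinations.

    A sliding window (rather than fixed hourly buckets) is used so that a transfer
    straddling an hour boundary is still seen as one burst.
    Returns {host: (window_start, bytes, set_of_countries)}; hosts with no
    foreign traffic are absent.
    """
    by_host = defaultdict(list)
    for f in flows:
        if f["country"] not in domestic:
            by_host[f["src"]].append(f)

    peaks = {}
    for host, hf in by_host.items():
        hf.sort(key=lambda f: f["ts"])
        best = None
        j, total = 0, 0
        for i, start in enumerate(hf):
            # Extend the window end to cover every flow within `window` of this start.
            while j < len(hf) and hf[j]["ts"] <= start["ts"] + window:
                total += hf[j]["bytes"]
                j += 1
            countries = {f["country"] for f in hf[i:j]}
            if best is None or total > best[1]:
                best = (start["ts"], total, countries)
            # Slide the window start forward: drop this flow's bytes.
            total -= start["bytes"]
        peaks[host] = best
    return peaks


def flag_exfiltration(flows, threshold_bytes=500 * MIB,
                      window=timedelta(hours=1), domestic=DOMESTIC):
    """Return one alert per host whose peak foreign egress in `window` exceeds the threshold."""
    alerts = []
    peaks = peak_foreign_egress(flows, window, domestic)
    for host, (start, nbytes, countries) in sorted(peaks.items()):
        if nbytes > threshold_bytes:
            alerts.append({
                "host": host,
                "window_start": start,
                "bytes": nbytes,
                "countries": sorted(countries),
            })
    return alerts


if __name__ == "__main__":
    for a in flag_exfiltration(parse_flows(SAMPLE_LOG)):
        print(f"ALERT {a['host']}: {a['bytes'] / MIB:.0f} MiB to {a['countries']} "
              f"in the hour starting {a['window_start']:%Y-%m-%d %H:%M}")
```

Run against the constructed log, only `10.20.5.17` is flagged (about 2 GiB to NL and DE inside one hour), while the host sending 40 MiB to the US and the host talking only to domestic addresses stay quiet. In production the threshold would be derived from each host's own baseline rather than a fixed constant, and the alert would be correlated with file-share or EDR telemetry before anyone acts on it.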
Getting Started
If you want help managing the risk of ransomware attack and helping prepare your business to respond if and when an attack happens to you, Atlas Solutions has tools and experience to help. Reach out to us.