What to do when your business is being held ransom

Ransomware is holding computers hostage across the world. For many businesses, the choice is clear: lose files or pay up

[Photo: Sophos’s Chester Wisniewski. Credit: Peter Holst]

In June, the University of Calgary fell victim to a cyberattack, in which its email server was encrypted and millions of files were locked. An unknown person or organization demanded $20,000 ransom, and the university paid up. There were 1,800 faculty involved in the breach, facing the potential loss of valuable research. According to one Vancouver security expert, the university’s decision is unfortunate but understandable.

“Encryption works,” says Chester Wisniewski, a researcher in the Vancouver office of global Internet security firm Sophos Ltd. “The criminals that are doing it properly, they’re doing it the same way as we’re doing it commercially, or the government is doing it. There’s no undoing it—you either get the keys from the criminal, or your files are gone.”

The University of Calgary’s experience with ransomware—intrusive software, or malware, that prevents a user from interacting with files, applications or systems until a ransom is paid—drew attention to a threat that has increasingly plagued businesses and individuals around the world. According to recent reports by the Canadian Cyber Incident Response Centre and the RCMP, cybercriminals are frequently targeting institutions, hospitals, dentists and law firms.

Wisniewski, who dropped out of high school at 15 and started hacking computers in the ’80s (“when it was interesting and legal”), has followed the progress of shadowy ransomware perpetrators since the first documented incident in 1989. Then, Joseph L. Popp, an American biologist, distributed a floppy disk to people who believed they were getting information on AIDS. The disk infected computers with a virus, locking files, and users were instructed to send $189 to an organization in Panama to receive another disk that would decrypt their files.

In 2006, “fake anti-virus programs” started circulating. A message would tell the user that viruses had been found on the computer, and if they paid up, it would be cleaned out.

The current iteration of ransomware began in 2013, this time aided by the anonymous digital currency Bitcoin. Now, says Wisniewski, the cyberfraud perpetrators run their scams like a business. They price test, sending out various versions of the same malware with different ransom demands to see what the market will bear, and seem to have arrived at a “sweet spot” between $300 and $500. They seem to contract out their services, as the same lure messages (“We attempted to deliver a package to your home. Please open the attachment…”) often appear with different viruses. They provide service-oriented instructions about where to find Bitcoin ATMs, and tech support offering live chat.

Wisniewski warns people to back up their files, use anti-virus software, keep all programs and operating systems updated, and warn employees about opening suspicious attachments. “If you’ve got three or four different protections running and they’re all 80 to 90 per cent successful, then you’ve minimized your risk,” he says. “But anybody that tells you they have a solution is lying. These are hard problems to solve.”