November 2020, City of Saint John officials confirmed there had been a significant cyber attack, forcing it to shutdown numerous online services, including payment systems, email accounts and the city website. While the city has confirmed the attack itself was ransomware, officials have declined to specify the amount demanded or the systems affected, leaving most of its citizens with lots of unanswered questions.

The City of Fredericton, 100 kilometers (60 miles) away has disclosed that they have seen a massive spike in phishing attempts within days of the Saint John cyber attack. This is because attackers will target a geographic area where their initial attacks have been successful.

Background

On November 13th, 2020, during routine monitoring, some unusual activity was discovered on the city’s networks. Responding to the security event, the immediate response was the shutdown of all online resources in the City of Saint John.  Immediately thereafter, a team of experts began to investigate the situation in hopes of identifying the systems impacted.

In an attempt to reassure citizens, city manager, John Collin held that there was no evidence to suggest that anyone’s personal information had been compromised, assuring the population that they would be kept up to date with all developments. While no concrete timelines have been laid out, Collins warned that restoration of impacted services would take weeks.

Weighing Options

As of now, the situation remains critical with no decisions on recovery proceeding having been made. However, has Collin ascertained that all options to restore remain on the table, including paying of the ransom. City officials continue to weigh their options, working with third-party vendors, law enforcement, legal experts and the city’s insurance provider.

Transparency and Defence

Just as Collin and the City has remained relatively vague in providing details on the attack, the release of details has become a sensitive issue. While the City seeks to instill as much confidence and clarity in its citizens as can be had, providing too much information may well compromise the city’s position further. Providing too much detail to the public may challenge the success of the containment and recovery efforts as authorities have not ruled out the possibility of further attacks. In fact, Collin has acknowledged that advertisement of the attack, alone, has instilled heightened interest in Saint John as a target already.

Ransom: To Pay or Not to Pay?

While unfortunate, the cyber attack on Saint John is not the first Canadian municipality to suffer a cyber attack. In April of 2019, the City of Stratford experienced a similar attack involving ransomware. In this particular case, the ransom was $75,000. Under pressure from the insurer, the city ultimately paid the ransom. As the Mayor of Stratford, Dan Mathieson, indicated, the insurance company has a heavy influence on the decision as coverage may depend on it.

In a similar scenario, also in 2019, Lake City, Florida was also the victim of ransomware, to the tune of $600,000 US, which was inevitably paid on account of heavy influence from the insurer.

It is for this reason that many, police services included, have argued that cyber insurance itself is fueling cyber crime.

As expected, the idea of paying the ransom is not the favored option of law enforcement. The FBI, for example holds the strong opinion that the ransom should never be paid, and should be avoided at all costs. There are several reasons for this. First, in paying the ransom, there really is no assurance that the threat itself will go away, nor do you have any confidence that the information has not already been duplicated for nefarious purposes. As well, paying the ransom is directly incentivizing future attacks. Finally, this sort of behavior may reflect poorly to neighboring countries, including our allies, south of the border.

In addition to the ransom itself, every breach scenario always involves a significant investment in security measures to avoid suffering similar attacks, in future.  It is for this reason, many cyber security experts, and top tier CISOs have significantly increased security budgets across the world in the last 5 years.

The Road to Recovery

After the dust has settled, decisions have been made and details revealed, The City of Saint John will inevitably seek to put the pieces back together. Provided the City has kept adequate backups, a gradual restoration to normal operations should be a straightforward experience. How long that may take will come down to the City’s initial level of preparedness. Unfortunately, the damage to citizens trust level may take years to recover. The obvious questioning as to why security was not proficient enough to prevent the breach in the first place is inevitable.

A Penetration Test is a cyber-security attack simulation that prepares organizations for a cyber attack and helps identify vulnerabilities before a breach. If you would like to learn more about how Packetlabs can secure your organization from cyber threats, please contact us for more information!