You probably noticed that the ACAO office closed a little early in December, and that we’ve had a slow start this January. If you called in or visited the website to find out more, you will know that our server was down, and that we were unable to access your data. Although lack of access was not the best way to finish off the year, it was necessary to lock down your sensitive information while we suffered an unprecedented digital attack.
On December 18th, 2018, we shut down our server when hackers used a ransomware virus to encrypt our data and hold it hostage. The virus was discovered and quarantined in the same day, and the server was shut down to prevent further access, and allow our technical support to take stock of what happened. The server is a shared space, and a few other organizations were also affected by this attack; consequently, we were not the only ones who needed help during the restoration period, which is part of the reason it took so long.
For several weeks we were unable to access our emails, database, internet, and many other important functions that we need to carry out our daily operations. During that time, the Edmonton Cyber Crimes unit worked with our server host to determine the nature and source of the attack and the extent of the damage.
What is Ransomware?
Ransomware is a type of malicious software that hackers use to infect a computer, encrypt its data, and then demand payment in exchange for the decryption key. Once a ransomware attack has been carried out, the data is difficult to recover. There is no guarantee that the hackers will follow through on unlocking the data once the ransom has been paid, and there have been several reports of cases where the decryption key is never provided or does not work.
Some ransomware spreads automatically through emails or downloaded files, while other strains are implanted manually by hackers. The strain we were hit with was the latter kind, which means that hackers had brief access to some of the files they encrypted. At this time, it is unclear whether they copied those files or merely encrypted them, and shutting down the server enabled us to cut off any additional access while the threat was being handled.
The ransom note demanded $120,000 to recover the encrypted data, and for a short time we considered trying to pay it. However, this particular strain of ransomware has a poor track record for following through on the promise of restoration; instead, the hackers often ask for more money once the organization has paid. The EPS Cyber Crimes unit also recommended that we not pay, as paying encourages criminals to continue using ransomware attacks in the future. Taking this into account, we have instead turned our attention to other methods of recovery.
Our organization keeps daily backups of our files off-site. Unfortunately, both our primary site and the off-site backup facility were attacked at the same time, which is a very unusual occurrence. Consequently, even though we had backups prepared in case of emergency, we will not be able to recover all of our data to the state it was in when we originally lost it.
It’s disheartening to lose so much work, but there is a silver lining. The best news is that even though we lost our daily backups, we have a separate backup of our entire server from when we upgraded it 6 months ago. That’s still half a year of data lost, but it’s infinitely better than having to start from scratch. Some additional good news is that we have a spreadsheet, exported from the database for another purpose, that can be used to bring most member files up to within a few weeks of the attack.
We Appreciate Your Patience
Those two pieces alone will make recovery go a lot smoother, but it’s still going to take a while, and we will need help from all of you. Although we will be able to recover a large portion of our data, there will be things we cannot get back, and we may need to reconfirm information that you have previously sent to ensure that your files are up to date. We thank you in advance for your cooperation and patience, and we’ll do all we can to hurry this process along.
What You Can Do
We are fairly confident that the hackers’ primary goal was to encrypt our data for the purposes of extortion. Copying all of our files would have taken longer than their temporary access allowed, and ransomware attacks typically encrypt data in place, rather than removing data. Although it’s unlikely, there is still a risk that sensitive information may have been exposed during this attack. We are continuing to investigate and will alert you of further actions if necessary, but in the meantime, we encourage you to take general steps to ensure your security.
Whenever you encounter an online breach, it’s a good idea to follow these general steps:
- Be vigilant and question suspicious requests: If you ever receive a phone call, e-mail, or letter asking you for sensitive information, question the reason they would need to know, and consider how the information may be used to compromise your identity. This is a common scamming tactic, and usually takes place over the phone or by email. For example, if you receive a phone call that claims to be from a government agency asking you to confirm your sensitive information, or demanding that you pay for something by credit card over the phone, do not tell them anything. Hang up and call the official number to ensure that you are speaking to the right people and that the request is genuine. Even e-mails that seem to come from a genuine source should be treated with suspicion if they ask you for sensitive information, or link you to a page that asks for sensitive information.
- Change your passwords: It’s a good idea to change your e-mail passwords, banking passwords, and other sensitive online account passwords every few months, and whenever you encounter a possible breach, to ensure that hackers can’t gain access to your accounts. Choose passwords that have a variety of character types and are not easily guessed.
- Watch for fraudulent purchases: Keep an eye out for purchases you didn’t make. If you notice any suspicious credit card activity, contact your bank immediately.
We understand that you may have questions and wish to speak to someone to find out more. The office staff will be busy with recovery, and has limited understanding of the whole scope of what has happened, so the registrar has asked that you direct your questions to Maureen@acao.ca.