Canada is plagued by Bitcoin ransoms—and there’s no help in sight

Governments, corporate giants and individual Canadians have quietly paid tens of thousands to perpetrators of a fast-spreading new cybercrime. Here’s how one small Ontario town got burned.

At first, it looked like nothing more than a standard computer virus. It was Monday, the last day of April, and Jocelyn Lee, the treasurer of Wasaga Beach, Ont., arrived at town hall around 7:45 a.m. She’d followed most of her typical morning routine, stopping at Tim Hortons for a bottled water and a muffin—she doesn’t drink coffee—before heading to the town office where she starts most work days by checking her email and calendar. On this day, however, Lee’s first priority had been to return files to her computer that she had taken home to work on.

When Lee plugged in her USB, before she transferred her own work, she noticed that each file on her computer came with a duplicate, ending with .java—her first inkling that “something was not right,” she says. In another part of the building, George Vadeboncoeur, the town’s chief administrative officer, was experiencing the same problem. He clicked on files only to discover there was nothing in them. The screen came up blank. “Maybe I saved it wrong,” he thought. Neither felt it was something to worry about, figuring that somebody from IT, with greater computer knowledge, would be down from the top floor in a moment to deal with it.

Meanwhile, other members of town staff began reporting “funny” messages on their computer screens, saying that their files had been encrypted. They were advised not to use their computers; whatever infected them had crippled every department. As a precaution, the town’s server was quickly disconnected from the network connecting Simcoe County. “It was instant. Unplug. Boom,” Lee says. The IT team spent the day trying to decrypt the locked data, but it soon became clear that nothing was going to work. They weren’t dealing with a virus. This was something bigger. Wasaga Beach was the victim of an attack.

“As it kind of evolved, there was this moniker put on it. It’s ransomware,” says Vadeboncoeur, who had never heard of the term before. By 9:30 a.m., the town had declared the situation an emergency.

Wasaga Beach Treasurer Jocelyn Lee is photographed outside the Treasury office at the Wasaga Beach municipal officers on Thursday, August 16, 2018. (Photograph by Cole Burston)

Ransomware—a malicious malware that infects the host and its network, locking files until a ransom is paid—has become arguably the greatest threat to the digital networks on which the modern world depends. Hospitals, corporate giants, small businesses, cities and regular individuals have fallen victim to this expanding sub-genre of cybercrime. The perpetrators can be anywhere on the planet; finding them is as difficult as prosecuting them. Ransoms are paid in cryptocurrency—namely Bitcoin—which can make the transactions untraceable, while defying attempts by authorities to assert jurisdiction. The vast majority of these crimes are not local, and Canadians are increasingly among the prime targets—for a country that relies heavily on digital networks, much of our corporate sector has failed to keep pace with evolving cyberthreats.

Stories of ransomware attacks have been shrouded in mystery—in part because victims choose to remain silent. The Canadian Anti-Fraud Centre (CAFC) estimates that only five per cent of ransomware losses are reported to the centre: so far in 2018, the CAFC reports that Canadians have lost $48,000 in Bitcoin ransoms, up $20,000 from the year before. “I think with cybercrime generally—and ransomware is a significant element of it—the victims of the crime are quite ashamed in some cases, and reluctant to come forward,” says Supt. Mark Flynn, the RCMP’s director of cybercrime. Others fear repercussions, such as the gnawing possibility that their businesses or personal lives could suffer.

South of the border, the growing rate of attacks is considered a global phenomenon. A 2017 report from Cybersecurity Ventures referred to it as the “ransomware epidemic,” while predicting that cybercrime will soon be “more profitable than the global trade of all major illegal drugs combined.” Around the world, more than 100,000 computers are infected daily, according to FBI estimates, while the total annual amount of payments is approaching a milestone: US$1 billion.

FROM MONEYSENSE: What to do if hackers hold your computer for ransom

The day after the attack, Wasaga Beach informed the RCMP, the Ontario Provincial Police and the province’s information and privacy commissioner of the incident. The town brought in security experts, but their tools didn’t work and decryption was deemed impossible. “All of your files are locked,” read a message on computer screens throughout town hall, which went on to instruct them to contact an email address. “When you have a machine that’s locked, it gives you a number,” Lee explains. “And you have to communicate that number to the cybercriminal so that they know what computer it is.”

Lee sent the number.

She received an eerily tactical response: “Tell us about yourself.”

“,” she wrote back.

Lee adds: “In other words, you can’t hide who you are. You have to disclose yourself before they will engage with you.” The mystery person on the other end demanded 11 Bitcoin for the decryption key. At the time, a single Bitcoin was worth nearly $13,000, meaning Wasaga Beach, pop. 20,675, was looking at a $144,100 hit to its treasury. The next move was theirs.

In recent years, ransomware attacks have occurred in relentless succession. Lee and her colleagues had heard of the high-profile cases, the ones that made headlines, but were unaware of any other municipalities who had gone through the same thing. They felt as though they were going in blind.

Listen to Kyle Edwards talk about Bitcoin ransoms on The Big Story podcast.

Learn more at The Big Story Podcast.

In 2016, the University of Calgary paid a $20,000 ransom to get its files back. A few months earlier, in 2015, a local Calgary wine business coughed up $500 in Bitcoin. Earlier this year, the City of Atlanta was hit by a large-scale attack, which forced its departments, including police and municipal courts, to revert to the old way of doing things: working on paper. (It’s not clear whether the city agreed to pay a Bitcoin ransom worth roughly US$50,000; estimates suggest the city has spent nearly US$3 million recovering from the attack.) Recently, it was reported that shadowy bandits had attacked the PGA Tour a few days shy of a major golf tournament.

More worrying still, cybercriminals are increasingly going after health care facilities and social services. In January, Hancock Regional Hospital in Greenfield, Ind., paid about US$55,000 in Bitcoin to attackers at the height of flu season. Around the same time, in the span of three months, two children’s aid societies in Ontario were hit; one of them, the Children’s Aid Society of Oxford County, paid $5,000.

Lee and Vadeboncoeur had never dealt in cryptocurrency, much less used it to pay a ransom. Bitcoin—a decentralized, digital currency that bypasses governments, central banks and third parties—is the preferred medium of exchange for many cybercriminals, largely because of elements that can make cryptocurrency transactions untraceable. (Bitcoin’s founder is equally enigmatic: said to be someone, or something, named Satoshi Nakamoto, though the creator has never been identified.) Cryptocurrencies like Bitcoin were designed to be anonymous: a person’s 33-character address doesn’t necessarily reveal their identity, but every transaction is recorded on the blockchain, a public ledger, and remains there for as long as the blockchain exists. Bitcoin is used legitimately by law-abiding citizens, who can spend it on everything from flights and hotels on Expedia to Lamborghinis in California. But its rise and popularity has also allowed ransomware to thrive, says Allan Liska, an analyst for Recorded Future, a technology company based in Somerville, Mass., specializing in threat intelligence. When a ransom is paid, criminals “can easily launder that through an exchange by changing it to multiple other cryptocurrencies [like Monero] and then eventually dumping it into a bank in small amounts,” he says. If you’re smart, Liska adds, you can do all that “and not get tagged by the banking regulations that are in place. There are multiple ways to get the money out of there without it immediately being traced back to you.” Liska lists Estonia and Russia as two of the places to which he’s traced cybercriminals; whether that’s where the culprits lived is anyone’s guess.

Ransomware, as a criminal enterprise, is older than the currency that has propelled it. One of the first known attacks occurred in 1989, before the days of email and when the internet was embryonic. As the story goes, Dr. Joseph L. Popp, a biologist with a Ph.D. from Harvard University, distributed 20,000 contaminated floppy disks at a World Health Organization AIDS conference. Attendees from 90 countries accepted them, believing each contained a survey that could determine a patient’s risk of contracting AIDS. It’s a tale that reads like an urban legend. The disks encrypted users’ computer files and instructed them to mail US$189 cheques to a P.O. box in Panama. Even after Popp was caught by the FBI, his motivations were never made clear: a judge later ruled he was mentally unfit to stand trial.

READ MORE: My nightmare trip to Bitcoin hell and back

Lee had heard the story, but today’s cyberattacks are launched in different ways. The town can’t say for sure, but it’s believed theirs came from a phishing email—a message, usually sent at random, masquerading as a contact known to the victim. Phishing schemes are large operations akin to throwing a net into the ocean and waiting to see what it catches. “It’s an economy of scale,” says Bill Dunnion, director of cyber-resilience with Calian, an Ottawa-based consulting firm. “It’s more fire-and-forget. How many people can we load into the hopper? Let’s fire it out and see what sticks.” In most cases it’s nothing personal. But some extortionists will spend time looking for weaknesses among high-profile targets who are likely to pay. “They launch these massive scanning campaigns,” Liska says. “Literally hitting hundreds of millions of IP addresses, looking for those organizations that have vulnerabilities.”

In the days after the attack, Wasaga Beach scrambled to organize itself. Eleven servers containing financial information, historical and official records, everything that made it one of the most popular beach towns in Ontario, was locked away. Its two backup systems, located offsite, were also encrypted. Departments that relied on computers the most—like planning and development, which operated at 55 per cent productivity—were hit hardest. Staff were forced to work off their phones. “You had to be a little creative and go back to your paper ways of doing things,” Lee says.

But beyond town hall, she adds, the community didn’t notice a difference; Wasaga Beach notified its roughly 20,000 townsfolk on social media that they were experiencing technical difficulties. Residents could still buy dog tags and pay their taxes. “Grass was still getting cut in the parks. All departments were still providing those core services that we do as a municipality,” Vadeboncoeur says. “It was internally we were dealing with it.” The biggest risk to the town was its inability for two weeks to respond to so-called “locate requests,” a provincial service that ensures homeowners and excavators can safely dig without hitting gas or utility lines. To its relief, the public works department didn’t receive any emergency requests during that period.

Computers and laptops, meanwhile, were scrubbed before they could be used again. The short-term goal was to get each department at least one working machine. For Vadeboncoeur, it all felt like a scene made in Hollywood. “You’re experiencing something where the only comparison that I could make was a spy movie,” he says. Lee adds: “You’re communicating with cybercriminals. That’s not something you expect to be doing.”

Lee was in charge. She oversaw the IT team, and for an entire month—including evenings and weekends—navigating the ransomware attack became her full-time job. She exchanged emails with the anonymous extortionist three or four times, with an eight-hour window between each message, which led her to believe whoever she was communicating with was on the other side of the world. There were nights Lee found herself unable to sleep, so she’d open up her computer “and there,” she says, “was the message.”

Still, the decision about whether to pay was up in the air. Town managers heard horror stories of people who handed over money and received nothing in return. The RCMP, the OPP and the federal government’s Canadian Cyber Incident Response Centre (CCIRC) do not recommend that victims pay ransom. (The CCIRC, which works with municipalities, provinces and private sector organizations, declined a request for comment.) When Wasaga Beach staff sought advice from its bank, the bank informed them that, of all its clients whose data had been held captive by ransomware, only one was denied a decryption key after payment. “We knew it was a risk,” Lee says. “You’re transacting with a person you’ve never met before and you’re sending money to people you don’t know, hoping and trusting, after they’ve broken into your system, that they will send you a key to unlock your data.”

David Keam, president of Best Sleep Centre, in his showroom on St. James Street, Winnipeg, on August 16, 2018. (Photograph by Whitney Light)

“Youuuu’ll find us!”

David Keam, owner of Best Sleep Centre in Winnipeg, ends every TV commercial with his company’s signature slogan. Similar words—triumphantly altered to “You found us!”—adorn the walls of his three mattress stores, known to Manitobans for 26 years. There’s no mistaking Keam for anything but a businessman: his pinstripe suit and thick moustache can be spotted from across his sales floors. But in July, he had to negotiate a different kind of deal.

He walked into his store on a Monday and noticed that his server was sitting on a desk. One of his workers told him the news. They’d received an email from the hacker, who wanted US$6,000 in Bitcoin. “I deal in Bitcoin all the time,” Keam says proudly. “I happen to be a Bitcoin person.” He admits that the hack was made possible because of a flaw in his system: the criminal could guess his password an endless amount of times until it was open sesame—likely using a computer more sophisticated than his own. Keam suspects that whoever hacked him was sending pings across the cybercosmos, waiting to see which machines were vulnerable. “The guy was out fishing and I had my mouth wide open,” he says.

Ten years’ worth of Keam’s data was suddenly locked. Recounting his stock would take hours and rebuilding everything would cost more than the ransom. He had to negotiate, and both sides eventually agreed to the equivalent of $2,000 Canadian, which came to about 0.23 Bitcoin at the time (Bitcoin is notoriously volatile, its value fluctuating by the minute). In return, the hacker deliberately gave Keam the wrong password key. “You said you were honourable and would send me what I need,” he wrote to his attacker, who responded asking for an extra $1,000. “I told him I’d give him $150 and that’s it,” Keam says. “He took my $2,150.”

The whole ordeal was resolved on the Friday of that week. “It took [our operations] back quite a bit, to about 1999,” he laughs, adding that he treated the negotiation like any other transaction and never worried for his company. At one point, the extortionist wrote to him: “We improved security of companies across the world. The reason of hacking we cant get any equal job in our place.” (The group did not respond to emailed requests by Maclean’s for comment.) Even now, Keam is philosophical—“These people are in business. If they want to remain in business then they have to supply the product that they supply”—and he has salvaged a small victory: “I was just the better negotiator.” In their last email exchange, Keam said: “Thank you for the passwords and be well in Christ. Give me a first name and I will pray for you?”

The answer: “My name is Akis. Have a nice day.”

Keam, like many victims, never contacted police, believing that the authorities wouldn’t, as he puts it, go to “India or North Korea or China or wherever to get these guys. Maybe Interpol will catch them some day.” That same sense of helplessness, the belief that law enforcement can do little to solve these crimes, resonates among other small business owners faced with similar, but more existential crises. “Are they really going to investigate a small business guy working out of his house?” says Zach, a Bitcoin ransom victim in south Ottawa who asked that he not be named, fearing what may happen if his clients knew that he’d been hit by ransomware. “I’m just another fish in the sea.”

RELATED: 10 things you need to know about Bitcoin

Zach works in the software industry and had his system infected last September. He ultimately paid the cybercriminal about $1,000 in Bitcoin to decrypt his server. He also spent roughly $10,000 to better secure his network. Because of industry friends he could rely on to help, he counts himself lucky. “For the average Joe, this would have cost a lot of money,” he says. Others, like former parliamentarian and feminist trailblazer Monique Bégin, simply couldn’t bring themselves to fork over the money.

In 2016, Bégin became the victim of ransomware after clicking on a suspicious message from an email address that contained her name. “I used to be a very logical and bright woman,” quips Bégin, now 82. She reported it to the RCMP, but she doubted they could catch the culprit. An officer told her that because she didn’t pay the ransom, no crime was committed; then she went to the Ottawa Police Service, and they seemed uninterested in pursuing her case. “It was horrible,” she says. (A spokeswoman for the Ottawa police declined to comment, saying the force does not talk about specific complaints.) After refusing to pay, Bégin’s technician wiped her computer. What hurt the most was losing her unpublished memoir: 135 pages representing more than two years of work. She struggled to put it all on paper again—“It was boring as hell”—and eventually decided that she’d relieve the monotony by rewriting it in English rather than French. Her memoir Ladies, Upstairs! My Life in Politics and After comes out in January.

The suspicion that police can do little to help victims appears to be justified: the OPP has never issued a ransomware-related charge; a spokesperson for the RCMP said questions about charges should be “directed to local police services.” But in an interview last December, Flynn, the Mounties’ director of cybercrime enforcement, told Maclean’s: “We are taking them seriously. We are investigating them. We have investigative teams in several areas across the country that are in active investigations.” When asked if he anticipated a ransomware-related charge soon, Flynn hedged. “It’s hard to say, but I’m always optimistic that we will.”

The OPP has invested money in preventing what it describes as a new “crime of opportunity,” launching a cybercrime investigations team in January that works with law enforcement in the U.S. and U.K. to track suspects. Still, Detective Inspector Rick Hawley, the head of the department, says pinpointing perpetrators is “extremely difficult if not impossible; oftentimes, if you do attribute the crime, it could be in a country that doesn’t have co-operation with Canada.” Hawley is careful not to touch on the Wasaga Beach investigation, but says they never advise ransoms be paid, nor do they help negotiate. However, you can’t be that “black-and-white about it,” he acknowledges, adding that it’s a “personal and business decision.”

A comic foreground is seen at Beach 1 in Wasaga Beach, Ontario on Thursday, August 16, 2018. (Photograph by Cole Burston)

On Day Six, the department heads of the Town of Wasaga Beach came together for a meeting in the council chamber, which doubles on a weekly basis as a courtroom. A portrait of the Queen hangs on the wall behind the judge’s seat. On this day, the town officials assembled around a table to discuss the possibility of paying the ransom. They weighed the numbers: $500,000, at minimum, to rebuild everything from nothing, over dozens of months and hundreds of hours. They questioned whether replacing all of their files—like engineering and planning drawings—would even be possible. “It didn’t take very long to make the decision,” Lee says.

The community informed residents through local media that they would negotiate. Lee exchanged offers and counter-offers with the cybercriminal. Like Keam, she likens it “to a normal business transaction.” She gave reasons behind each offer: the town is answerable to taxpayers; it simply couldn’t afford 11 Bitcoin. Finally, they settled on three Bitcoin to restore four of their 11 servers, which they determined would get them close enough to the way things used to be.

The town had a transaction ready to go, and by Day 11 had received its first key. Lee bargained for three separate payments: “Send us the first key, let us make sure it works then we’ll buy the second and third,” she recalls demanding, adding, “They understood what we were trying to do.” The town successfully decrypted its data over the next few days. Then all files were scrubbed clean—fear of another infection loomed—and transferred to a new network built by the IT department.

RELATED: Why Bitcoin is the banking industry’s newest, biggest threat

Lee went ahead with the next two payments. Of all her travails, figuring out Bitcoin was the worst. “How am I going to get this paid? How am I going to buy Bitcoin and make the transaction?” she says. “As the treasurer, that was my biggest responsibility, and I didn’t know how to do it.” The town brought in a consulting firm to help navigate the world of cryptocurrency and facilitate payments. At a council meeting at the end of May, Lee assured curious residents who filled the chamber’s seats there was no sign that any personal data had been removed from the system. She explained that the attack may have come from a phishing email disguised as the Ontario Ministry of Education, containing a PDF document that appeared official and unsuspicious. “The virus lay quiet until the early morning hours of Monday,” she said.

Wasaga Beach returned to 95 per cent “pre-incident operational capability” in the second week of June, according to a summary report by Hexigent Consulting, one of the firms the town hired. The total cost of the ransomware attack was enormous. Nearly $35,000 was spent on Bitcoin, while $37,181 more went to consultants—a number that reflects another reality: as ransomware extortion grows, so does the number of security firms looking to capitalize on it. When other costs such as staff overtime and productivity losses were figured in, the town lost $251,759 over seven weeks. “It’s coming out of the IT reserve—there was money in that reserve. It will pay for it,” Lee says ruefully.

When all of this unfolded, Lee was marking the end of her first year as Wasaga Beach’s treasurer. She had moved from Newmarket, Ont., and now, keeping a brave face, describes those long weeks in May and June as “just an experience to go through.” In her mind, she and her colleagues made the right decisions given the circumstances. But Lee wants the experience of her new hometown to be a message to other municipalities: support each other in times like these, and invest in security. After all, it can happen when you least expect it. “We’ve learned a lesson,” she says. “We’re sharing all that we can, so that they will learn from us and be more prepared. I think that’s the best defence we all have against a cybercriminal.”

with files from Michael Friscolanti