Government of Nunavut returns to paper records and phone calls following ransomware attack

The attack has had large and widespread impacts.

By Jane George, Nunatsiaq News - November 5, 2019
2059
A general view of Iqaluit, the capital of Nunavut, on October 8, 2019. (Stephane Mahe / Reuters)

This past weekend’s ransomware attack on the Government of Nunavut has had far-reaching consequences, having frozen the government’s communications and operating systems and revived the use of telephone calls, paper record-taking and faxes for communication among the territory’s departments.

For schools across Nunavut the attack means no internet access and possible delays in report cards. For others there will be “disruptions for the delivery of driver’s licences and identification cards,” according to a government news release.

And Nunavummiut may get their social assistance in “cheques if we need to,” said Nunavut Finance Minister George Hickes in the territorial legislature on Monday.

“We do expect some delays. This is a very serious issue,” Hickes said.

These are just a few of the many impacts spelled out in the legislature yesterday and later in a long news release from the Nunavut government on how the various department’s services are affected.

The GN has said it’s working to ensure that data is restored and accessible as soon as possible, and “expects the majority of files will be restored, using existing up-to-date back-ups.”

These are prepared monthly and yearly, in addition to nightly snapshots of activity.

A cybersecurity expert says that the best case is the GN will lose whatever data was created between snapshots.

Brett Callow, a B.C.-based spokesperson for Emsisoft, a company specializing in ransomware prevention, said if the backups were affected, “the choice is to pay the ransom or lose the data,” Callow said.

Generally speaking, an organization would probably be able to work out whether its backups were affected within a few hours, so the GN likely already knows what it can restore, he said.

While there are services that enable data encrypted by certain types of ransomware to be recovered without the ransom needing to be paid, “sadly, DoppelPaymer, the ransomware that attacked the GN operating system, isn’t one of those types,” he said.

So, the cheapest solution in such cases is often to pay up.

“Generally, paying ransom is the quickest and less expensive way to get a system up and going again,” Callow said.

Ransomware is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a ransom to the attacker.

In many cases, the ransom demand comes with a deadline and if it’s not paid in time, the data is destroyed forever.

In the GN case, ransomware encrypted individual files on all servers and workstations.

The impacts are huge, as spelled out in the GN’s online guide on access to government services that came out late on Nov. 4.

For now, GN employees are unable to use their work email addresses or consult files stored online.

As well, calls cannot be transferred in GN offices in Iqaluit, so you must call the direct numbers of employees, and voicemail is not working. In the communities, the telephone system continues to work.

Many GN departments, including the Health Department, have reverted to paper records.

And employees, who are supposed to be paid next on Nov. 15, will have to wait as well to see money owed for expenses. Vendors, too, will have to wait for payment from the GN.

The Qulliq Energy Corp. remains unaffected.

Corrections also maintains records of all inmates outside the GN network, so information remains available to them to ensure important dates are identified and inmates remain unaffected, the GN said.

One piece of positive news is that the GN has said there is no concern at this time about the loss of personal information or privacy breaches.

According to a ransomware note received by the GN, which CBC News circulated on Sunday, the GN had a 48-hour deadline after Nov. 2 to contact the ransomware attack’s perpetrators and another deadline of 21 days to pay them a ransom.

It remains unclear how much the GN is being asked to pay in ransom. The highest ransom demanded this past year in a ransomware case was about $5.2 million, Callow said.

In one instance cited by Callow, the restoration of a network after ransomware cost $18 million — many times more than the ransom, so paying a ransom tends to be the smallest part of the cost of recovery, he said.

The GN may also be insured against such attacks, which would make the GN more likely to pay ransom.

But even paying the ransom will not guarantee that computer systems will be restored to normal, Callow said.

Callow said the kind of ransomware that attacked the GN would be spread through an email that contained malicious attachments.

Precautions to prevent such attacks can be costly, complicated and involve awareness training for workers to spot suspicious emails, said Callow. But it’s basically a case of “prepare today or pay tomorrow, ” he said.

Asked why the GN would be targeted, entities in the United States are on very high alert, Callow said.

“They’ve bolstered their IT and so are less likely to be comprised. Because of this, big game hunters are increasingly looking for opportunities in the other countries, including Canada,” he said.