New Brunswick

Officials confirm cyberattack on Saint John was ransomware

The recent cyber attack on the City of Saint John was ransomware, city officials confirmed at a news conference Tuesday afternoon.

No evidence that personal information was stolen, says city manager

Saint John city manager John Collin confirmed at a news conference Tuesday afternoon that the city's recent attack was ransomware. (Roger Cosman/CBC)

The City of Saint John has confirmed that the recent cyber attack against it was ransomware. 

But officials have declined to say how much was demanded or what systems were affected. 

At a news conference Tuesday afternoon, city manager John Collin said there's no evidence that anyone's personal information was stolen. 

"As of today, we do not have any indication that personal information was accessed or transferred. Determining this is a priority for us. When we know more, we will notify the community immediately."

He advised people to keep an eye on their bank accounts, just to be sure. 

While the city and several outside agencies continue their investigation, Saint John's website remains down and online payments are not possible. 

All options to restore our networks are still on the table.- John Collin, city manager

Parking, for example, is currently cash only. 

"There is no timeline yet for the restoration of our services, but it is safe to say that we are looking at weeks, not days," said Collin. 

He said no decision has been made about whether to give in to the hackers' ransom demands.

"All options to restore our networks are still on the table," said Collin. 

He said city officials are continuing to weigh their options and are working with "third-party vendors," legal experts, the city's insurance provider, and other levels of government. 

Collin wouldn't say whether a specific amount was named in the ransom demand or details about how the attack was first discovered late Friday. 

"Providing too much information would be problematic to the recovery efforts," he said. 

"We do not want to publicly provide details that could further compromise the city's position, including information on the effectiveness of the attack, the systems affected and the success of our containment efforts. 

"Providing this level of detail would be beneficial to the attacker as they could attempt further attacks."

He said other cyber criminals have already "taken heightened interest in Saint John because of the advertised attack on the city assets." 

Attack discovered Friday

Mayor Don Darling said "unusual activity" was discovered late Friday during routine monitoring and the city responded by shutting down all online resources. 

"Teams of experts immediately began investigating to determine what systems were impacted and took steps to isolate the breach and protect networks such as disabling the city's website, our servers, email etc.," said Darling.

Saint John mayor Don Darling said the cyberattack was discovered late Friday during 'routine monitoring.'

Collin said "critical city functions" are still operational, including transit, water and waste-water treatment services. Most "routine" operations are also still functioning, such as recreational facilities, solid waste management, public works, and customer service. 

Some have had to return to a more old-school approach with manual processing. 

Building permits, however, will not be issued until a manual system can be developed, said Collin.

Port City not alone

Saint John certainly isn't the first municipality to be hit with a ransomware attack. 

In April 2019, the Ontario city of Stratford experienced one. Hackers accessed the system, encrypted the data, then demanded a ransom of $75,000.

The city ended up paying it. 

Stratford Mayor Dan Mathieson said the municipality had little to say in the decision.

"To be quite candid, the insurance company drives the bus on that," Mathieson said. "You want to keep the coverage in place [so] they get a lot more say in the decision than maybe what you would expect.

"I can tell you that it was not the desired choice or outcome of the police service or the OPP cybercrime unit."

On top of the $75,000 ransom — and the cost to get back online after the attack — the city spent a lot of money beefing up its online security. 

Mathieson said the recent attack is "a stark reminder that cybersecurity criminals are lurking in all areas and trying to find the most vulnerable."

He said municipalities across the country "need to take a holistic approach and collaborate" to find the best security solutions and the buying power to get the best price for it. 

Through the ensuing investigation, Mathieson said the city learned that the hackers had malware planted in the system for six months before they made a move. But the city has not been told who was behind the attack because it's part of a continuing investigation. 

Mike Smit, an associate professor in Dalhousie University’s school of information management, says as long as the City of Saint John has an adequate system for backing up data, it should be up and running 'fairly quickly.' (Submitted by Mike Smit)

Mike Smit, an associate professor in Dalhousie University's school of information management, said it's not unusual for hackers to spend some time getting to know the system before making their move. 

He said they study what's available and try to figure out the biggest — and easiest — pay day. 

Sometimes, they decide to go after personal banking information and make several smaller attempts. Or they go after a lump-sum amount, shut down the system and demand a ransom. 

Then, there's a third variation, said Smit. If the hackers manage to collect a lot of personal, or sensitive information, they will threaten to publish it online if a ransom isn't paid. 

To pay or not to pay?

The question facing cities and organizations hit by ransomware attacks is whether to pay the ransom. 

Andrei Barysevich, CEO of Gemini Advisory, a Florida-based cyber intelligence company, said it's "a very philosophical question" that thousands of organizations across the world have been asking themselves in recent years. 

"The FBI, for example, strongly advises not to pay ransom because by making payments to the bad guys, we're basically incentivizing them to go out and do more attacks."

Barysevich said one well-known group recently bragged about making $100 million in just a few weeks. 

David Shipley, the CEO of Beauceron Security, a New Brunswick-based cybersecurity firm, said some cities and organizations are choosing to pay the ransom, while others refuse.

While paying a ransom may quickly solve the immediate access issue, it raises several concerns. For starters, even if the ransom is paid, does the threat go away? 

"Number two, these criminal groups will recycle that money … it's problematic because you're fuelling that organized crime," Shipley said. "And third, many of these groups are under U.S. sanctions, and so paying ransoms may trigger certain unhealthy international relations between Canada and the U.S."

Barysevich said ransoms are usually in the range of $50,000 to $250,000. 

'Pure capitalism'

"It's pure capitalism," Smit said.

"You have to price the thing that you have at a range in which people are willing to pay for it. So, again, if this is a ransomware attack, my guess is that the City of Saint John is not contemplating paying a ransom."

But if the hackers have accessed personal or sensitive data and threaten to post it online for anyone to download, Smit said municipalities may be tempted to pay up. 

"That type of ransom might be one that a city would contemplate paying to both protect its residents and protect itself from liability," he said. 

Now what?

Smit said the city should have backups in place that would allow it to wipe the system clean and then restore the backups. It will take some time to do all that, but as long as there are adequate backups, information should not be lost. 

"The City of Saint John, I am confident, has some pretty good backups. And as long as the backups weren't also compromised, they'll be able to get up and running fairly quickly once they're sure that their systems are clean. And they did mention that they're drawing on the provincial and federal resources that are in place to help them investigate and respond to this kind of incident."

Outside help

A spokesperson for the Department of Justice and Public Safety confirmed that provincial security and emergency staff "are actively monitoring the situation and have offered technical and operational assistance to the city if needed."

Coreen Enos said that includes officials from the office of the provincial security adviser, and the New Brunswick Emergency Measures Organization in the Department of Justice and Public Safety.

"The province also alerted municipalities and owners and operators of critical infrastructure in the province of the incident" Enos wrote in an email Tuesday afternoon. "Communications with municipalities and critical infrastructure partners began over the weekend. They continue to be updated through alerts and conference calls."

She said Saint John police investigators have contacted the RCMP's national cybercrime co-ordination unit and asked the New Brunswick RCMP digital forensics unit for help. 

With files from Information Morning Saint John